Insights from 100 SOC Reports: Strengthening Third-Party Risk Management in Financial Institutions

March 25, 2025

Alejandro Mijares

Founder and Chief Executive Officer, Mijares Consulting

Robert Power

Executive Risk & Innovation Consultant, Mijares Consulting

Executive Summary

Financial institutions rely heavily on third-party service providers, and they face high risks if proper oversight mechanisms are not in place. An evaluation of 100 SOC 1 Type 2 and SOC 2 Type 2 reports identified significant gaps that demand attention. Key issues include:

  • Misunderstanding of the difference between SOC 1 (financial reporting controls) and SOC 2 (security, availability, processing integrity, confidentiality, privacy) reports, and between Type 1 and Type 2 reports.
  • Complementary User Entity Controls (CUECs) are often overlooked.
  • Audit knowledge gaps in interpreting the results of Service Organization Control (SOC) reports.
  • Discrepancies between application names in SOC reports and internal inventory.
  • Institutions frequently fail to request gap letters when SOC reports have timeline lags.
  • Annual vendor monitoring is often overlooked, leaving risks unchecked.
  • Business application owners are not sufficiently involved in the vendor risk management process.

Observations

After reviewing 100 SOC 1 and SOC 2 Type 2 reports in 2024, our Firm noted several common gaps and issues that warrant attention from senior management. These findings highlight significant risks that, if unaddressed, could lead to regulatory scrutiny, operational disruptions, and reputational damage. This article aims to provide senior executives, board members, regulators, and auditors with insights into these vulnerabilities and the necessary steps to mitigate them.

1 – Misunderstanding between SOC 1 and SOC 2 reports

There is a pervasive lack of understanding regarding the differences between SOC 1 and SOC 2 reports and between Type 1 and Type 2 reports. SOC 1 reports focus on the controls at a service organization relevant to a user entity’s financial reporting. In contrast, SOC 2 reports focus on security, availability, processing integrity, confidentiality, and privacy controls. Type 1 reports describe the design of the controls at a specific point in time, whereas Type 2 reports provide evidence of the operational effectiveness of these controls over a period. This misunderstanding can lead to improper risk assessments and inadequate vendor oversight. Financial institutions should prioritize training and education on these distinctions to ensure that all relevant stakeholders understand the implications of each type of report. Strengthening this knowledge enables organizations to make informed decisions when evaluating service providers and enhances their vendor risk management program.

2 – Complementary User Entity Controls (CUECs) not mapped or addressed

A common trend noted in financial institutions is that Complementary User Entity Controls (CUECs) are not being mapped and addressed. CUECs are the controls that user entities (financial institutions) must implement themselves for the vendor’s overall control environment to be effective. FFIEC guidance emphasizes that banks must review SOC reports and determine whether their own internal controls adequately address CUECs. Mapping CUECs from SOC reports to a bank’s internal controls is key to mitigating third-party risks, ensuring regulatory compliance, and strengthening operational resilience. Because CUECs define the responsibilities a bank must fulfill for a vendor’s controls to work as intended, a vendor’s clean SOC opinion provides little assurance when the bank has not implemented them; yet many financial institutions fail to implement, or even assess, them properly.

The American Institute of Certified Public Accountants (AICPA) also underscores the importance of CUECs in its SOC report guidelines, stating that user entities must implement these controls to achieve the intended benefits of a service organization’s system. Without aligning CUECs with internal controls, financial institutions cannot entirely rely on outsourced services for security, data integrity, or financial accuracy. Regulatory guidance expects institutions to actively review, document, and address CUECs, integrating them into risk management frameworks to prevent disruptions and compliance failures.

By overlooking this important step, financial institutions expose themselves to audit deficiencies, operational risks, compliance gaps, financial reporting risks, and potential regulatory enforcement actions, making CUEC oversight a non-negotiable aspect of third-party risk management.

3 – Lack of audit knowledge in reviewing SOC reports

A significant number of institutions lack the audit knowledge necessary to fully understand and interpret SOC reports. This knowledge gap can result in misinterpreting the scope and findings of these reports, leading to ineffective risk management decisions. Properly assessing SOC reports requires a comprehensive approach considering control effectiveness, audit scope, and potential gaps that could impact regulatory compliance and business operations. Financial institutions should invest in audit training programs for relevant staff to mitigate this risk, establish internal guidelines for SOC report results presentation and escalation, and promote cross-functional collaboration between business line, audit, compliance, IT, IS, and vendor management teams. Strengthening expertise in SOC report evaluation is essential for enhancing vendor oversight, ensuring regulatory adherence, and effectively mitigating third-party risks.

4 – Inadequate consideration of audit methods for subservice organizations

Our evaluation showed that management frequently does not adequately consider the audit method applied to subservice organizations when reviewing SOC reports, leading to potential gaps in risk management. The Carve-Out and Inclusive methods determine whether the subservice organization’s controls are included in the primary SOC report. The Carve-Out method, which is the more commonly used, excludes the subservice organization’s control objectives from the report, so the user entity must assess those controls separately where needed, through additional oversight measures such as reviewing the subservice organization’s own SOC report, its compliance guidelines, and its monitoring procedures.

The Inclusive method, on the other hand, incorporates the subservice organization’s control objectives directly into the service organization’s SOC report, offering a more transparent and comprehensive assessment of the overall control environment. This approach ensures that both entities’ controls are tested together, providing greater assurance but requiring full cooperation from the subservice organization during the audit process. To mitigate third-party risks, management must determine which method was used and whether additional oversight of the subservice organization is necessary.

5 – Discrepancies between application names in SOC reports and inventory lists at the financial institution

One of the more concerning trends is the lack of accurate inventory management, particularly with applications. Discrepancies were found between the application lists in vendor management systems, IT systems, and IS systems. In some cases, decommissioned applications were still listed, while others in scope were missing. This fragmentation can lead to critical oversights in security and compliance. Financial institutions should regularly reconcile application inventories across all systems to ensure accuracy and completeness.

In addition, there are frequent discrepancies between the names of applications listed in SOC reports and those in the financial institution’s inventory lists. These inconsistencies can confuse audits and risk assessments, potentially leading to overlooked risks. To maintain completeness and accuracy, financial institutions must establish a process for cross-referencing and validating application names between SOC reports and internal inventories.
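As an added illustration that is not part of the original article, the following Python script applies the reconciliation process described above to constructed sample inventories: it normalizes application names so that spelling variants match, and flags in-scope applications missing from inventory, status conflicts between systems (such as an application decommissioned in one system but active in another), active applications absent from the SOC report’s scope, and name variants that should be standardized. All system and application names are hypothetical.

```python
import re

def normalize(name: str) -> str:
    """Canonical key: lowercase, drop version/edition words, keep only [a-z0-9]."""
    n = re.sub(r"\b(v\d+(?:\.\d+)*|enterprise|edition|platform)\b", " ", name.lower())
    return re.sub(r"[^a-z0-9]", "", n)

# Constructed sample data (hypothetical application names and statuses).
VENDOR_MGMT = {"CorePay Enterprise v3": "active", "LoanDesk": "active",
               "OldLedger": "decommissioned"}
IT_CMDB = {"CorePay": "active", "LoanDesk Platform": "active",
           "OldLedger": "active", "WireHub": "active"}
SOC_SCOPE = ["Core-Pay", "Loan Desk", "TellerCash"]  # names as printed in the SOC report

def reconcile(soc_scope, inventories):
    """Cross-reference SOC-report scope against {system: {app_name: status}} inventories."""
    by_key = {}  # normalized key -> [(system, raw name, status), ...]
    for system, inv in inventories.items():
        for name, status in inv.items():
            by_key.setdefault(normalize(name), []).append((system, name, status))
    soc_keys = {normalize(a): a for a in soc_scope}
    findings = {"missing_from_inventory": [], "status_conflict": [],
                "active_not_in_soc_scope": [], "name_variants": []}
    # In-scope applications that no internal inventory knows about.
    for key, app in soc_keys.items():
        if key not in by_key:
            findings["missing_from_inventory"].append(app)
    for key, entries in by_key.items():
        statuses = {s for _, _, s in entries}
        # Same application, different lifecycle status across systems.
        if len(statuses) > 1:
            findings["status_conflict"].append({sys_: st for sys_, _, st in entries})
        # Active everywhere but not covered by the SOC report: confirm coverage.
        elif statuses == {"active"} and key not in soc_keys:
            findings["active_not_in_soc_scope"].append(entries[0][1])
        # Spelling variants of one application: standardize the inventory name.
        names = {n for _, n, _ in entries}
        if key in soc_keys:
            names.add(soc_keys[key])
        if len(names) > 1:
            findings["name_variants"].append(sorted(names))
    return findings

def run_sample():
    return reconcile(SOC_SCOPE, {"vendor_mgmt": VENDOR_MGMT, "it_cmdb": IT_CMDB})

if __name__ == "__main__":
    for issue, items in run_sample().items():
        print(f"{issue}: {items}")
```

Each finding type maps to one of the discrepancies noted above, so the output can be handed directly to the application owner or vendor manager responsible for resolving it.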

6 – Failure to request gap letters

A consistent observation across multiple institutions is the absence of gap letters when reviewing SOC reports. Gap letters are critical for understanding what periods are not covered by the SOC report, especially when there is a lag between the reporting period and the current date. Without them, financial institutions may unknowingly expose themselves to risks that arose after the SOC report was issued. Financial institutions should integrate the routine requesting and review of gap letters into their vendor management processes as a standard practice.

7 – Non-compliance with Vendor Management policies and procedures

Vendor management is a cornerstone of a financial institution’s risk management program. Unfortunately, our review indicates non-compliance with internal vendor management policies and procedures. This often results from a lack of clear communication and accountability across different departments. Financial institutions should ensure that vendor management practices are well-documented and enforced, including regular training for stakeholders involved in vendor management.

8 – Inadequate annual monitoring of vendors

Many institutions fail to meet the basic requirement of annual monitoring of vendors. This oversight can lead to outdated risk assessments, allowing potential issues to go unnoticed, such as overlooking emerging threats, compliance deficiencies, or deteriorating vendor performance, increasing exposure to operational and security risks.

Financial institutions need to establish a disciplined approach to vendor monitoring, ensuring that all high-risk vendors are reviewed at least annually. This includes financial stability, security, and performance of the vendors and their compliance with relevant regulations and internal policies.

9 – Lack of Involvement from Business Application Owners

The involvement of business application owners is key to understanding the specific risks associated with each system application. However, the Firm noted a recurring lack of engagement from these stakeholders in the vendor management process. This disconnect can result in the overlooking of key application-specific risks and vendor dependencies and failure to identify and implement necessary controls. Financial institutions should foster greater collaboration between IT, IS, risk management, and business application owners to ensure that different perspectives are considered in the vendor risk management process.

Conclusion

A comprehensive analysis of SOC 1 and SOC 2 reports highlights significant vulnerabilities within financial institutions’ third-party risk management programs and internal control oversight. Misunderstanding the distinctions between SOC report types and their implications undermines the effectiveness of vendor assessments and leads to inaccurate risk evaluations. Furthermore, the prevalent failure to map and address Complementary User Entity Controls (CUECs) directly compromises the effectiveness of vendor controls, increasing susceptibility to regulatory scrutiny, operational disruptions, compliance failures, and cybersecurity incidents.

The absence of audit knowledge in interpreting SOC reports further exacerbates these vulnerabilities, as does the insufficient consideration of subservice organizations’ audit methodologies. Failure to appropriately distinguish and evaluate the Carve-Out and Inclusive methods introduces blind spots in oversight, diminishing the institution’s capacity to identify and mitigate risks arising from indirect vendor relationships. Additionally, persistent discrepancies in application inventory management and the failure to request and review critical gap letters further compound the risk landscape, obstructing clear visibility and timely responses to current and emerging threats.

Financial institutions should prioritize strategic initiatives to proactively mitigate these risks, including comprehensive education programs that clarify the scope and purpose of SOC reports, systematic integration of CUECs into internal controls frameworks, and enhanced audit expertise across compliance, audit, IT, IS, and vendor management teams. Establishing disciplined procedures for consistent inventory reconciliation, routine acquisition and analysis of gap letters, and rigorous enforcement of vendor management policies and procedures are essential to fortifying organizational resilience. Encouraging deeper involvement and accountability from business application owners will facilitate more substantial risk assessments tailored to each application’s unique risk profile.

By embracing these strategic enhancements, financial institutions can significantly strengthen their third-party risk management capabilities, ensure strong compliance with regulatory guidelines, enhance operational resilience, and foster increased trust and security in outsourced vendor relationships.

Thank you for reading our financial institutions’ cybersecurity and artificial intelligence article. If you found these insights valuable, please ‘Like’ and ‘Share’ to spread the knowledge within your professional network. Your engagement is crucial in fostering a broader understanding of these critical topics.

Remember to “Follow Us” for ongoing updates and insights into the intersection of finance and technology. Your involvement is key to building a community that is at the forefront of industry trends and innovations. We appreciate your support and look forward to continuing this journey together. Let’s keep the conversation going!

Follow us, stay informed, stay secure, and let’s navigate the risk landscape together.
