1 May 2025

The Evolution Of SOC Reporting: Final Insights From The 2024 SOC Benchmark Study (Part Three)


As technology continues to evolve rapidly, SOC reports play a vital role for companies, especially those that work with many outside vendors. Without these reports, businesses face security threats, compliance problems, and reputational damage with little visibility into their vendors' control environments. SOC reports help by highlighting weak spots and offering clear steps to improve security and maintain data integrity. Using these assessments, companies can build trust with their partners and protect themselves from risks such as data breaches and regulatory issues.

The 2024 SOC Benchmark Study, conducted by CBIZ CPAs P.C., builds on these principles by highlighting emerging trends, key challenges, and opportunities for improving SOC compliance. Our review of 193 SOC reports — up from 154 last year — offers deeper insights into the evolving SOC landscape across various industries.

In our previous article, we focused on the first half of our results, exploring what they reveal about current SOC practices and how organizations can use these insights to bolster their compliance efforts. In the third and final installment of our results series, we will focus on the second half of our findings.

Control Exceptions

This year, 54.9% of reports included at least one control exception, a modest increase from 51% last year. Interestingly, the average number of exceptions per report fell from 2.7 to 1.73. The most common causes of exceptions were business approvals/reviews (16.5%), user access reviews (15.6%), terminations (12%), and change management (11.7%). For the first time, exceptions related to Information Provided by the Entity (IPE) appeared, reflecting a growing focus on the completeness and accuracy of the data control owners rely on.

User access review exceptions fell into several categories; below are our recommendations for addressing each.

  • Non-Performance: The simplest issue warrants the simplest recommendation. Set reminders to perform the review on its required cadence, and track the due date so a missed period is visible before the audit.
  • Lack of Documentation: As with change management, keeping the evidence in a centralized repository such as an IT help desk or ticketing system ensures that all information is available upon request.
  • Segregation of Duties: In some cases, reviewers were called out for reviewing their own access. This is easily rectified by routing any account owned by the reviewer to a second reviewer.
  • IPE: Auditors have grown used to maintaining evidence of the completeness and accuracy of populations, but this has not always been the case for control owners. Control owners should retain the parameters or query used to generate any listing of users they review (source system, filters, extraction date, and record count), so that the completeness and accuracy of the reviewed population can be supported.
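The following script is an added example, not part of the CBIZ study or any tool it describes. It shows one way a control owner could address three of the categories above at once: it generates a user access review population from documented query parameters, records IPE evidence (parameters, record count, extraction date, and a hash of the exact rows reviewed) that an auditor can re-perform, reassigns any account whose designated reviewer is the account owner, and flags a review as overdue against its cadence. The CSV export, field names, source name, and fallback reviewer are constructed assumptions for illustration.

```python
"""Added example: user access review population with IPE evidence,
segregation-of-duties routing, and a cadence check. Inputs are constructed."""
import csv
import hashlib
import io
import json
from datetime import date, timedelta

# Constructed sample export. In practice this comes from the IdP or application
# database, and the exact query used is what the evidence record must capture.
SAMPLE_EXPORT = """\
username,system,status,role,manager
alice,payroll,active,admin,carol
bob,payroll,active,user,carol
carol,payroll,active,approver,dave
dave,payroll,active,admin,dave
erin,payroll,disabled,user,carol
frank,hr,active,user,carol
"""


def load_accounts(export_text):
    """Parse the export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(export_text)))


def _canonical(population):
    # Deterministic serialization so the hash only changes when the rows change.
    return json.dumps(population, sort_keys=True).encode()


def generate_population(accounts, params, extracted_on):
    """Filter accounts by the documented parameters.

    Returns (population, evidence). The evidence record is what a control owner
    keeps to support IPE: the parameters, the count, and a hash of the rows.
    """
    population = [a for a in accounts if all(a.get(k) == v for k, v in params.items())]
    evidence = {
        "source": "payroll_idp_export",  # assumed source system name
        "extracted_on": extracted_on.isoformat(),
        "parameters": dict(params),
        "record_count": len(population),
        "sha256": hashlib.sha256(_canonical(population)).hexdigest(),
    }
    return population, evidence


def verify_population(population, evidence):
    """Auditor-side re-performance: does the reviewed listing match the evidence?"""
    return (
        len(population) == evidence["record_count"]
        and hashlib.sha256(_canonical(population)).hexdigest() == evidence["sha256"]
    )


def assign_reviewers(population, fallback_reviewer):
    """Route each account to its manager, but never let anyone review their own
    access; such rows go to the fallback reviewer and are flagged for the record."""
    assignments = []
    for a in population:
        reviewer = a["manager"]
        reassigned = reviewer == a["username"]
        if reassigned:
            reviewer = fallback_reviewer
        assignments.append(
            {"username": a["username"], "reviewer": reviewer, "sod_reassigned": reassigned}
        )
    return assignments


def is_overdue(last_performed, cadence_days, today):
    """True when the review has not been performed within its required cadence."""
    return today > last_performed + timedelta(days=cadence_days)


if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    params = {"system": "payroll", "status": "active"}  # assumed review scope
    pop, ev = generate_population(accounts, params, date(2024, 4, 1))
    print(json.dumps(ev, indent=2))
    for row in assign_reviewers(pop, fallback_reviewer="grace"):
        print(row)
    print("overdue:", is_overdue(date(2024, 1, 1), 90, date(2024, 4, 15)))
```

The evidence record is stored alongside the reviewer sign-off; if the auditor later re-runs the same parameters against the same source and `verify_population` returns `False`, the discrepancy itself becomes the finding rather than an unexplained gap in the population.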

Audit Opinion

The rate of qualified audit opinions rose slightly to 10.9%, up from 8% the previous year. Notably, user access review failures became the top driver of qualifications, overtaking business approvals. Meanwhile, environmental control-related qualifications disappeared altogether, a positive shift, especially considering that many of the prior year's were "somehow" tied to SOC 1 reports.

More concerning, the study noted cases where numerous exceptions did not result in qualifications, prompting a call for greater transparency in audit conclusions. While auditors must explain the rationale for a qualification, there is no requirement to document why a report is not qualified, even when exceptions are numerous. Acknowledging that reports may not contain all of the background and facts, in instances of many exceptions (8 to 10, most of them within the same criteria or objectives), we would like to see a push for greater transparency on conclusions. If users of service providers see reports with a high number of exceptions and an unqualified opinion, we encourage them to ask pointed questions about the reasons for the exceptions and how the organization is addressing them.

Emphasis of Matter

Use of Emphasis of Matter (EOM) paragraphs remained steady at 5.2%. These optional disclosures help clarify aspects of the audit that are not covered in the core opinion. A common example is an auditor being unable to test a sample of security incidents because no incidents occurred during the period. However, recent AICPA guidance changes on whether the non-occurrence of events must be disclosed may reduce the use of EOM going forward, making it essential for report users to ask follow-up questions whenever limited testing is reported.

Description of the System

The average length of Section 3, which details the system description, increased slightly to 24.4 pages. Most reports (86%) fell within the 10–49-page range, indicating a healthy balance between brevity and detail. Fewer reports had system descriptions under 10 pages (6.7%), a trend the authors hope continues, as short descriptions often lack meaningful insights into key controls.

Duration to Issue

For public companies, timely report release is crucial, yet many readers overlook the issuance date, which offers indirect insight into the audit process and, more specifically, its efficiency. If a report is issued more than 90 days after the period end, it signals delays on the part of either the service auditor or the service provider in supplying crucial audit evidence. Either way, a vested reader would be wise to inquire about the circumstances. If your service provider cannot provide timely audit evidence because of competing priorities within the firm, where does compliance rank as a priority?

In this year's analysis, 85% of reports were issued within 100 days of the audit period end, and the average issuance duration was 69.9 days. This is broadly in line with most larger CPA firms' target of issuance within 45–60 days. Reports taking longer than 100 days dropped from 21% to 15%, and no report exceeded 300 days, a clear improvement over last year, when one report was issued 535 days after the period end.

Complementary User Entity Controls (CUEC)

Complementary User Entity Controls (CUECs) are controls that a service organization expects its customers to implement so that the overall control environment operates effectively. They are essential because they tell users exactly which areas they are responsible for rather than leaving them to guess. This was a new category reviewed this year, added by popular request.

The average number of Complementary User Entity Controls across reports was 12.5. SOC 1 reports had a higher average (14.7) compared to SOC 2 (8.9), reflecting the former's emphasis on financial audit support. Notably, 81.9% of reports had 0-20 CUECs, showing general consistency in this area.

While the AICPA's SOC 2 guide notes that CUECs are not always required, it is difficult to imagine a modern service environment in which users have no control responsibilities of their own. Users should question a report that lists no CUECs, especially given today's reliance on cloud providers and technology partners. A careful review of CUECs is critical when analyzing SOC 2 reports.

Complementary Subservice Organization Controls (CSOC)

Complementary Subservice Organization Controls (CSOCs) are controls that service organizations expect their subservice providers to implement, working alongside the service organization's own controls to ensure service commitments and system requirements are met.

The study's first analysis of CSOCs found that most organizations listed fewer than 20 such controls, with an average of roughly 10 across both SOC 1 and SOC 2 reports. Report users should be wary of reports listing no CSOCs, as this may indicate gaps in the service organization's oversight of its subservice providers.

Final Thoughts

The second half of the 2024 SOC Benchmark Study underscores the importance of transparency, efficiency, and precision in SOC reporting. Whether you are interpreting control exceptions, assessing system descriptions, or evaluating user entity and subservice organization responsibilities, these insights offer actionable guidance for refining your SOC strategy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
