Thursday, August 7, 2025

Why We Ask for SOC Reports

contributed by Matt Phillippi

If someone from UVA’s Compliance team has ever reached out asking for a SOC report, or asked you to respond to something called a “CUEC,” you may have wondered: What is this, exactly, and why is it part of my work?

Here’s a quick breakdown to help explain.

What’s a SOC report?

SOC stands for System and Organizational Controls. A SOC report is created by an independent auditor who reviews a company’s internal controls—things like how they protect financial data, ensure privacy, and manage cybersecurity.

When UVA works with a third-party company, especially one that handles payments or sensitive information on our behalf, it’s important that we verify those systems and processes are sound. SOC reports give us that assurance. Requesting and reviewing them isn’t just a best practice; it’s also required by both the Auditor of Public Accounts (APA) and the Agency Risk Management Internal Control Standards (ARMICS).

Two Types of SOC Reports We Use

  • SOC 1 focuses on financial controls. We need this if the company’s work affects UVA’s financial reporting, such as processing payments or managing key financial data.
  • SOC 2 focuses on areas like cybersecurity, data privacy, and regulatory compliance. If a vendor handles University data, we look for this report to ensure that information is being protected.

What We Look For in These Reports

SOC reports can be quite detailed, but the Compliance team zeroes in on two key parts:
  • Complementary User Entity Controls (CUECs): These are responsibilities the vendor expects us to fulfill for their controls to be effective. For example, they might manage the system securely, but we need to manage who has access on our side. If you’re asked to respond to a CUEC, it’s about confirming the steps your area takes to help ensure overall security.
  • Audit Results: The report includes findings from the auditor’s testing, including whether the vendor’s controls were working properly and, if not, how they responded. This helps us understand any risks and make informed decisions about working with that vendor.

Why It Matters

SOC reports are an essential part of how we help ensure UVA’s financial reporting accuracy and data security. They support our shared responsibility for compliance and are one way we show due diligence when working with third-party providers.

If you’re ever asked to help gather a SOC report or respond to a CUEC, know that you’re helping UVA stay on solid ground, both financially and in terms of data security. And of course, the Compliance team is always here to answer questions and support you through the process.