A structured process for reviewing vendor SOC 1 and SOC 2 reports — so nothing critical gets missed.
When a vendor provides a SOC 1 or SOC 2 report, the temptation is to file it and assume everything is fine. A proper SOC report review is a structured process: verifying the report covers the right scope, assessing the auditor’s opinion, reviewing control testing results for exceptions, identifying your complementary user entity controls, and documenting findings for your own compliance records. This free SOC report review checklist template gives internal auditors, compliance managers, and IT security teams a consistent framework for reviewing SOC reports from every vendor — run it as a reference or as a live, trackable checklist in CheckFlow, with tasks assigned across IT, compliance, and finance, and every finding documented for your audit trail.
A SOC report review checklist is a structured framework used by internal auditors, compliance managers, and IT security teams to systematically evaluate a SOC (System and Organisation Controls) report received from a vendor or service provider.
SOC reports — issued by independent auditors following AICPA standards — come in several types. SOC 1 reports cover a service organisation’s internal controls over financial reporting (ICFR), and are typically reviewed by finance teams and external auditors as part of SOX compliance. SOC 2 reports cover controls relevant to security, availability, processing integrity, confidentiality, and privacy (the Trust Services Criteria), and are reviewed by IT, compliance, and procurement teams as part of vendor due diligence. Both come in Type 1 (design of controls at a point in time) and Type 2 (operating effectiveness over a period) variants — with Type 2 providing stronger assurance and typically required for ongoing vendor relationships.
Reviewing a SOC report is not simply a matter of confirming one exists. A proper review verifies that the report covers the right scope, that the auditor’s opinion is unqualified, that any exceptions in control testing are understood and addressed, that complementary user entity controls (CUECs) are implemented on your side, and that findings are documented for your own compliance records. For organisations managing multiple vendor relationships, a structured checklist ensures every SOC report is reviewed consistently and that nothing critical is missed.
What the SOC Report Review Checklist Covers
This checklist is organised into five phases that cover the complete process of reviewing a SOC 1 or SOC 2 report — from initial preparation through to findings documentation and follow-up actions.
Phase 1
Pre-Review Preparation
Confirm which vendor(s) are in scope for SOC report review this cycle
Request the most current SOC report from each vendor — confirm it is the latest available
Identify the report type: SOC 1 or SOC 2, Type 1 or Type 2
Confirm the report period covers your organisation’s relevant fiscal or compliance period
If the report period has ended, request a bridge letter confirming controls remained in place through to the current date
Gather your organisation’s vendor risk classification for this vendor (critical, high, medium, low)
Identify the internal stakeholders who need to review the report (IT, compliance, finance, legal, procurement)
Confirm the review framework applicable to your organisation (SOX, ISO 27001, internal policy, customer contractual requirement)
Assign sections of the report to appropriate reviewers
Set target completion date for the review
Phase 2
Report Basics & Auditor’s Opinion
Confirm the report covers the specific system or service your organisation uses — not just a related product
Verify the service auditor is an independent, qualified CPA firm
Review the independent service auditor’s report (typically Section I or II) — note the type of opinion issued
Confirm the opinion is unqualified (clean) — flag any qualified, adverse, or disclaimer of opinion for immediate review
Note any “except for” language in the opinion — this indicates specific control failures
Confirm the audit period is current and adequate for your compliance requirements
For SOC 2 reports — confirm which Trust Services Criteria are in scope (Security, Availability, Processing Integrity, Confidentiality, Privacy) and verify the in-scope criteria are relevant to your organisation’s risk concerns
For SOC 1 reports — confirm the control objectives cover the financial processes your organisation relies on
Note the report date and confirm no significant time has elapsed since issuance (or obtain bridge letter)
Phase 3
System Description & Management Assertion
Review the system description (typically Section III) — confirm it accurately reflects the services and systems provided to your organisation
Verify the system description includes the infrastructure, software, people, procedures, and data relevant to the services in scope
Review management’s assertion — confirm management claims controls are suitably designed (Type 1) and operating effectively (Type 2)
Identify any subservice organisations noted in the system description — third parties the vendor relies on for components of the service
For each subservice organisation, confirm the carve-out or inclusive method is noted and determine whether you need to obtain separate SOC reports for subservice providers
Note any significant changes to the system or organisation during the audit period
Confirm the system description covers the full scope of services relevant to your organisation — flag any gaps
Phase 4
Control Testing Results, Exceptions & CUECs
Phase 4 applies to Type 2 reports only. For Type 1 reports, proceed to Phase 5.
Review the control testing results (typically Section IV) — identify all controls tested and their results
Note any exceptions (instances where controls did not operate effectively) — list each exception individually
For each exception, assess whether the relevant control objective applies to your organisation’s use of the service
Review management’s response to each exception (typically in Section V) — confirm the response is adequate and remediation is in progress or complete
Assess the frequency and severity of exceptions — a small number of low-risk exceptions is generally acceptable; repeated or high-severity exceptions require escalation
Identify all Complementary User Entity Controls (CUECs) listed in the report — these are controls that your organisation is responsible for implementing
For each CUEC, confirm whether your organisation has the corresponding control in place
Document any CUECs that are not currently implemented and create remediation actions
Review any additional information provided by the service organisation (Section V) for context on exceptions or changes
Note any significant incidents or breaches disclosed in the report
Phase 5
Findings Documentation & Follow-Up Actions
Compile all findings from the review — qualified opinions, exceptions, unimplemented CUECs, subservice organisation gaps, and coverage gaps
Rate each finding by severity and risk to your organisation
Assign owners and target completion dates to each remediation action
Determine whether any findings require escalation to senior management, legal, or your external auditor
Confirm whether the vendor relationship should continue, be monitored more closely, or be escalated to procurement/risk committee
Document the completed SOC review as evidence for your own compliance programme (SOX, ISO 27001, or internal audit)
Communicate any CUEC gaps to the relevant internal teams and confirm remediation plans
Schedule the next annual SOC review for this vendor
Update vendor risk register with findings and risk rating
File the reviewed SOC report and review documentation in your compliance records
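As an added illustration (not part of the CheckFlow template or any vendor's report), the Python routine below applies the Phase 1, 2 and 4 checks above to a report's metadata and produces the findings list that Phase 5 works from. The SocReport fields, the 12-month staleness threshold and the sample vendor are assumptions constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class SocReport:
    vendor: str
    report_type: int                 # 1 = design at a point in time, 2 = operation over a period
    period_start: date               # for Type 1, the "as of" date (set start == end)
    period_end: date
    opinion: str                     # "unqualified", "qualified", "adverse" or "disclaimer"
    bridge_letter_to: Optional[date] = None   # date a bridge letter covers through, if held
    exceptions: list = field(default_factory=list)   # (control, severity) pairs, Type 2 only
    cuecs: list = field(default_factory=list)        # CUECs the report lists for the user entity

def review_findings(r, fiscal_start, fiscal_end, today, implemented_cuecs):
    """Return (category, detail) findings a reviewer would carry into Phase 5."""
    findings = []
    # Phase 1: the report period must cover the organisation's compliance period
    if r.report_type == 2 and (r.period_start > fiscal_start or r.period_end < fiscal_end):
        findings.append(("coverage", "report period does not cover the compliance period"))
    # Phase 1/2: a period that has ended needs a bridge letter through to today
    covered_to = max(r.period_end, r.bridge_letter_to or r.period_end)
    if covered_to < today:
        findings.append(("bridge", "request a bridge letter through to the current date"))
    if today - r.period_end > timedelta(days=365):   # assumed staleness threshold
        findings.append(("stale", "report is older than 12 months"))
    # Phase 2: anything other than a clean opinion is flagged for immediate review
    if r.opinion != "unqualified":
        findings.append(("opinion", f"{r.opinion} opinion: flag for immediate review"))
    # Phase 4: list every exception; repeated or high-severity ones are escalated
    if r.report_type == 2:
        per_control = Counter(control for control, _ in r.exceptions)
        for control, severity in r.exceptions:
            tag = "escalate" if severity == "high" or per_control[control] > 1 else "exception"
            findings.append((tag, f"exception in {control} ({severity})"))
    # Phase 4: each CUEC without a matching control on our side becomes a remediation action
    for cuec in r.cuecs:
        if cuec not in implemented_cuecs:
            findings.append(("cuec", f"CUEC not implemented: {cuec}"))
    return findings

# Constructed sample input (hypothetical vendor, not taken from any real report)
SAMPLE = SocReport("Example Cloud Ltd", 2, date(2024, 1, 1), date(2024, 12, 31), "qualified",
                   exceptions=[("logical access review", "high"), ("change management", "low")],
                   cuecs=["timely access revocation for leavers", "data classification"])

def sample_review():
    # Compliance period April 2024 to March 2025, reviewed on 1 June 2025
    return review_findings(SAMPLE, date(2024, 4, 1), date(2025, 3, 31), date(2025, 6, 1),
                           {"data classification"})
```

Each tuple returned maps to a checklist item: "coverage" and "bridge" from Phase 1, "opinion" from Phase 2, "escalate", "exception" and "cuec" from Phase 4.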
This checklist is available as a free, runnable template in CheckFlow — with tasks assigned across IT, compliance, and finance teams, exceptions tracked to remediation, and a complete review record for every vendor in your programme.
Build the checklist once and run it for every vendor SOC report review in your programme. Enter the vendor name, report type, and review period at launch — CheckFlow assigns tasks across IT, compliance, and finance automatically and notifies each reviewer. Whether you’re reviewing three vendor reports or thirty, every review follows the same structured process.
Every exception identified in a SOC report, and every unimplemented complementary user entity control, becomes a trackable action in CheckFlow — assigned to an owner with a due date and automatic reminders. Nothing sits in a review document that nobody follows up on. Your next audit cycle starts with a clear record of what was found last time and what was done about it.
Every completed SOC review is archived in CheckFlow with a timestamped log of who reviewed each section, what was found, and what actions were taken. When your external auditor, SOX compliance team, or ISO 27001 certification review asks for evidence of vendor SOC oversight, the record is already there — structured, complete, and ready to present.
What is a SOC report and why do organisations review them?
A SOC (System and Organisation Controls) report is an independent audit report issued by a CPA firm that describes a service organisation’s controls and how effectively they operate. Organisations review vendor SOC reports as part of their vendor risk management and third-party due diligence programmes — to understand whether the vendors they rely on have adequate controls in place to protect their data, ensure service availability, and maintain financial reporting integrity. SOC report review is also required for SOX compliance (for SOC 1 reports) and increasingly required by enterprise customers as a condition of doing business (for SOC 2 reports).
What is the difference between SOC 1 and SOC 2?
SOC 1 reports cover a service organisation’s internal controls over financial reporting (ICFR) — they are relevant when a vendor handles processes that could affect your financial statements, such as payroll processing, billing, or benefit plan administration. SOC 2 reports cover the five Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy — and are relevant when a vendor handles your data or provides cloud services. Both come in Type 1 (controls as of a point in time) and Type 2 (controls operating effectively over a period) variants, with Type 2 providing stronger assurance.
What is a qualified opinion and how serious is it?
An unqualified (clean) opinion is the most desirable outcome of a SOC audit — it means the auditor found no material exceptions and the controls are suitably designed and operating effectively. A qualified opinion means the auditor found specific exceptions significant enough to warrant a departure from a clean opinion. A qualified opinion does not necessarily mean the vendor is unsuitable, but it requires careful review — you need to understand exactly which controls failed, whether those controls are relevant to your use of the service, and what the vendor has done to remediate the issues. Any qualified opinion should be escalated to your compliance team and potentially your external auditor.
What are complementary user entity controls (CUECs) and why do they matter?
CUECs are controls listed in a SOC report that the vendor assumes your organisation has in place for the overall control environment to be effective. For example, a cloud provider’s SOC 2 report might assume that you have adequate user access management controls on your side — that you promptly revoke access when employees leave. If your organisation does not have those controls in place, the vendor’s SOC report does not fully cover the risk. Reviewing and implementing CUECs is one of the most commonly missed steps in SOC report review, and one of the most important — they represent the controls you are responsible for.
How often should vendor SOC reports be reviewed?
SOC reports should be reviewed at least annually — most vendors issue new reports covering a 12-month period. For critical vendors handling sensitive data or financial processes, some organisations review mid-year updates or request bridge letters to cover gaps between report periods. A SOC report older than 12 months is generally considered stale and should be accompanied by a bridge letter. CheckFlow’s recurring checklist feature can schedule your annual vendor SOC reviews automatically so no vendor falls outside your review cycle.
Is CheckFlow free to use for this template?
You can start a free 14-day trial with no credit card required, giving you full access to all features including this template. The Business plan is $10 per user per month after the trial. Full details at checkflow.io/pricing.
Start Running Consistent SOC Report Reviews Today
Free trial — no credit card required.