Operational Controls and SOC Reports: Reading Between the Lines (Institutional Custody & Compliance, XRP Academy)
Level: Advanced | 55 min

Operational Controls and SOC Reports: Reading Between the Lines

Learning Objectives

Interpret SOC 1 and SOC 2 reports and their limitations

Evaluate proof of reserves attestations critically

Assess security certifications (ISO 27001, CCSS) appropriately

Identify red flags and gaps in audit documentation

Apply control evaluation in custody due diligence

"We have a SOC 2" has become a standard custodian claim. But what does that actually mean? Not all SOC reports are equal. Not all certifications are meaningful. And proof of reserves isn't proof of everything.

This lesson teaches you to read these documents critically—to understand what assurance they provide and what gaps remain.


SOC REPORT OVERVIEW:

SOC 1 (SSAE 18):
Purpose: Financial reporting controls
Focus: Controls relevant to user financials
Users: User auditors, finance teams
Relevance: NAV calculation, financial reporting

SOC 2 (AT 101):
Purpose: Security, availability, processing integrity,
         confidentiality, privacy
Focus: Trust services criteria
Users: Management, due diligence
Relevance: Primary custody evaluation tool

SOC 3:
Purpose: General use report
Focus: Same as SOC 2, less detail
Users: Public/marketing
Relevance: Limited due diligence value

TYPE I VS. TYPE II:

Type I:

  • Point-in-time assessment

  • Description of controls

  • Design effectiveness only

  • "Controls exist as described"

Type II:

  • Period assessment (typically 12 months)

  • Operating effectiveness testing

  • Controls worked during period

  • "Controls operated effectively"

FOR CUSTODY EVALUATION:
SOC 2 Type II is the standard expectation
Type I is insufficient for institutional DD

SOC 2 REPORT STRUCTURE:

Independent auditor's report:
- Auditor's opinion
- Scope of examination
- Management's responsibilities
- Auditor's responsibilities
- Opinion on controls

Key Review Points:
□ Is opinion unqualified?
□ What's the report period?
□ Which trust services criteria?
□ Any scope limitations?

Management's assertion:
- Management's description
- Management's assertion
- Control objectives

Key Review Points:
□ Does description match services used?
□ Any carve-outs?
□ Subservice organizations?

System description:
- Services provided
- Components of system
- Relevant aspects
- Control environment

Key Review Points:
□ Does description match your use?
□ What's in scope?
□ What's NOT in scope?

Tests of controls and results:
- Control objectives
- Related controls
- Tests performed
- Results of tests

Key Review Points:
□ Any exceptions noted?
□ Exception materiality?
□ Remediation actions?

Other information:
- Subservice organizations
- Complementary user entity controls
- Changes during period

SOC REPORT RED FLAGS:

OPINION ISSUES:

🚩 Qualified Opinion:
"Except for..." language
Indicates material deficiency
Requires explanation

🚩 Scope Limitations:
Auditor couldn't test something
May hide problems
Requires investigation

EXCEPTION ISSUES:

🚩 Multiple Exceptions:
More than isolated incidents
Pattern of control failures
Systemic concerns

🚩 Unremediated Exceptions:
Same issues year over year
No corrective action
Management concern

🚩 Material Exceptions:
Significant control failures
Could affect asset security
Critical review needed

SCOPE ISSUES:

🚩 Carve-Outs:
Important functions excluded
Subservice organizations
May exclude critical controls

🚩 Limited Trust Criteria:
Missing relevant criteria
(e.g., no security criteria)

🚩 Short Period:
Less than 12 months
May miss seasonal issues

GOOD INDICATORS:

✅ Unqualified opinion
✅ No exceptions
✅ Full 12-month period
✅ All relevant trust criteria
✅ No material carve-outs
✅ Clear system description

COMPLEMENTARY USER ENTITY CONTROLS (CUECs):

WHAT THEY ARE:
Controls that user organizations must implement
for overall system of controls to be effective

COMMON CUECs FOR CUSTODY:

  • User responsible for own credentials

  • Timely termination of access

  • Access review processes

  • Proper authorization procedures

  • Segregation of duties (user side)

  • Approval workflows

  • Review of custodian reports

  • Reconciliation procedures

  • Exception follow-up

WHY THEY MATTER:

If CUECs are not implemented:

  • Custodian controls insufficient alone

  • System as a whole incomplete

  • Residual risk remains

What the user must do:

  • Implement required CUECs

  • Document implementation

  • Include in own controls

REVIEW CHECKLIST:
□ What CUECs are listed?
□ Are you implementing them?
□ Can you document implementation?
□ Any gaps to address?


---
PROOF OF RESERVES (POR):

PURPOSE:
Demonstrate assets equal or exceed liabilities

ELEMENTS:

Reserves (assets):

  • Demonstrate control of assets

  • On-chain verification

  • Cryptographic proof

  • Point-in-time or continuous

Liabilities:

  • Customer obligations

  • Off-chain data typically

  • Aggregated balances

  • Privacy considerations

METHODS:

Cryptographic:

  • Merkle tree proofs

  • Zero-knowledge proofs

  • On-chain verification

  • Customer verification possible

Attestation:

  • Auditor/accountant verification

  • Point-in-time assessment

  • Procedures vary

  • Letter or report

Continuous:

  • Real-time verification

  • Automated systems

  • Dashboard access

  • Emerging practice

POR LIMITATIONS:

WHAT POR SHOWS:
✅ Assets exist at point in time
✅ Custodian controls addresses
✅ Assets ≥ liabilities (if proper)

WHAT POR DOESN'T SHOW:
❌ Asset quality/encumbrance
❌ Off-chain liabilities
❌ Related party transactions
❌ Operational controls
❌ Future solvency
❌ Complete picture

SPECIFIC LIMITATIONS:

Timing:

  • Snapshot only

  • Could window-dress

  • Doesn't show trends

  • Not continuous (usually)

Liability completeness:

  • Off-chain liabilities?

  • Contingent liabilities?

  • Intercompany obligations?

  • Complete picture uncertain

Asset encumbrance:

  • Pledged assets?

  • Collateral obligations?

  • Third-party claims?

  • Clean ownership?

Attestation quality:

  • Procedures vary

  • Not a full audit

  • Scope may be limited

  • Reliance assumptions

POST-FTX LESSONS:

What FTX showed:

  • "Proof of reserves" meaningless

  • Assets moved before/after

  • Liabilities understated

  • Complete fraud

Lessons:

  • POR necessary but not sufficient

  • Full audit still needed

  • Continuous monitoring better

  • Skepticism warranted

POR EVALUATION CHECKLIST:

METHODOLOGY:
□ What methodology was used?
□ Cryptographic or attestation?
□ Third-party verification?
□ Procedures described?

SCOPE:
□ What assets covered?
□ What liabilities included?
□ Any exclusions?
□ All customer types?

TIMING:
□ Point-in-time or continuous?
□ How recent?
□ Frequency of updates?
□ Historical availability?

ATTESTOR QUALIFICATIONS:
□ Who performed attestation?
□ What are their qualifications?
□ Independence verified?
□ Reputation/track record?

CUSTOMER VERIFICATION:
□ Can customers verify inclusion?
□ Merkle proof availability?
□ Privacy maintained?
□ Verification process clear?

GOOD INDICATORS:
✅ Reputable third party
✅ Clear methodology
✅ Cryptographic proof
✅ Customer verification possible
✅ Regular/frequent updates

CONCERNS:
⚠️ Self-attestation
⚠️ Vague methodology
⚠️ No third-party involvement
⚠️ Infrequent updates
⚠️ No customer verification

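An added worked example (not from the lesson or any custodian's published scheme) of the Merkle-tree method and the "can customers verify inclusion?" check above: a Merkle sum tree over a constructed liability snapshot, where each node carries a balance total so the root commits to total customer liabilities. The customer-side check rejects any sibling with a negative sum (a negative leaf would understate liabilities, the FTX-era concern) and compares the committed total against the reserves figure; the hashing layout and sample balances are assumptions of this example.

```python
import hashlib
from typing import List, Tuple

Node = Tuple[bytes, int]  # (hash, sum of balances committed under this node)
EMPTY: Node = (hashlib.sha256(b"empty").digest(), 0)  # zero-balance pad for odd rows

# Constructed sample liability snapshot (customer id, balance); not real data.
LEDGER = [("cust-a", 500), ("cust-b", 1250), ("cust-c", 0), ("cust-d", 75), ("cust-e", 40)]

def leaf(cust_id: str, balance: int) -> Node:
    # A negative leaf would let the prover shrink the committed total.
    if balance < 0:
        raise ValueError("negative balance would understate liabilities")
    return hashlib.sha256(f"leaf|{cust_id}|{balance}".encode()).digest(), balance

def parent(left: Node, right: Node) -> Node:
    # The hash commits to both children's hashes AND sums, so sums cannot be altered.
    data = (b"node|" + left[0] + left[1].to_bytes(16, "big", signed=True)
            + right[0] + right[1].to_bytes(16, "big", signed=True))
    return hashlib.sha256(data).digest(), left[1] + right[1]

def build_levels(ledger) -> List[List[Node]]:
    """Bottom-up levels; levels[-1][0] is the root published by the custodian."""
    levels = [[leaf(c, b) for c, b in ledger]]
    while len(levels[-1]) > 1:
        row = levels[-1] + ([EMPTY] if len(levels[-1]) % 2 else [])
        levels.append([parent(row[i], row[i + 1]) for i in range(0, len(row), 2)])
    return levels

def inclusion_proof(levels, index: int) -> List[Tuple[Node, bool]]:
    """Sibling path from one leaf to the root: [(sibling_node, sibling_is_left), ...]."""
    proof = []
    for row in levels[:-1]:
        row = row + ([EMPTY] if len(row) % 2 else [])
        proof.append((row[index ^ 1], (index ^ 1) < index))
        index //= 2
    return proof

def verify(cust_id, balance, proof, published_root: Node, onchain_reserves: int) -> bool:
    """Customer-side check: my balance is in the tree, no sibling carries a negative
    sum, the recomputed root matches the published one, and total <= reserves."""
    node = leaf(cust_id, balance)
    for sibling, sibling_is_left in proof:
        if sibling[1] < 0:
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == published_root and published_root[1] <= onchain_reserves
```

A passing check proves inclusion and that committed liabilities do not exceed the stated reserves at that snapshot; it says nothing about liabilities left out of the tree, pledged assets, or the next day.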
ISO 27001:

WHAT IT IS:
International standard for information security
management systems (ISMS)

Certification process:
- Implement ISMS
- Third-party audit
- Annual surveillance audits
- Three-year recertification

Control domains covered:
- Security policies
- Organization of security
- Human resources security
- Asset management
- Access control
- Cryptography
- Physical security
- Operations security
- Communications security
- System acquisition/development
- Supplier relationships
- Incident management
- Business continuity
- Compliance

WHAT IT MEANS FOR CUSTODY:

Positive Indicators:
✅ Structured security program
✅ Regular third-party review
✅ Continuous improvement
✅ Broad security coverage

Limitations:
⚠️ Not crypto-specific
⚠️ Scope varies
⚠️ Implementation varies
⚠️ Certification ≠ perfect security

VERIFICATION:
□ Is certificate current?
□ What's the scope?
□ Who certified (accredited body)?
□ Any non-conformities?

CRYPTOCURRENCY SECURITY STANDARD:

WHAT IT IS:
Crypto-specific security framework
Developed by CryptoCurrency Certification Consortium

LEVELS:
Level I: Basic security
Level II: Enhanced security
Level III: Advanced security (institutional)

AREAS COVERED:
1. Cryptographic Asset Management
2. Operations
3. Security

WHAT IT MEANS FOR CUSTODY:

Positive Indicators:
✅ Crypto-specific assessment
✅ Key management focus
✅ Operational procedures
✅ Level indicates rigor

Limitations:
⚠️ Less widespread than ISO
⚠️ Adoption varies
⚠️ Not universally accepted
⚠️ Newer standard

EVALUATION:
□ What level certified?
□ Who performed assessment?
□ What was scope?
□ Any gaps identified?

OTHER RELEVANT CERTIFICATIONS:

PCI DSS:
Relevance: If handling payment cards
Scope: Card data security
Value: Payment processing security

SOC 2 Type II:
Covered earlier, most important for custody

NIST Cybersecurity Framework:
Relevance: Framework alignment
Scope: Comprehensive cybersecurity
Value: Structured approach

CSA STAR:
Relevance: Cloud security
Scope: Cloud controls
Value: If cloud-based custody

CERTIFICATION EVALUATION FRAMEWORK:

Questions for every certification:
  1. Is it current?
  2. What's the scope?
  3. Who issued it?
  4. What does it actually cover?
  5. What are its limitations?

Principles:
  • Certifications complement each other
  • None are comprehensive alone
  • Combine with other DD elements
  • Ongoing verification needed

COMPREHENSIVE CONTROL EVALUATION:

TIER 1: INDEPENDENT VERIFICATION
□ SOC 2 Type II report
□ ISO 27001 certification
□ CCSS certification (if applicable)
□ Penetration test results
□ Proof of reserves

TIER 2: OPERATIONAL CONTROLS
□ Access management
□ Change management
□ Incident management
□ Business continuity
□ Vendor management

TIER 3: SECURITY CONTROLS
□ Key management
□ Network security
□ Application security
□ Physical security
□ Employee security

TIER 4: COMPLIANCE CONTROLS
□ AML/KYC (covered Lesson 11)
□ Regulatory compliance
□ Privacy controls
□ Audit trails

EVALUATION SCORING:

For Each Control Area:
Strong: Documented, tested, no issues
Adequate: Documented, minor issues
Weak: Gaps, material issues
Absent: No evidence of control

DOCUMENTATION REVIEW:

INITIAL REQUEST:
□ SOC 2 Type II (most recent)
□ Penetration test executive summary
□ ISO 27001 certificate
□ CCSS certificate (if applicable)
□ Proof of reserves attestation
□ Insurance certificates

REVIEW PROCESS:

Step 1: Check validity

  • All documents within validity

  • No expired certifications

  • Recent audit dates

Step 2: Check scope

  • Services used in scope

  • No critical carve-outs

  • Geographic coverage

Step 3: Identify findings

  • Exceptions in SOC

  • Non-conformities in ISO

  • Gaps in POR

  • Coverage limits in insurance

Step 4: Identify gaps

  • What's not covered?

  • What additional info needed?

  • What requires clarification?

Step 5: Follow up

  • Clarify exceptions

  • Understand carve-outs

  • Verify remediation

  • Assess materiality

Step 6: Retain the record

  • All received documents

  • Review notes

  • Follow-up correspondence

  • Assessment conclusions


SAMPLE SOC ANALYSIS:

Scenario: Reviewing custodian SOC 2 Type II

FINDINGS FROM REVIEW:

Positive:

  • Unqualified opinion
  • Full 12-month period
  • Security and availability criteria
  • No material exceptions

Notes:

  • 2 access control exceptions noted
  • 1 change management exception
  • Subservice org for cloud infrastructure
  • CUECs listed require implementation

Analysis:

Access Control Exceptions:
"Two instances where terminated employee
access was not removed within 24-hour policy"
Assessment: Minor operational exception
Remediation: Process improvement noted
Risk: Low

Change Management Exception:
"One instance of emergency change without
post-implementation documentation"
Assessment: Procedural gap
Remediation: Training provided
Risk: Low

Subservice Organization:
"AWS provides infrastructure services"
Assessment: Common arrangement
Note: Relies on AWS SOC reports
Action: Request AWS SOC confirmation

Conclusion:
Acceptable SOC report with minor exceptions
Implement required CUECs
Monitor for recurring exceptions

CONTROL EVALUATION DECISION:

GREEN LIGHT (Proceed):
✅ SOC 2 Type II, unqualified
✅ No material exceptions
✅ Current certifications
✅ Adequate POR
✅ All major controls covered

YELLOW LIGHT (Proceed with Conditions):
⚠️ Minor exceptions (monitor)
⚠️ Some certifications pending
⚠️ CUECs require attention
⚠️ Limited scope in some areas
→ Proceed with monitoring plan

RED LIGHT (Do Not Proceed):
🚩 Qualified SOC opinion
🚩 Material unresolved exceptions
🚩 No independent verification
🚩 Missing critical certifications
🚩 Major control gaps
→ Requires remediation before proceeding

KEY POINTS:

SOC 2 Type II provides meaningful assurance - Industry standard validation

Independent verification adds value - Third-party assessment important

POR is necessary but not sufficient - Shows assets, not complete picture

Certifications indicate commitment - Investment in security programs

RISKS:

⚠️ Exception materiality judgment - Context determines significance

⚠️ Certification quality variation - Not all certifications equal

⚠️ POR completeness - Off-chain liabilities uncertain

⚠️ Future performance - Past controls don't guarantee future

COMMON MISTAKES:

📌 Accepting certifications at face value - Must verify scope and currency

📌 Ignoring exceptions - May indicate systemic issues

📌 Over-relying on POR - Point-in-time, limited scope

📌 Checkbox approach - Certifications without substance

SOC reports, certifications, and POR provide valuable information—but only if you know how to read them. The details matter: scope, exceptions, methodology, timing. These documents inform judgment; they don't replace it.


Assignment: Analyze provided control documentation and prepare evaluation.

Scenario: You've received SOC 2 Type II, ISO 27001 certificate, and POR attestation from a custody provider. Evaluate the documentation.

  • Part 1: SOC Report Analysis (1.5 pages)
  • Part 2: Certification Evaluation (1 page)
  • Part 3: POR Assessment (1 page)
  • Part 4: Overall Conclusion and Gaps (1.5 pages)

Format: Professional evaluation report, 5 pages maximum

Time Investment: 3-4 hours


1. What is the key difference between SOC 2 Type I and Type II?
Answer: C - Type II tests operating effectiveness over a period; Type I only tests design

2. What are Complementary User Entity Controls (CUECs)?
Answer: B - Controls users must implement for the overall system to be effective

3. What is the primary limitation of proof of reserves?
Answer: A - Point-in-time snapshot that may not reflect complete liabilities

4. What should you do if a SOC report has minor exceptions?
Answer: D - Review materiality, monitor for patterns, assess remediation

5. Why are multiple forms of verification important?
Answer: B - Each has limitations; together they provide comprehensive view


End of Lesson 12

Total Words: ~4,200
Estimated Completion Time: 55 minutes reading + 3-4 hours for deliverable

Key Takeaways

1. SOC 2 Type II is the standard for custody evaluation
   - Type I is insufficient

2. Read SOC reports carefully
   - Exceptions, scope, carve-outs all matter

3. Proof of reserves has significant limitations
   - Not a complete picture

4. Certifications indicate commitment but aren't guarantees
   - Verify scope and currency

5. Integrate multiple sources for comprehensive view
   - No single document sufficient