When it comes to managing third-party risk, most organizations already have a formal due diligence process for evaluating potential vendors. Having an established vetting process in place is a must. However, organizations should also continually monitor third parties, especially those that provide vital services to the organization, or "key service providers." If a key service provider were to suddenly fail and go out of business, have serious control failures, or suffer a data breach, the repercussions could be disastrous for your organization. If your organization regularly assesses vendors, it is more likely to avoid sudden problems arising from unreliable vendors.
There are various ways to monitor third parties. The right approach differs for each vendor and can depend on several factors, including the services provided by the vendor, the vendor's background and history, and the data being exchanged with the vendor. As with the approach, the frequency of monitoring can depend on the nature of the vendor relationship: more frequent monitoring through regular meetings and vendor reports, or less frequent, but at least annual, monitoring by sending your vendors questionnaires or reviewing their Service Organization Control (SOC) reports. It is recommended to use a combination of these methods to attentively monitor your organization's vendors and gain comfort over their ability to perform their services.
Assessing Key Service Providers with Regular Meetings and Vendor Reports
Depending on the type of services provided, one way to monitor key service providers is through regularly scheduled meetings with your vendor contact. Through regular meetings with, for example, an IT managed services provider, you can gather current information about the status of IT projects, discuss any changes in the pipeline, and identify potential issues before they become serious. Regular meetings with vendors may not always be possible or make the most sense due to schedules and time constraints.
Another option is reviewing vendor reports to confirm your vendor is meeting its obligations as specified in the vendor contract. With this option, your organization is relying on the reports supplied by the vendor. This may be a good option for verifying up-time statistics, identifying and remediating data backup failures, and reconciling the accuracy of data processed through the third party.
Assessing Key Service Providers with SOC Reports
Every organization utilizing third-party service providers (user entities) should practice due diligence wherever possible by evaluating their key service provider's control environment. This information can be gathered from a SOC report prepared by an independent auditor through an SSAE 18 audit. If you have never heard of a SOC report, you may be surprised how many of your key service providers have one. There are three types of SOC reports that are targeted toward different audiences:
- SOC 1 Report - Covers the service organization's internal controls that are relevant to the user entity's financial statement assertions
- SOC 2 Report - Covers internal controls at a service organization as they relate to security, availability, processing integrity, confidentiality, and/or privacy
- SOC 3 Report - Provides assurance on the controls at a service organization, but is a general-use report that does not contain the detailed information provided in a SOC 2 report.
Additionally, a SOC report can either be Type I or Type II:
- Type I - The attestation of controls is as of a specific point in time. A Type I examination reports on the design of a service organization's controls.
- Type II - The attestation of controls covers a period of time, usually 6 months or 1 year. A Type II examination reports on both the design and the operating effectiveness of a service organization's controls.
A service organization with a Type I report is typically undergoing a SOC examination for the first time, as preparation for recurring Type II examinations.
Which SOC report should my organization request?
The type of report will depend on what information you deem relevant to your organization. If your organization must be compliant with Sarbanes-Oxley (SOX) requirements, you may want to request a SOC 1 report from service providers that have an impact on financial statement information. If the security, availability, processing integrity, confidentiality, or privacy of data is a concern, request a SOC 2 report covering the relevant trust criteria. For example, controls around availability would be a concern if your organization is relying on a software-as-a-service (SaaS) provider to keep its application up and running without disruption. In some instances, you may want to request both a SOC 1 and a SOC 2 report to cover all applicable areas of concern. Since a SOC 3 report does not include a detailed description of the service provider's system or controls, it is not recommended for use in performing a vendor control review.
What do I look for in a SOC report?
There are three key areas of a SOC 1 or SOC 2 report that should be reviewed:
- Service Auditor's Opinion - The service auditor will include an opinion on whether management's description of the service organization's system is presented fairly and whether the controls in the service organization's system are suitably designed (and, for a Type II report, operating effectively). If the opinion is not clean (unqualified), your organization should determine why that opinion was given and how it could impact your organization.
- Complementary User Entity Controls (CUECs) - CUECs are controls that the service organization expects your organization (the user entity) to have placed in operation; the service organization's controls are designed on the assumption that they exist. This section should be reviewed to determine which CUECs are applicable to your organization and whether each applicable CUEC is actually in place.
- Control Exceptions and Management's Response - A SOC 1 or SOC 2 report will list the service organization's controls and detail any exceptions noted in the design (Type I) or operating effectiveness (Type II) of each control. If any exceptions (sometimes called "deviations") are noted, you should review the cause of the exception and management's response to evaluate whether the finding has a material impact on your organization's reliance on that vendor.
Assessing Key Service Providers with Questionnaires
If your key service provider does not have a SOC report available, you should request that they undergo a SOC audit, as this gives the best understanding of their control environment. Alternatively, you can prepare a questionnaire. It is important to note that a questionnaire will not replace a vendor's SOC report if you are specifically required to review your vendors' SOC reports to meet the requirements of an external financial statement audit, contractual agreements, or regulatory obligations.
A vendor questionnaire does not need to be 300 questions long. Rather, you should tailor it to include questions that are relevant to the risks the vendor may present to your organization. If your vendor provides colocation services, you should ask questions about their physical access controls. A vendor that processes data should receive questions about controls over the completeness and accuracy of that data. Additionally, the questions should be specific enough to be answered with a short response. Any "no" or "not applicable" answers should be followed up through inquiry with the vendor contact.
These are the most common ways to continually monitor vendors with relatively minimal cost and effort. There are other ways to monitor vendors not discussed in this article, such as using vendor management software or conducting on-site vendor audits. Whichever methods your organization decides to use, a formally documented vendor management policy should be implemented and reviewed at least annually by a designated individual.
Connect with a Freed Maxick Internal Controls Consultant
If you are interested in establishing and maintaining a service provider and vendor control monitoring process for your organization, our Risk Advisory Services team can work with you. Our internal control consultants will provide guidance on how to review your vendor's SOC reports and prepare questionnaires to best address the vendor control risks facing your organization.
For more information regarding how Freed Maxick can improve how you monitor your vendor controls, please call 716.847.2651 or contact us here.