When it comes to managing third-party risk, most organizations already have a formal due diligence process for evaluating potential vendors. Having an established vetting process in place is a must. However, organizations should also continually monitor third parties, especially those that provide vital services to the organization, or "key service providers." If a key service provider were to suddenly fail and go out of business, have serious control failures, or suffer a data breach, the repercussions could be disastrous for your organization. If your organization regularly assesses its vendors, it is more likely to avoid sudden problems arising from unreliable vendors.
There are various ways to monitor third parties. The right approach is different for each vendor and can be based on several factors, including the services provided by the vendor, the vendor's background and history, and the data being exchanged with the vendor. As with the approach, the frequency of monitoring activity can depend on the nature of the vendor relationship: it may be more frequent, with regular meetings and vendor reports, or less often, but at least annual, by sending your vendors questionnaires or reviewing their Service Organization Control (SOC) reports. It is recommended to use a combination of these methods to attentively monitor your organization's vendors and gain comfort over their ability to perform their services.
Depending on the type of services provided, one way to monitor key service providers is through regularly scheduled meetings with your vendor contact. Through regular meetings with, for example, an IT managed services provider, you can gather current information about the status of IT projects, discuss any changes in the pipeline, and identify potential issues before they become serious. Regular meetings with vendors may not always be possible or make the most sense due to schedules and time constraints.
Another option is reviewing vendor reports to confirm your vendor is meeting its obligations as specified in the vendor contract. With this option, your organization is relying on the reports supplied by the vendor. This may be a good option for verifying uptime statistics, identifying and remediating data backup failures, and reconciling the accuracy of data processed through the third party.
Every organization utilizing third-party service providers (user entities) should practice due diligence wherever possible by evaluating their key service provider's control environment. This information can be gathered from a SOC report prepared by an independent auditor through an SSAE 18 audit. If you have never heard of a SOC report, you may be surprised how many of your key service providers have one. There are three types of SOC reports that are targeted toward different audiences:
Additionally, a SOC report can either be Type I or Type II:
A service organization with a Type I report is typically undergoing a SOC examination for the first time, in order to build readiness for recurring Type II examinations.
The type of report will depend on what information you deem relevant to your organization. If your organization must be compliant with Sarbanes-Oxley (SOX) requirements, you may want to request a SOC 1 report from service providers that have an impact on financial statement information. If the security, availability, processing integrity, confidentiality, or privacy of data is a concern, request a SOC 2 report covering the relevant trust services criteria. For example, controls around availability would be a concern if your organization is relying on a software-as-a-service (SaaS) provider to keep its application up and running without disruption. In some instances, you may want to request both a SOC 1 and a SOC 2 report to cover all applicable areas of concern. Since a SOC 3 report does not include a detailed description of the service provider's system or controls, it is not recommended for use in performing a vendor control review.
There are three key areas of a SOC 1 or SOC 2 report that should be reviewed:
If your key service provider does not have a SOC report available, you should request that they undergo a SOC audit to get the best understanding of the control environment. Alternatively, you can prepare a questionnaire. It is important to note that a questionnaire will not replace a vendor's SOC report if you are required to specifically review your vendors' SOC reports to meet the requirements of an external financial statement audit, contractual agreements, or regulatory obligations.
A vendor questionnaire does not need to be 300 questions long. Rather, you should tailor it to include questions that are relevant to the risks the vendor may present to your organization. If your vendor provides colocation services, you should ask questions about their physical access controls. A vendor that processes data should receive questions about controls over the completeness and accuracy of the data. Additionally, the questions should be specific enough to be answered with a short response. Any "no" or "not applicable" answers should be investigated through inquiry with the vendor contact.
These are the most common ways to continually monitor vendors with relatively minimal cost and effort. There are other ways to monitor vendors not discussed in this article, such as using vendor management software or conducting on-site vendor audits. Whichever methods your organization decides to use, a formally documented vendor management policy should be implemented and reviewed at least annually by a designated individual.
If you are interested in establishing and maintaining a service provider and vendor control monitoring process for your organization, our Risk Advisory Services team can work with you. Our internal control consultants will provide guidance on how to review your vendor's SOC reports and prepare questionnaires to best address the vendor control risks facing your organization.
For more information regarding how Freed Maxick can improve how you monitor your vendor controls, please call 716.847.2651 or contact us here.