The importance of vendor management continues to rise across all industries, especially given the large growth in outsourcing functions to a third party. According to recent information security studies, third parties are the number one security risk to financial services and 60 percent of all targeted attacks struck small and medium sized businesses. However, 23 percent of companies do not evaluate third parties at all, and most companies do not have a formal process for assessing third party partner capabilities before doing business with them.
How do you help your company avoid being part of these statistics? A main component to evaluating the controls at a third party is performing regular due diligence and reviews of vendor controls. One way to accomplish this is to request assurance documentation such as the Statement on Standards for Attestation Engagements No. 18 (SSAE18) SOC 1 or SOC 2. SSAE 18 is part of the Service Organization Control (SOC) framework. A SOC report is the result of a review of a service organization’s controls and the controls that are reviewed vary with the type of SOC report.
A SOC report should be requested and reviewed for any company that stores, accesses, transmits, or processes non-public information (NPI). The following is a reference guide that will help an organization determine which report is applicable for each service provider relationship.
Quick SOC Report Reference Guide
SOC reports are intended to provide you with an understanding of a service organization’s controls and if the controls are working effectively.
SOC 1 Report
Reports on the review of the Internal Controls over Financial Reporting (ICFR) at a Service Organization (SO). Allowed to include any controls the SO chooses.
Type 1: Report on suitability of the design
Type 2: Report on suitability of the design AND operating effectiveness of controls
SOC 2 Report
Reports on a review of a SO’s controls that meet the Trust Service Criteria of Security, Availability, Processing Integrity, Confidentiality, and Privacy. Prescribed controls; not all criteria may apply.
Type 1: Report on suitability of the design
Type 2: Report on suitability of the design AND operating effectiveness of controls
SOC 3 Report
Similar to SOC 2 report but with fewer report restrictions.
SOC Report Trust Criteria
Common Criteria (CC): The system is protected against unauthorized access (both physical and logical). (28 Controls). All SOC 2 reports must include the Common Criteria, which covers the previously named Security Principle.
Availability: The system is available for operation and use as committed or agreed. (CC + 3 Controls)
Processing Integrity: System processing is complete, accurate, timely, and authorized. (CC + 6 Controls)
Confidentiality: Information designated as confidential is protected as committed or agreed. (CC + 6 Controls)
Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA (10 main GAPP Controls).
The Common Criteria cover the following areas:
- Organization and management
- Communications
- Risk management
- Monitoring of controls
- Logical and physical access controls
- System operations
- Change management
Reviewing an SOC Report
Now that you have requested the applicable report, what’s next? Key components to reviewing a SOC report include the following, all of which should be documented:
- If the vendor offers multiple services or systems, review to ensure that the report includes in-scope information and controls.
- Look for an opinion from a CPA firm. All SOC reports must be performed by a CPA or CPA firm and their opinion should be unqualified.
- Ensure that all of the internal controls that your organization requires are in place at the vendor as well.
- Review the exceptions listed in the report, if any, and make sure that the exceptions were addressed by the vendor. This may require further investigation if you do not gain comfort from managements response to the exception.
- Always review the Complimentary User Entity controls section, which is often overlooked. This is the list of controls that the vendor feels are essential to achieving some of its own control objectives.
- You may also want to look at collecting items such as policies and procedures, compliance documentation (such as GLBA), disaster recovery plans, and financial reports.
If a SOC report cannot be supplied, the organization should request other pertinent compliance information from any third-party vendor that meets the description noted above. If such data cannot be supplied, the organization must assess the vendor as a critical vendor and implement any needed controls internally to mitigate the risks of exposure. Addressing the adequacy of third-party vendor controls, including those mentioned above, will help reduce the risk of data loss, which can lead to fines, sanctions, and reputational damage.
Remember, outsourcing a task or function does not mean you have outsourced the responsibility.
Allison Hall is an experienced assistant accountant based out of our Rochester, NY office. Jillian Martucci is a manager based out of our Rochester, NY office.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal, or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, a consultant-client relationship.