The significance of managing risks associated with your vendors is more important than ever. As more companies outsource key processes, technologies, and data management and storage, many control activities are no longer directly performed by company personnel. However, the responsibility for those controls still resides with your company.
Outsourcing exposes your organization to risk and underscores the need for effective vendor risk management and due diligence. Experience has shown that security questionnaires and/or contractual clauses are not sufficient for critical vendors – organizations need independent validation that controls are not only properly designed, but also operating effectively at key vendors. Obtaining a vendor’s SOC report allows an organization to effectively monitor the controls in place at the vendor.
The SOC report that is provided to the service organization by an independent auditor is intended to provide the service organization’s customers, business partners, and auditors assurance on the internal control activities relevant to the service organization’s system.
There are three different SOC reports that a vendor may offer:
- SOC 1 is designed for financial transaction processing.
- SOC 2 is designed to certify the security, processing integrity, availability, confidentiality, and/or privacy of hosted systems and the data they store or process.
- A SOC 3 report covers the same testing procedures as a SOC 2 report, but it omits the detailed test results and is intended for general public distribution.
Assess the risk of your vendors:
Not all vendors pose the same risks to your organization. As such, not all vendors require a SOC report to validate that they are properly securing your data or accurately processing financial transactions (e.g., your cleaning crew, the company you buy office supplies from, etc.). However, vendors that have access to your company data, or that provide financial data used in your company’s financial statements, pose a much greater risk to your system of controls. These are simple examples of the type of company that should provide a SOC report.
Many of your critical vendors do not offer a SOC report. This increases your risk. While there is no requirement from a regulatory or industry perspective for any vendor to produce a SOC report, they are often performed due to requests from the vendor’s customers.
As you assess the risk of your vendors, you need to think broadly about who has the potential to negatively impact your system of internal controls. You need to ask the following questions about all of your vendors:
- Do they process business transactions on your behalf (401(k) administrators, other TPAs, billing outsourcers, payroll processors, etc.)?
- Do they perform some type of data processing on your behalf? Look beyond the normal day-to-day transaction processing of your vendors to those vendors that may be performing data analytics, data modeling, billing analysis, legal analysis, accounting, etc.
- Do they host your data processing equipment?
- Do they host key business applications that have sensitive/confidential data (e.g., HR information, electronic health records, banking transactions, enterprise resource planning, or accounting systems, etc.)?
- Do they perform key ancillary activities on your behalf such as network monitoring, security monitoring, etc.?
How to ask for a Report
- The most effective method is to ask for or demand it during contracting and vendor selection. A SOC report should be a requirement for all critical vendors.
- If the vendor is already in place, simply ask your account executive or sales representative.
- Some larger vendors (e.g., Google Cloud, AWS, Microsoft Azure, etc.) have links on their websites that allow you to request a copy of their respective SOC reports.
What if they don’t have a report?
At this point, you need to assess the importance of the outsourced controls to your financial statements, the risk associated with the data you have provided, and the criticality of the controls you have entrusted to that vendor. Some things to take into consideration:
- Are you subject to legal/regulatory requirements regarding the adequacy of your controls (e.g., HIPAA, GLBA, FDICIA, PCI, or the other alphabet soup of acronyms that are prescriptive in control requirements)?
- Do you have contractual obligations with your customers/clients to adequately protect their data?
At the end of the day, you’re responsible for monitoring the controls of your vendors. A SOC report is often the most efficient way to accomplish this, due to its comprehensive nature and the independence and objectivity of the auditor.
If you have questions about which report you should request from your vendors, please do not hesitate to contact Tom Skoog at 614-220-4131 or firstname.lastname@example.org. If your vendor does not have a SOC report to provide, please consider referring them to Blue & Co. by contacting us. We are happy to provide additional information or advice on the use of these reports.