You most likely selected the link to this blog to discover one of two things: 1) how to effectively manage vendor requirements via SOC reports or 2) what the SOC 1/SOC 2 examination requirements are for vendor management. I don’t want to disappoint, so this article will provide you with some knowledge or at least some validation of your current thoughts on the matter.
Is Requesting Your Vendors’ SOC Report an Effective Form of Vendor Management?
Yes…with the appropriate follow-through. A lot of companies ask for SOC reports, but many never actually read them. Most will likely view their job as finished once the report is received. Once the report is in hand, organizations have a tendency to simply “check the box” and move on. However, without thoroughly digesting the SOC report, how can the organization know that the risks associated with using that vendor are actually addressed and mitigated?
The key is to review the provided report, identify the areas of key risk and concern, and follow up with the vendor should any notion of unacceptable risk remain. Your vendor may not have controls in place that you deem necessary to mitigate the risks inherent in the partnership and business model. The vendor may not even be in the right ballpark, and may still be providing a SOC 1 report instead of a SOC 2 report (or vice versa) and be missing all of the relevant criteria and controls that would help the vendor address the risks your organization is rightfully concerned about. Without fully digesting the provided report, simply requesting your vendors’ SOC report will not, and does not, serve as an effective form of vendor management.
In developing a comprehensive vendor management program, there are many other avenues to be explored, some of which are required and detailed in SOC examinations themselves.
How SOC Examinations Incorporate Vendor Management
How your SOC examination, or prospective SOC examination, approaches the ever-important topic of vendor management depends on the type of SOC examination being performed. If your company is in the process of or considering a SOC 1, the requirements and expectations for vendor management will differ from those in a SOC 2, and vice versa.
SSAE 18, effective May 2017, requires that all SOC examinations include an evaluation of an organization’s vendor management program (certain vendors are referred to as subservice organizations in the SOC framework). Per AT-C 320.A27 of the standard, under Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting:
Management’s description of the service organization’s system and the scope of the service auditor’s engagement includes controls at the service organization that monitor the effectiveness of controls at the subservice organization, which may include some combination of ongoing monitoring to determine that potential issues are identified timely and separate evaluations to determine that the effectiveness of internal control is maintained over time. Such monitoring activities may include:
- reviewing and reconciling output reports,
- holding periodic discussions with the subservice organization,
- making regular site visits to the subservice organization,
- testing controls at the subservice organization by members of the service organization’s internal audit function,
- reviewing type 1 or type 2 reports on the subservice organization’s system prepared pursuant to this section or section 205, and
- monitoring external communications, such as customer complaints relevant to the services by the subservice organization.
The guidance above is important as it outlines subservice organization practices to be considered under SOC 1, which heretofore have been almost nonexistent. The list also demonstrates some elements that an organization would be expected to have in place under SOC examinations in general, as subservice organization monitoring practices have been expected under SOC 2 reports for quite some time. Although these activities are not specifically required, as in some frameworks, organizations are expected to have some sort of monitoring/management program in place and these are excellent starting points in developing a comprehensive vendor management program.
If your organization is about to undergo, or has already undergone, a SOC 2 examination, you should find the requirements as they relate to vendor management to be intermixed amongst the criteria. Organizations that utilize subservice organizations within their system to aid in the delivery of services should already have some sort of vendor management program in place and should be able to provide controls and evidence speaking to those practices. Depending on the criteria in scope for your organization’s environment, your exposure to criteria pertaining to vendor management practices may vary.
For example, vendor management would most likely have been considered when determining the controls to meet section CC3.0: Common Criteria Related to Risk Management and Design and Implementation of Controls, within the 2016 TSP Section 100A. The criterion at CC3.1 states:
CC3.1: The entity (1) identifies potential threats that could impair system security, availability, processing integrity, confidentiality, and privacy commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system), (2) analyzes the significance of risks associated with the identified threats, (3) determines mitigation strategies for those risks (including implementation of controls, assessment and monitoring of vendors and other third parties providing goods or services, as well as their activities, and other mitigation strategies), (4) identifies and assesses changes (for example, environmental, regulatory, and technological changes and results of the assessment and monitoring of controls) that could significantly affect the system of internal control, and (5) reassesses, and revises, as necessary, risk assessments and mitigation strategies based on the identified changes.
As the criterion speaks to identifying threats, analyzing associated risks, and determining mitigation strategies, it should encompass all manner of risks impacting security (as well as any other criteria in scope), including those associated with using subservice organizations. And as the latter part of the criterion states that the organization should identify and assess changes and reassess and revise risk assessments and mitigation strategies based on those identified changes, it would make sense to reevaluate risks associated with vendors on a defined recurring basis.
If additional Trust Services Principles and Criteria are in scope, as mentioned earlier, exposure to criteria with aspects of vendor management will increase. Some instances of these additional criteria can be found below:
C1.4: The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality system requirements from vendors and other third parties whose products and services are part of the system and have access to confidential information.
C1.5: Compliance with the entity’s confidentiality commitments and system requirements by vendors and other third parties whose products and services are part of the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary.
C1.6: Changes to the entity’s confidentiality commitments and system requirements are communicated to internal and external users, vendors, and other third parties whose products and services are part of the system.
P6.4: The entity obtains privacy commitments from vendors and other third parties whose products and services are part of the system and who have access to personal information processed by the system that are consistent with the entity’s privacy commitments and system requirements.
P6.5: Compliance with the entity’s privacy commitments and system requirements by vendors and other third parties whose products and services are part of the system and who have access to personal information processed by the system is assessed on a periodic and as-needed basis and corrective action is taken, if necessary.
P6.6: The entity obtains commitments from vendors and other third parties that may have access to personal information processed by the system, to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on to meet the entity’s established incident response procedures, privacy commitments, and system requirements.
As stated above, the extent of requirements related to vendor management will depend on the type of SOC examination your organization goes through. Any organization that has subservice organizations in scope for a SOC examination, which again are vendors that are integral to the delivery of services, will be expected to have some degree of a vendor management program in place. By implementing a vendor management program, not only can your organization expect to meet these requirements during its next SOC examination, it can also sleep soundly knowing that it is effectively assessing and mitigating the risks that vendors/subservice organizations pose to its shareholders.
About the Author
Chris Lippert is a Senior Associate at Schellman and is based in Atlanta, GA. With more than 5 years of experience in information assurance, Chris has a concentration in SOC and privacy engagements. He is a member of the International Association of Privacy Professionals (IAPP) and advocates for privacy by design and the adequate protection of personal data in today’s business world.