Watch: Third-Party Risk Management: SOC Reporting

Date September 28, 2022
Highlights of the September 28 HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director; and Joel Van Horn, DPA/CITP, CISA, Senior Manager


Assessing your third-party service providers

  • Organizations are working with more third-party vendors than ever before
  • Vendors should be assessed for security
  • Ways to assess:

  • Vendor questionnaires: may not yield the answers you need, and some vendors will not cooperate
  • On-site audit: can be too time consuming and costly (e.g., travel)
  • ISO 27001 certification: attests that an information security management system is in place, but the certificate alone does not tell you which controls were tested or how they performed
  • SOC reporting is one of the best ways to assess a potential business partner: it is administered under the AICPA's stringent attestation standards, the report is very detailed, and it establishes that the company at least has controls in place
  • SOC 2 is the report most relevant to third-party security risk assessment

    Key terms include:

  • Service organization – company that handles transactions on behalf of its customers, like a payroll company
  • User entity – company that outsources its information or business processes to a service organization
  • Service auditor – CPA hired by a service organization to conduct an SOC examination
  • User auditor – CPA who audits a user entity
  • Subservice organizations – vendors the service organization itself relies on to deliver its service (the vendor's vendors); significant ones are either included in the report or carved out of it, and a carve-out is a gap you must assess separately
  • SOC (System and Organization Controls) reports

  • Report on effectiveness of the controls
  • Can cover a wide range of items, including financial reporting, the security of a particular system or systems
  • Why CPAs do SOC reporting

  • Security is a CPA area of specialization
  • Do a great deal of reporting, including SOC reports
  • Will provide an independent assessment
  • One SOC report can be provided to many customers and auditors, so the service organization does not have to communicate its controls to each of them separately
  • Benefits of an SOC examination

  • Reduce compliance costs and time spent on audits and filling out vendor questionnaires
  • Meet contractual obligations and marketplace concerns through flexible, customized reporting
  • Proactively address risks across your organization
  • Increase trust and transparency to internal and external stakeholders
  • Enhance reputation, credibility, marketability: set your organization apart from the competition that doesn’t have an SOC report
  • Lets others know you take security seriously
  • Types of SOC examinations

  • SOC 1: internal controls over financial reporting, such as payroll
  • SOC 2: trust services criteria – focused on security and other non-financial objectives; organized around five trust services categories
  • SOC 3: trust services criteria general-use report; a slimmed-down version of the SOC 2 report, without the detailed tests of controls, suitable for posting on a website
  • SOC for cybersecurity: cyber risk management report
  • SOC for supply chain – system for producing, manufacturing, or distribution
  • Types of reports

  • Type 1 – covers the design and implementation of controls as of a point in time; it does not test whether the controls operated
  • Type 2 – issued once controls have been in place for some time; covers design and implementation, but also the operating effectiveness of the controls over a specified period (commonly six to twelve months)
  • SOC 2 trust service criteria:

  • Security – required in every SOC 2 (the common criteria); the system is protected against unauthorized access, both logical and physical
  • Availability – the system is available for operation and use as committed or agreed
  • Processing integrity – system processing is complete, valid, accurate, timely, and authorized
  • Confidentiality – information designated as confidential is protected as committed or agreed
  • Privacy – personal information is collected, used, retained, disclosed, and disposed of in line with the commitments in the entity's privacy notice
  • Criteria common to SOC 2 reports: these nine groups strengthen the overall security posture and serve as a baseline of best-practice controls for any organization

  • CC1: control environment (organization and management controls) – the guidelines and procedures set at the top for employees; demonstrates a commitment to integrity and ethical values
  • CC2: communication and information – relevant information is obtained, generated, and communicated to internal and external personnel
  • CC3: risk assessment – a formal program is in place to identify, assess, and mitigate risks, including how changes affect the system's controls; organizations without a formal program should expect the auditor to ask how risk is assessed
  • CC4: monitoring activities – data is collected and monitored, results are reported to the relevant individuals, and corrections are tracked to completion
  • CC5: control activities – the entity selects and develops control activities that mitigate the risks identified in the risk assessment process
  • CC6: logical and physical access – a wide-ranging group of controls over who can reach specific systems and areas of the company; the required sophistication depends on the sensitivity of the data in the system, so more sensitive data calls for stronger controls
  • CC7: system operations – monitoring for vulnerabilities and security events, and a formal incident response program that is reviewed
  • CC8: change management – a formal process exists to test and implement changes, including software updates and security patches, and to confirm the system continues to function properly afterward
  • CC9: risk mitigation – identifies, selects, and develops mitigation activities for risks arising from potential business disruptions; manages the risk associated with vendors and other business partners
  • Components of an SOC 2 report

  • Section 1: independent service auditor's report – the auditor's opinion on whether the system description is fairly presented, the controls are suitably designed and (in a Type 2) operated effectively to meet the criteria
  • Section 2: management's assertion – the facts management asserts to the auditor about the system under examination
  • Section 3: management's description of the system – details the system being reported on; used to determine the boundary, infrastructure, controls, complementary user entity controls, subservice organizations, and other system information
  • Section 4: identified controls and tests of controls – lists each criterion, the management controls in place to address it, the tests the service auditor performed, and the results; exceptions are listed here, and management may respond to them (often in a Section 5)
  • Complementary user entity controls – controls the service organization assumes, in designing its system, that its customers (the user entities) will implement; if you do not implement them, the vendor's controls alone do not achieve the objective
  • Complementary subservice organization controls – controls the service organization assumes, in designing its system, that its subservice organizations will implement and that are necessary to achieve the control objectives
  • Three steps for using reports to assess third-party risk:

  • Inventory your third-party service providers
  • Obtain an SOC report for each
  • Review each report: check the scope and boundary, the coverage period, the opinion, the exceptions and management's responses, the carved-out subservice organizations, and the complementary user entity controls you are expected to implement; identify gaps and follow up with the vendor on them
  • Misconceptions

  • “All we need to know is that the vendor has an SOC report” – the existence of a report says nothing about its scope, period, opinion, or exceptions; read it
  • “The vendor provided an old report and said nothing has changed” – a report only speaks to its stated period; ask for a bridge letter covering the gap and for the current report when it is issued
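The three review steps and the two misconceptions above translate into a handful of checks that can be run over a vendor inventory. The following is an added example, not code from the HBK webinar: it flags vendors with no report, Type 1-only reports, coverage periods that have gone stale without a bridge letter, qualified opinions, unanswered Section 4 exceptions, scope that omits the confidentiality category for vendors holding confidential data, and complementary user entity controls that have not been mapped to your own controls. The vendor names, dates, and the 90-day and 180-day thresholds are constructed assumptions, not AICPA rules.

```python
"""Triage third-party vendors by the SOC reports on file.

Added example for illustration; vendors, dates and thresholds are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed thresholds (policy choices, not AICPA requirements): how long after the
# covered period we tolerate no fresh evidence, and how far a bridge letter may
# reasonably stretch an old report before a new Type 2 is due.
MAX_STALE_DAYS = 90
MAX_BRIDGE_DAYS = 180

# Constructed "today" for the example: the webinar date.
AS_OF = date(2022, 9, 28)


@dataclass
class SocReport:
    soc_type: str                  # "SOC 1" (financial reporting) or "SOC 2" (trust services criteria)
    report_type: int               # 1 = design as of a date, 2 = operating effectiveness over a period
    period_start: date
    period_end: date               # for a Type 1 this is the "as of" date
    opinion: str                   # "unqualified" or "qualified"
    exceptions: int                # exceptions listed in Section 4
    exceptions_responded: bool     # management response present (typically Section 5)
    criteria: frozenset[str] = frozenset()   # SOC 2 categories in scope
    bridge_letter_to: date | None = None     # bridge (gap) letter extending assurance past period_end
    cuecs_mapped: bool = False     # have we mapped the complementary user entity controls to ours?


@dataclass
class Vendor:
    name: str
    handles_confidential_data: bool
    report: SocReport | None = None


def coverage_end(r: SocReport) -> date:
    """Last date the evidence speaks to: the bridge letter if there is one, else the period end."""
    return r.bridge_letter_to or r.period_end


def review_vendor(v: Vendor, today: date) -> list[tuple[str, str]]:
    """Return (code, message) findings that need follow-up with the vendor."""
    r = v.report
    if r is None:
        return [("NO_REPORT", "no SOC report on file; request one or fall back to a questionnaire or audit")]
    out: list[tuple[str, str]] = []
    if r.soc_type != "SOC 2":
        out.append(("NOT_SOC2", f"{r.soc_type} covers financial reporting controls, not the security criteria"))
    if r.report_type == 1:
        out.append(("TYPE1_ONLY", "Type 1 covers design at a point in time; operating effectiveness was not tested"))
    stale_days = (today - coverage_end(r)).days
    if stale_days > MAX_STALE_DAYS:
        out.append(("STALE_COVERAGE", f"evidence ends {coverage_end(r)}, {stale_days} days ago; "
                                      "request a bridge letter or the current report"))
    if r.bridge_letter_to and (r.bridge_letter_to - r.period_end).days > MAX_BRIDGE_DAYS:
        out.append(("BRIDGE_TOO_LONG", "bridge letter stretches the old report too far; ask for the new Type 2"))
    if r.opinion != "unqualified":
        out.append(("QUALIFIED_OPINION", "auditor's opinion is qualified; read Section 1 for the reason"))
    if r.exceptions and not r.exceptions_responded:
        out.append(("OPEN_EXCEPTIONS", f"{r.exceptions} Section 4 exception(s) without a management response"))
    if r.soc_type == "SOC 2" and v.handles_confidential_data and "confidentiality" not in r.criteria:
        out.append(("SCOPE_GAP", "vendor holds our confidential data but confidentiality is not in scope"))
    if not r.cuecs_mapped:
        out.append(("CUECS_UNMAPPED", "complementary user entity controls not mapped to our own controls"))
    return out


def triage(vendors: list[Vendor], today: date) -> dict[str, list[tuple[str, str]]]:
    """Findings per vendor, most findings first, so review time goes where the gaps are."""
    results = {v.name: review_vendor(v, today) for v in vendors}
    return dict(sorted(results.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def sample_inventory() -> list[Vendor]:
    """Constructed inventory exercising each finding."""
    return [
        Vendor("Payroll Co", True, SocReport("SOC 1", 2, date(2021, 4, 1), date(2022, 3, 31),
                                             "unqualified", 0, True, bridge_letter_to=date(2022, 9, 30))),
        Vendor("Cloud Host", True, SocReport("SOC 2", 2, date(2021, 7, 1), date(2022, 6, 30),
                                             "unqualified", 2, True,
                                             frozenset({"security", "availability"}), cuecs_mapped=True)),
        Vendor("Ticketing SaaS", False, SocReport("SOC 2", 1, date(2022, 1, 15), date(2022, 1, 15),
                                                  "unqualified", 0, True, frozenset({"security"}), cuecs_mapped=True)),
        Vendor("Analytics Startup", False, None),
        Vendor("Old Report Inc", False, SocReport("SOC 2", 2, date(2020, 10, 1), date(2021, 9, 30),
                                                  "qualified", 3, False, frozenset({"security"}), cuecs_mapped=True)),
    ]


if __name__ == "__main__":
    for name, findings in triage(sample_inventory(), AS_OF).items():
        print(f"{name}: {len(findings)} finding(s)")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Running it puts the two vendors with three findings each at the top. Note that a vendor with no report at all lands near the bottom purely on count; in practice you would weight `NO_REPORT` above a single scope gap, which is a one-line change to the sort key.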
  • Achieving SOC 2 status

  • Start with a readiness assessment: a consulting engagement that identifies your service commitments, system requirements and boundaries, and the criteria most relevant to your organization. The assessor interviews staff and reviews policies to identify the controls in place, then issues a formal letter listing any gaps with recommendations on how to mitigate or reduce those weaknesses.
  • Obtain a Type 1 report
  • Move on to a Type 2 report, which involves the auditor returning after a specified period, testing the operating effectiveness of the controls in place, and reporting on any exceptions
  • Speak to one of our professionals about your organizational needs
