Highlights of the September 28 HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director; and Joel Van Horn, DPA/CITP, CISA, Senior Manager
Assessing your third-party service providers
Organizations are working with more third-party vendors than ever before
Vendors should be assessed for security
Ways to assess:
Vendor questionnaires: might not get the answers you’re looking for; some will not cooperate
Audit: can be too time consuming and costly (e.g., travel)
ISO 27001 certification: covers IT controls
But SOC reporting is one of the best ways to assess potential business partners:
Administered according to the AICPA’s stringent reporting requirements
Very detailed report
A good foundation for knowing that the company you’re working with at least has controls in place
SOC 2: third party risk assessment
Key terms include:
Service organization – company that handles transactions on behalf of its customers, like a payroll company
User entity – company that outsources its information or business processes to a service organization
Service auditor – CPA hired by a service organization to conduct an SOC audit
User auditor – CPA who audits a user entity
Subservice organizations – vendors of substantial significance to the service organization
SOC (System and Organization Control) reports
Report on effectiveness of the controls
Can cover a wide range of items, including financial reporting, the security of a particular system or systems
Why CPAs do SOC reporting
Security is a CPA area of specialization
Do a great deal of reporting, including SOC reports
Will provide an independent assessment
Use SOC reports to provide to customers or auditors to minimize the burden on the service organization to communicate on each of their controls independently
Benefits of an SOC examination
Reduce compliance costs and time spent on audits and filling out vendor questionnaires
Meet contractual obligations and marketplace concerns through flexible, customized reporting
Proactively address risks across your organization
Increase trust and transparency to internal and external stakeholders
Enhance reputation, credibility, marketability: set your organization apart from the competition that doesn’t have an SOC report
Lets others know you take security seriously
Types of SOC examinations
SOC 1: internal controls over financial reporting, such as payroll
SOC 2: trust service criteria – focused on security and on areas other than financial reporting; includes five trust service principles
SOC 3: trust service criteria general use report; a slimmed-down version of the SOC 2 report that can be posted on a website
SOC for cybersecurity: cyber risk management report
SOC for supply chain – system for producing, manufacturing, or distribution
Types of reports
Type 1 – covers design and implementation of controls designed to address service commitments
Type 2 – once controls have been in place for some time; covers design and implementation, but also operating effectiveness of controls over a specified period of time
SOC 2 trust service criteria:
Security – required, the system is protected against unauthorized access
Availability – the system is available for operation and use as committed or agreed to
Processing integrity – what the system is processing is complete, accurate, and authorized
Confidentiality – if data is sensitive
Privacy – making sure personal information gathered is compliant with commitments in the entity’s privacy notice
Common criteria for SOC 2 reports: these help strengthen overall security posture and represent best practices for an organization’s controls
CC1: organization and management controls – focused on top-level guidelines for employees and the procedures in place; demonstrate a commitment to integrity and ethical values
CC2: communication and information – relevant information is obtained, retained, and communicated to internal and external personnel
CC3: risk assessment – have a formal program in place to identify, assess, and mitigate risks; see how changes implemented impact the system controls; auditors can periodically assess risk for organizations that don’t have a formal program in place
CC4: monitoring – ensure you’re collecting and monitoring data and reporting to relevant individuals, and seeing that corrections are getting done
CC5: control activities – ensure the entity selects and develops control activities that mitigate the risks identified in the risk assessment process
CC6: logical and physical access – wide ranging control; access controls related to specific areas of the company; dependent on the information included in the system for which controls are in place; the more sensitive the data, the more sophisticated the control required
CC7: system monitoring – for vulnerabilities and security events, including review of formal program of incident response
CC8: change management – ensure a formal process is in place for testing and implementing changes, including software updates and security patches, and that the system continues to function properly afterward
CC9: risk mitigation – identifies, selects, and develops risk mitigation activities for risk arising from potential business disruptions; manages risk associated with vendors and other business partners
Components of an SOC 2 report
Section 1: Independent service auditor’s report – provides auditor’s opinion on the system description, design, and operating effectiveness required to meet control objectives
Section 2: communicates facts and assertions made by management on what they have asserted to the auditor related to the systems under audit
Section 3: management’s description of the system – details the system being reported on; used to determine boundary, infrastructure, controls, user entity controls, and other system information
Section 4: identified controls and test of controls – shows criteria, management controls in place to address criteria, test performed by service auditor and the test results; can list exceptions and give management opportunity to address exceptions (which could be in a Section 5)
User entity controls – controls the vendor assumes the user entity will put in place alongside the system; the user entity must implement these controls for the vendor’s control objectives to be achieved
Service organization controls – controls that the service organization’s management assumes in the design of the system and implements as necessary to achieve the control objectives
Three steps for using reports to assess third-party risk:
List the third-party service providers
Obtain a SOC report for each
Review those reports to see how the vendors handle security processes, identify any gaps, and follow up with vendors on gaps
Misconceptions
“All we need to know is that the vendor has an SOC report”
“The vendor provided an old report and said nothing has changed”
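The three-step review described above, together with the two misconceptions, can be turned into a repeatable check. The following is an added example written for this summary, not code from HBK or the webinar: it walks a constructed list of vendors, records whether a SOC 2 report was obtained, and flags the gaps a reviewer would follow up on (no report, a report older than an assumed 12-month window, a Type 1 report where operating effectiveness has not been tested, the required Security criterion or the Confidentiality criterion missing for a vendor holding sensitive data, Section 4 exceptions, and user entity controls the reviewing organization has not implemented). The vendor names, dates, criteria sets and the 365-day staleness threshold are all constructed assumptions.

```python
"""Vendor SOC 2 report review tracker (added example, not from the webinar).

Vendor records, dates and the staleness window below are constructed
assumptions used to illustrate the three-step review and the two
misconceptions discussed in the summary.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Security is the only trust service criterion that every SOC 2 report must cover.
REQUIRED_CRITERIA: Set[str] = {"Security"}
# Assumption: a report whose period ended more than a year ago is treated as stale.
MAX_REPORT_AGE_DAYS = 365


@dataclass
class SocReport:
    report_type: str                  # "SOC 2 Type 1" or "SOC 2 Type 2"
    period_end: date                  # end of the examination period (as-of date for Type 1)
    criteria: Set[str]                # trust service criteria covered by the report
    exceptions: List[str] = field(default_factory=list)   # test exceptions noted in Section 4
    cuecs: Dict[str, bool] = field(default_factory=dict)  # user entity control -> implemented by us


@dataclass
class Vendor:
    name: str
    data_sensitivity: str             # "low" or "high" (constructed classification)
    report: Optional[SocReport] = None


def report_age_days(report: SocReport, today: date) -> int:
    """Days elapsed since the end of the report's examination period."""
    return (today - report.period_end).days


def review_vendor(vendor: Vendor, today: date) -> List[str]:
    """Step 3 of the review: list the follow-up items for one vendor."""
    findings: List[str] = []
    report = vendor.report
    if report is None:
        # Step 2 failed: "all we need is that the vendor has a report" is not even met.
        return ["no SOC report obtained"]

    age = report_age_days(report, today)
    if age > MAX_REPORT_AGE_DAYS:
        # "Nothing has changed" is not a substitute for a current report.
        findings.append(f"report is {age} days old; request a current report")
    if report.report_type == "SOC 2 Type 1":
        findings.append("Type 1 only: design tested, operating effectiveness not tested")
    missing = REQUIRED_CRITERIA - report.criteria
    if missing:
        findings.append("required criteria not covered: " + ", ".join(sorted(missing)))
    if vendor.data_sensitivity == "high" and "Confidentiality" not in report.criteria:
        findings.append("sensitive data shared but Confidentiality criterion not covered")
    for exc in report.exceptions:
        findings.append(f"Section 4 exception to follow up: {exc}")
    for control, implemented in report.cuecs.items():
        if not implemented:
            findings.append(f"user entity control not implemented on our side: {control}")
    return findings


def review_all(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Steps 1-3 across the whole vendor list: name -> follow-up findings."""
    return {v.name: review_vendor(v, today) for v in vendors}


# Constructed sample data (not real vendors or reports).
REVIEW_DATE = date(2022, 10, 1)
SAMPLE_VENDORS = [
    Vendor("PayrollCo", "high", SocReport(
        "SOC 2 Type 2", date(2022, 6, 30),
        {"Security", "Availability", "Confidentiality"},
        cuecs={"Restrict admin access to the payroll portal": True})),
    Vendor("StorageCo", "high", SocReport(
        "SOC 2 Type 1", date(2021, 3, 31),
        {"Security"},
        cuecs={"Enable MFA for all users": False})),
    Vendor("NoReportCo", "low"),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_VENDORS, REVIEW_DATE).items():
        print(name, "->", findings or ["no follow-up needed"])
```

Running the block prints one line per vendor; a vendor with an empty findings list needs no follow-up, while every other entry is an item to raise with that vendor (or, for an unimplemented user entity control, with your own team).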
Achieving SOC 2 status
Start with a readiness assessment: a consulting engagement to identify service commitments, system requirements and boundaries, and which criteria are most relevant for your organization; conduct interviews; review policies to identify controls in place and issue a formal letter for any gaps identified including recommendations on how to mitigate or reduce those weaknesses.
Do a Type 1 report
Move on to a Type 2 report, which involves returning after a specified period, testing the operating effectiveness of the controls in place, and reporting on any exceptions