Watch: Third-Party Risk Management: SOC Reporting

Highlights of the September 28 HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director; and Joel Van Horn, DPA/CITP, CISA, Senior Manager

Assessing your third-party service providers

  • Organizations are working with more third-party vendors than ever before
  • Vendors should be assessed for security
  • Ways to assess:
    • Vendor questionnaires: might not get the answers you’re looking for; some vendors will not cooperate
    • Audit: can be too time consuming and costly (e.g., travel)
    • ISO 27001 certification: covers IT controls
    • SOC reporting is one of the best ways to assess potential business partners:
      • Administered according to the AICPA’s stringent reporting requirements
      • Very detailed report
      • A good foundation for knowing that the company you’re working with at least has controls in place
    • SOC 2: third-party risk assessment

Key terms include:

  • Service organization – company that handles transactions on behalf of its customers, like a payroll company
  • User entity – company that outsources its information or business processes to a service organization
  • Service auditor – CPA hired by a service organization to conduct an SOC audit
  • User auditor – CPA who audits a user entity
  • Subservice organizations – vendors of substantial significance to the organization
  • SOC (System and Organization Control) reports
    • Report on the effectiveness of the controls
    • Can cover a wide range of items, including financial reporting and the security of a particular system or systems
Why CPAs do SOC reporting

  • Security is a CPA area of specialization
  • CPAs do a great deal of reporting, including SOC reports
  • They provide an independent assessment
  • SOC reports can be provided to customers or auditors to minimize the burden on the service organization of communicating each of its controls independently

Benefits of an SOC examination

  • Reduce compliance costs and time spent on audits and filling out vendor questionnaires
  • Meet contractual obligations and marketplace concerns through flexible, customized reporting
  • Proactively address risks across your organization
  • Increase trust and transparency for internal and external stakeholders
  • Enhance reputation, credibility, and marketability: set your organization apart from competitors that don’t have an SOC report
  • Lets others know you take security seriously
Types of SOC examinations

  • SOC 1: internal controls over financial reporting, such as payroll
  • SOC 2: trust service criteria – focused on security and areas other than financial reporting; includes five trust service principles
  • SOC 3: trust service criteria general use report; a slimmed-down version of the SOC 2 report to post on a website
  • SOC for cybersecurity: cyber risk management report
  • SOC for supply chain: a system for producing, manufacturing, or distributing

Types of reports

  • Type 1 – covers the design and implementation of controls designed to address service commitments
  • Type 2 – once controls have been in place for some time; covers design and implementation, but also the operating effectiveness of controls over a specified period of time
SOC 2 trust service criteria:

  • Security – required; the system is protected against unauthorized access
  • Availability – the system is available for operation and use as committed or agreed to
  • Processing integrity – what the system is processing is complete, accurate, and authorized
  • Confidentiality – applies if the data is sensitive
  • Privacy – making sure personal information gathered is handled in compliance with the commitments in the entity’s privacy notice

Criteria common to SOC 2 reports (the common criteria help strengthen overall security posture and represent best practices for an organization’s controls):

  • CC1: organization and management controls – focused on top-level guidelines for employees and the procedures in place; demonstrate a commitment to integrity and ethical values
  • CC2: communication and information – relevant information is obtained, contained, and communicated to internal and external personnel
  • CC3: risk assessment – have a formal program in place to identify, assess, and mitigate risks; see how implemented changes impact the system controls; auditors can periodically assess risk for organizations that don’t have a formal program in place
  • CC4: monitoring – ensure you’re collecting and monitoring data, reporting to the relevant individuals, and seeing that corrections get done
  • CC5: control activities – ensure the entity selects and develops control activities that mitigate the risks identified in the risk assessment process
  • CC6: logical and physical access – a wide-ranging control; access controls related to specific areas of the company; dependent on the information included in the system for which controls are in place; the more sensitive the data, the more sophisticated the control required
  • CC7: system monitoring – for vulnerabilities and security events, including review of a formal incident response program
  • CC8: change management – ensure a formal process is in place for testing and change implementation, and that the system continues to function properly after software updates and security patches are applied
  • CC9: risk mitigation – identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions; manages risk associated with vendors and other business partners
Components of an SOC 2 report

  • Section 1: Independent service auditor’s report – provides the auditor’s opinion on the system description, design, and operating effectiveness required to meet the control objectives
  • Section 2: Management’s assertion – communicates the facts and assertions management has made to the auditor about the systems under audit
  • Section 3: Management’s description of the system – details the system being reported on; used to determine the boundary, infrastructure, controls, user entity controls, and other system information
  • Section 4: Identified controls and tests of controls – shows the criteria, the management controls in place to address each criterion, the tests performed by the service auditor, and the test results; can list exceptions and give management the opportunity to address them (which could be in a Section 5)
  • User entity controls – controls that the vendor has included with the system; the user entity needs to implement these controls to achieve the vendor’s objective
  • Service organization controls – controls that management of the service organization assumes, in the design of the systems, will be implemented as necessary to achieve the control objectives

Three steps for using reports to assess third-party risk:

  • List the third-party service providers
  • Obtain a SOC report for each
  • Review those reports to see how the vendors handle security processes, identify any gaps, and follow up with vendors on the gaps
Misconceptions

  • “All we need to know is that the vendor has an SOC report”
  • “The vendor provided an old report and said nothing has changed”

Achieving SOC 2 status

  • Start with a readiness assessment: a consulting engagement to identify service commitments, system requirements and boundaries, and which criteria are most relevant for your organization; conduct interviews; review policies to identify the controls in place; and issue a formal letter for any gaps identified, including recommendations on how to mitigate or reduce those weaknesses
  • Do a Type I report
  • Move on to a Type II report, which involves returning after a specific period, testing the operating effectiveness of the controls in place, and reporting on any exceptions
About the Author(s)

Bill Heaven is a senior director in HBK’s IT Department. He specializes in cybersecurity, IT security, external IT audit, internal IT audit, IT consulting, software development, IT governance, PCI-DSS, supply chain, system implementations, and e-commerce. You can reach Bill at 330.758.8613, or by email at wheaven@hbkcpa.com.