It’s no secret that key business functions routinely share critical information assets with third-party service or solution providers. Of course, along with third-party vendors comes added risk, particularly when it comes to those that have access to an organization’s data. Whether working with cloud providers, consultants, business process outsourcers, third-party transaction processors or others, as data moves out of the organization’s protected infrastructure, a certain degree of control is relinquished.
When entrusting third-party service providers, organizations must take appropriate measures not only to protect their information assets, but also to ensure compliance with a changing landscape of security and privacy regulations, many of which differ by industry, state and country.
Handling third-party risk can be approached in a number of ways. For many organizations, the best approach is to incorporate third-party risk as part of a full enterprise risk management program. However, it is not necessary to wait until a full enterprise risk management program is established. Organizations can create a “universe”, or listing, of their third-party service providers relatively easily by starting with the contracts that are in place. Following are some special considerations.
The onus is on user organizations to select vendors with an appropriate approach to risk management. In order to do so, user organizations need to carefully vet vendors prior to selection and then actively monitor their security, privacy and other control environment aspects throughout the life of the contract. Monitoring third-party data security and privacy risk requires a strong and effective process for ongoing vendor management that starts long before the contract is signed.
When negotiating a contract with a third-party provider, it is critical for organizations to request third-party attestation and the right to audit. The best and most common way to do this is by obtaining a Service Organization Control℠ (SOC) report, which helps vendors demonstrate the strength of their internal controls to current and would-be customers. However, it is up to the user organization to carefully read and thoroughly understand the content of the SOC report of that provider. This includes evaluating and determining how weaknesses in their own user control environment may affect the overall control environment.
There are three different types of SOC reports:
SOC 1℠ reports provide a vehicle for reporting on a service organization’s system of internal controls that are relevant to a user organization’s internal controls over financial reporting. SOC 1 reports are intended to be auditor-to-auditor communications, with specific content dependent on the service auditor and the service organization’s system.
SOC 2℠ reports offer service auditors and service organizations a reporting option they can use when the subject matter is not relevant to controls over financial reporting. The SOC 2 report addresses controls at a service organization that are pertinent to the joint AICPA/Canadian Institute of Chartered Accountants Trust Services Principles and Criteria.
The report includes many of the same elements as a SOC 1 report — specifically, the independent service auditor’s report, management’s assertion letter, a description of the system, and a section containing the service auditor’s tests of the operating effectiveness of controls and the related test results.
SOC 3℠ reports allow service organizations to provide user organizations and other stakeholders with a report on controls that are also relevant to the Trust Services Principles. Unlike SOC 1 and SOC 2 reports, which provide a detailed description of tests of controls and related test results, SOC 3 simply reports on whether the service organization achieved one or more of the Trust Services Principles and criteria. SOC 3 reports are shorter, publicly available documents and can be freely distributed or posted on service organizations’ websites.
Obtaining a SOC report can make a critical difference for an organization when taking on a third-party provider. However, in order for the report to be useful, it is important to know what to look for and to ensure that it addresses the right controls: those relevant to financial reporting (SOC 1) or to compliance and operations (SOC 2).
In many cases, the cost for third-party services may appear disproportionate to the risk of the service that is being outsourced. For example, a company may pay $100,000 per year for certain data center storage services. For a large company, this would not be considered a large expense. However, the information being stored, housed or processed at that third-party data center may be very sensitive in nature. If the data were lost or breached in any way, it could result in millions of dollars in expenses, fines, civil penalties and brand erosion.
Intellectual property may be similarly at risk, with the potential to cost the organization dearly in terms of lost investment. For this reason, it is important for organizations to recognize that even when the spend for a service contract is small, the risk can be huge, and the organization must weigh its vendor decisions accordingly. This also underscores the effort required to ensure that a user organization understands its “universe” of third-party service providers and what is potentially at risk, beyond the dollars of accounts payable spend for such services.
When it comes to choosing third-party providers, there are often a lot of moving parts. Even when the spend seems relatively small, user companies must be vigilant and engaged in all aspects of the decision-making process, including contracting, vendor management, risk management and risk control monitoring. The right SOC report is one step in providing critical information that will help to credit or discredit a potential provider and ultimately select the one that is the best organizational fit. Once a third-party provider is vetted and selected, organizations must also be prepared to continue to spend time carefully monitoring their security and privacy control environments, which may include additional internal audit procedures beyond the SOC reports.
Service Organization Control, SOC 1, SOC 2 and SOC 3 are proprietary service marks of the AICPA.
About the Author
Warren Stippich is the National Governance, Risk and Compliance Solution Leader and the Market Leader of the Chicago Business Advisory Services Group at Grant Thornton LLP. He has more than 20 years’ experience working with multi-national, entrepreneurial, and high-growth public companies, including boards of directors and audit committees.
Warren brings experience to the business risk consulting and internal audit services areas from both the public accounting firm and industry perspectives. He leads many Sarbanes-Oxley consulting, internal audit services and SAS 70 projects for a wide array of publicly traded and private businesses with international operations. He has worked extensively with international internal audit, Sarbanes-Oxley and business consulting assignments in Europe, Russia, China, Southeast Asia, Central and South America and Canada.
The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.
He has lectured on governance, risk and compliance.
Warren began his career with Arthur Andersen in the external audit practice and later in the internal audit services practice. Later, he joined DEKALB Genetics Corporation, a $500 million multi-national public company, as the Vice President of Internal Audit and Worldwide Consulting. Subsequent to DEKALB, Warren was a Managing Director at American Express Tax and Business Services and a Partner in the related attest entity of Altschuler, Melvoin & Glasser LLP and worked in the attest and business consulting areas.
Bachelor of Science in Accountancy, University of Illinois at Urbana-Champaign.
Warren writes a regular column, Internal Audit Revolution, for CCI.