Companies must perform some type of vendor assurance review or audit to make sure the vendor is not placing them at risk when they outsource their services to third party service providers. Organizations which outsource parts of their business operations whether it is for account management, mortgage application processing, software development, or system management, expect and rely on the vendor to manage risks associated with the outsourced activities. Such risks may be related to the privacy of sensitive customer data (i.e. account numbers, social security numbers), security, unauthorized access by internally or externally, system functionality, availability of data for recovery purposes, and business continuity and disaster recovery plans. Unfortunately, no single manual exists when it comes to ensuring vendors have all the right controls in place, or that they meet regulators’ expectations, however, companies can decide the risks they are willing to transfer or accept and design vendor assurance audits to make sure their risk tolerance is not violated when they outsource certain tasks and transfer risks.
Organizations which outsource all or parts of their business operations to third party service providers are ultimately responsible for ensuring that the procured services do not have an adverse affect on their business because any impact arising from unmanaged risks by third parties can have a variety of negative consequences including lost revenues, lawsuits, negative publicity and penalties for non-compliance.
In order to ensure vendor risks are properly managed, organizations must perform some type of due diligence such as request information regarding vendor’s practices by asking vendors to complete and submit a Request for Information questionnaire (RFI), perform audits of their vendors themselves, and/or request independent audit reports such as the SSAE 16 and FISMA or ISO compliance audits.
RFIs are inherently less reliable since the vendors attest to their own internal controls without the verification of an independent party. Audits conducted by the outsourcer or an independent third party are more reliable but can be expensive. In order to be strategic in their vendor assurance efforts, companies should assess the potential risks, identify vendors to be audited, determine the type of audits they will require, define the scope of their audits, and establish the frequency of the audits.
Some vendors may have previously participated in an independent audit and be able to furnish a recent audit report. Companies may be familiar with the term "SAS 70" which was replaced in 2011 with "Standards for Attestation Engagements No. 16", or SSAE 16 for independent audits of service providers. SSAE 16 audits exist in two forms: Type I audits provide limited assurance and is based on a single point in time, whereas Type II audits cover a period of time and provide the highest level of assurance that proper controls, procedures, and process are in place as management intends. Due to the increased regulatory oversight and laws such as the Sarbanes-Oxley act; many customers are now requiring their vendors to undergo a SSAE 16 audit report.
While SAS 70 was originally intended for financial and accounting auditing, the SSAE 16 audit was established to verify operational and security excellence.
There are three types of reports under the framework for examining controls at a service organization also called Service Organization Control (SOC) reports. While the SOC 1 report is mainly concerned with examining client defined controls over financial reporting, the SOC 2 and SOC 3 reports focus more on the benchmark controls related to security, processing integrity, confidentiality, or privacy of the client systems and information.
Within the SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles or TSP that are composed of the following five (5) sections:
SOC 3 is for public use, and provides the highest level of certification and assurance of operational excellence. A SOC 2 report includes auditor testing and results, while SOC 3 provides a system description and the auditor’s opinion.
With an understanding of the risks that companies face and must address, organizations can take the necessary steps to minimize vendor risks and ensure quality services, security and compliance.