When an outsourced partnership is established, the agreement binds the relationship. It defines each party's role and sets the structure, requirements, and boundaries of the arrangement. How well each role is executed will ultimately determine the success or failure of the joint venture. Success demands a 360-degree viewpoint, collaboration from all directions, self-examination, and accountability for meeting the agreed-upon expectations. A continuous third-party risk management (TPRM) life cycle requires active participation, and Complementary User Entity Controls (CUECs) provide a clear example of how insufficient contributions by one party can result in failure.
Financial institutions routinely request and inspect the SSAE SOC 1/SOC 2 reports provided by outsourced service providers. When applicable, vendor-stated CUECs are included in an SSAE SOC report to draw attention to, and describe, the roles, responsibilities, and obligations of the user entity. The service provider expects the user entity to implement the stated CUECs in order to meet the control objectives of the vendor's system; without them, the vendor's own controls may not achieve their stated purpose.
Client control considerations are vital to outsourced partnerships. TPRM regulatory guidance directs management to implement processes that are appropriate for the level of risk and complexity of each third-party relationship, as well as for the organizational structure. A financial institution (the user entity) must effectively examine and assess its own internal controls to confirm that each relevant CUEC has been appropriately developed, implemented, documented, reviewed, and tested.
The following steps are important to the ongoing process of monitoring, modifying, and maintaining all necessary internal controls and expected safeguards:
- Review each vendor-stated CUEC in depth
- Determine the relevance of each CUEC based on the product or service the vendor provides
- Identify interdependent controls associated with multiple products provided by a single vendor
- Coordinate internal efforts and assessments to eliminate inefficient and/or redundant controls
- Avoid accidental breakage of established controls that are required by different lines of business
- Align internal practices with approved policy to remove unnecessary audit/regulatory findings
- Establish acceptable levels of risk exposure based on compensating controls and risk appetite
- Document the implementation, compensating factors, or non-applicability of each CUEC in order to demonstrate that controls are in place, operating effectively, consistently practiced, and tested
- Engage internal audit to conduct an independent, objective review and evaluation of each CUEC
- Formalize modifications through a change management process so that every change to a CUEC implementation is monitored and authorized
- Test the CUEC effectiveness periodically to improve safeguards, strengthen weak controls, and validate that the control objectives continue to be achieved
- Build accountability into the CUEC process to solidify internal adherence to secure practices, policy guidance, and acceptable risk mitigation (consider the organizational structure and lines of defense)
CUECs are an essential component of the SSAE SOC report and should not be glossed over or diminished because of the extra work involved. Even minor vendor relationships can present surprising risk if applicable CUECs are not fully considered and adequately applied. If vendor-provided CUECs are not executed (or compensating controls are not in place, even for minor vendors), the risk increases because protections that are the financial institution's responsibility are missing.
When CUEC expectations are clearly defined and implemented by a financial institution, the process is easily demonstrated during internal audits and external regulatory examinations. If vendor-stated CUECs are NOT adequately considered, unnecessary risk is invited into the outsourced relationship, the wheels of TPRM get clogged, and security can be compromised. The result can be costly and painful to resolve. With the necessary time and attention applied, however, this self-inflicted risk is avoidable.
Fortrex can help your organization build a strong defense and a smooth TPRM operation. Contact us for more information regarding our Complementary User Entity Control and enhanced TPRM services.