Third Party Risk ManagementTPRM Tuesday

TPRM Tuesday #7: Unwrapping the review of SOC report for Third Party Risk Management Program

It’s Tuesday and it’s time for our TPRM Tuesday posting. Today we will be unwrapping the review of the SOC reports from a Third-Party Risk Management Program (TPRM) standpoint.

πŸ€” What does a SOC report Do?

Reviewing a SOC report can help you accomplish the following tasks:

βœ” Verify the vendor has sufficient controls in place to protect their system

βœ” Confirm the controls in place are operating effectively and if there are any control exceptions (Type II)

βœ” Provide a detailed overview of the product or service being provided to the customer

βœ” Assist greatly with the due diligence and residual risk determination, vendor selection and contract management, and ongoing monitoring stages of the vendor lifecycle and help guarantee compliance with regulatory expectations.

πŸ€” When should one obtain and review a SOC Reports?

πŸ“„ Reviewing a vendor SOC report should be performed during the residual risk determination, vendor selection, contract management, and ongoing monitoring stages. It’s important to validate the vendor’s internal control environment prior to entering a contract and verify it’s sufficient and aligns with customer expectations and risk appetite.

πŸ€” What Are Complementary User Entity Controls (CUECs)?

🏭 CUECs are found within SOC reports, and are the controls the vendor relies on customers to implement to achieve the vendor’s control objectives.

πŸ€” Why Is Reviewing the CUEC Section Critical?

There are three important reasons to review the CUEC section:

1️⃣ It’s essentially a control guide provided by the vendor to help protect the customer organization. The vendor is letting the customer know what they must do in order for their controls to be supported and effective.

2️⃣ If controls are missed or not reviewed, this could have a negative impact on the customer organization as the controls in place have not been evaluated and confirmed.

3️⃣ If not properly reviewed and implemented, then there is a chance for increased risk to the customer organization.

πŸ‘‰ Sometimes a SOC report will have very few CUECs listed – think 5 or less – but in other instances, there can be as many as 30 controls. It varies by the report. If CUECs aren’t disclosed, the Vendor is stating that their controls are self-sustaining.

πŸ€” Why Is Reviewing the CSOCs Section Critical?

Just like customers need a vendor to provide critical services, most of those vendors also need a vendor to provide critical services. In SOC reports, those third and fourth parties are called sub-service organizations and are discussed under complementary sub-service organization Control (CSOC).

🎯 The How – 6 Key Areas to Review in a SOC Report:

πŸ‘‰ The Reporting Period – Make sure the report is the most current one available. If a SOC review wasn’t done within the last 12 months based on the period of SOC report vendor-provided, request additional information from the vendor.

The vendor may be able to provide a gap letter, also known as a bridge letter, which is a letter issued by the vendor that covers the gap between the last SOC report period ending date and the date of the letter. It can be used by the customer as an interim assurance by management while waiting for the next audit, but it is not a substitute for an updated report.

πŸ‘‰ Organization and Administration – This section gives customer more information about the vendor which will usually answer the following questions:

βœ… How are they set up?

βœ… Who is responsible for what?

βœ… What kind of management structure do they have in place?

βœ… What are their governance processes?

πŸ‘‰ Products and Services – Make sure that the report you are reviewing covers the products and services the you utilizes from the vendor. Many vendors have several reports for different products and services, and they could all be different. You may need more than one report for the same product. Take a close look at the sub-service organization section to better verify this.

πŸ‘‰ The Information System – Understanding what type of information the vendor processes and how they protect it is critical. The vendor should provide information regarding how they secure servers, networks, computers, and information systems.

πŸ‘‰ Data Canter Information – It’s important to understand the access controls, environment, and the monitoring of this infrastructure, as they are crucial to protecting information. Make sure you understand how the vendor manages their data center and ensures their infrastructure is resilient and available at all times.

πŸ‘‰ Control Objectives and Activities – This is where the audit firm will determine if the controls are in place (type I) and test them for operating efficiency (type II). It’s important to identify any audit findings and assess how well management responded to them. These are important tools to determine whether the vendor can effectively provide the contracted product or service.

We are glad to bring you these postings. Please let us know if you have questions and how we can help you continue to have an effective and efficient third party risk management program.