Just Read It! - Managing Service Provider Risk through SOC Reports

Outsource - verb - obtain (goods or a service) from an outside or foreign supplier, especially in place of an internal source.

For years the word outsource struck fear in the hearts of the American workforce. Worried their jobs were heading overseas, people at all levels dug deep to prove their worth in hopes of not being the next victim. The world has changed and so has how a company thinks about outsourcing. Many organizations have taken a hard look internally and recognized that they don’t have to do everything themselves. Forward-thinking organizations are maximizing their internal resources by focusing on the company’s most important initiatives and activities while handing off those that a third party can do better. Software as a Service (SaaS), Infrastructure as a Service (IaaS), and specialists who focus on one particular service or product are en vogue. The sheer volume of service providers and their capabilities has radically changed. Twenty years ago, few would have expected an online retailer like Amazon to be a service provider. We have entered a new world of outsourcing – one defined by changing ambitions, new priorities, and a different set of challenges.

Third Parties

Reliance on third parties is increasing in every industry, as organizations can gain greater efficiency, effectiveness and cost savings by shifting non-core functions to more experienced providers. As outsourcing grows in popularity and provider options rapidly increase, regulatory oversight is also expanding to monitor the sensitive data and processes that third parties are managing. What must be remembered is that while processes can be outsourced, their inherent risks cannot. Consequently, companies must pay closer attention to how they manage third parties, as they handle sensitive information more often and as regulatory enforcement increases to protect that data.

Internal Controls

When defining your system of internal control, you must consider the additional risks and controls that are handled by the service provider. Your end-to-end business process will include activities and controls that you as the company execute, and controls that your service provider executes. It is critical to work in concert to minimize the overall risk to your organization. It is also imperative that you gain a level of assurance that the controls at the service provider are designed in a way that addresses the risk and are placed in operation throughout the fiscal year.


The most typical way to gain this assurance is through an SSAE 18 SOC 1 or SOC 2 report. SSAE 18 is the Statement on Standards for Attestation Engagements revision 18 in which the American Institute of Certified Public Accountants (AICPA) attempts to address concerns over the clarity, length, and complexity of its standards. The good news is the updated standard drives further commonality amongst reports and raises the bar to meet the ever-increasing standards set by regulators. Your expectation should be that your service provider will conduct such an assessment on an annual basis and provide you access to the final report.

There are two types of reports that are most commonly useful in this exercise:

SOC 1: a report on controls at a service organization that may be relevant to user entities’ internal control over financial reporting.

SOC 2: a report based on the existing SysTrust and WebTrust principles. The purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality or privacy.

You must decide what type of report is best for you. If financial controls are most important, then it’s a SOC 1. If technical controls, then it’s a SOC 2.

You do not manage third party risk with a “check the box” approach. It is not enough to receive a report and file it away. You would not assess your own control environment in such a way. This is the most important lesson that many organizations need to learn. If you are relying on a SOC report as part of your Sarbanes-Oxley efforts, the evaluation of the report needs to be thoroughly documented to demonstrate the effectiveness of the review to your auditors.

Report in Hand: Now What?

Step 1:  Read the report!

  • Sounds simple enough, but too often this does not happen
  • Does the report have a clean opinion?
  • Does it cover the specific services and locations you are concerned about?
  • Did a reputable audit firm issue the report?
  • Does the report include testing the operating effectiveness of controls for a specific period of time (Type 2 report) or does the report only cover a specific point in time (Type 1)?

Step 2:  Map the controls and key reports to your control environment

  • Does the report provide coverage of what you view to be the key controls and supporting reports in the process?
  • Are there exceptions and how do they impact the overall control objective?
  • Do you come to the same conclusions?
  • Does the scope include a subservice organization? If so, do you need additional comfort over their control environment? Often the answer is yes.

Step 3:  Review the complementary user entity controls

  • For SOC 1 and SOC 2 reports, there are controls that you are responsible for performing to ensure the overall control objective or criteria within the report are achieved
  • Include the identification and testing of such controls in your overall evaluation

While third parties can increase productivity and provide financial benefits, you retain responsibility for their inherent risks. Implementing a robust process to manage third party risk, including an effective review of service provider issued attestation reports, is mission critical. This is your control environment, so own it.

Matt Hoverman, CISA contributed this blog. Matt is a Director with Gilmore Jasion Mahler, LTD and leads the Firm’s IT consulting practice. He has spent his career helping businesses assess their IT risk level and creating a plan to maximize their technology investments.


Established in 1996, Gilmore Jasion Mahler, LTD (GJM) is the largest public accounting firm in Northwest Ohio, with offices in Maumee and Findlay. Locally owned, GJM offers comprehensive services including assurance, business advisory, tax, risk advisory and healthcare management. The Firm’s professionals specialize in industries including construction & real estate, healthcare, manufacturing & distribution and utilities.
