The importance of vendor management continues to grow, especially given the rise in outsourcing tasks or entire functions of an organization to a service provider. Many companies function more effectively and profitably by outsourcing tasks like data backups, cloud computing, network monitoring, telecommunications platforms, application development, managed security, bill processing, receivables collections, payroll services, and many more new services every day.
However, practicing this breadth of outsourcing exposes your organization to risk and underscores the need for effective vendor due diligence. Experience has shown that simple questionnaires and contractual clauses are not sufficient for critical vendors – businesses need to obtain an independent Service Organization Controls (SOC) report.
The American Institute of Certified Public Accountants states the following in its SOC Quick Reference Guide:
“Management of a user entity is responsible for assessing and addressing risks faced by the user entity related to financial reporting, compliance with laws and regulations, and the efficiency and effectiveness of operations. When a user entity engages a service organization to perform key processes or functions, the entity exposes itself to additional risks related to the service organization’s system. Although management of a user entity can delegate tasks or functions to a service organization, the responsibility for the service provided to customers of the user entity cannot be delegated. Management of the user entity is usually held responsible by those charged with governance (for example, the board of directors); customers; shareholders; regulators; and other affected parties for establishing effective internal control over outsourced functions.”
The SOC report that is provided to the service organization by an independent auditor is intended to provide the service organization’s customers and their auditors assurance on the internal controls over financial reporting over the outsourced services.
Understand SOC Reports
There are three different standards for SOC reports that a vendor may offer:
- SOC 1 also known as a SSAE No. 16, is designed for financial transaction processing. It is primarily used to validate controls over the completeness and accuracy of monetary transactions and financial statement reporting. Service organizations specify their own control objectives and control activities.
- SOC 2 is designed to certify the security, processing integrity, availability, confidentiality, and/or privacy of hosted systems and the data they store or process. Service organizations are held to a standardized set of controls criteria for each of the principles covered in their report. These reports can play an important role in:
o Oversight of the organization
o Vendor management programs
o Internal corporate governance and risk management processes
o Regulatory oversight
- SOC 3 report covers the same testing procedures as a SOC 2 report, but it omits the detailed test results and is intended for general public distribution.
Additionally, each of the SOC reports can be produced as either a Type I (point-in-time) or Type II (period of time) report. Type II reports are more valuable, since they validate the operating effectiveness of controls throughout the year.
Pressure Your Vendors
Some vendors don’t offer a SOC report at all. This is a serious risk that you need to consider during any vendor due diligence analysis. Strictly speaking, there’s no requirement for any vendor to produce a SOC report. The requirement for a SOC report needs to come directly from vendors’ clients and prospects, so be sure to inform the vendor of your due diligence criteria. Many vendors that are new to the industry might not know about the existence of the SOC reports until their customers start to levy pressure on them.
Ask for the Right Report
The SOC 1 report is more beneficial for evaluating the effects of the controls over financial reporting. If you’re more concerned with system security or availability rather than financial transaction processing, request a SOC 2 or SOC 3 report. These reports hold service organizations to a more rigorous standard in terms of security controls and are guaranteed to include testing of all relevant controls criteria because vendors can’t define their own control objectives.
Some organizations produce both a SOC 1 and a SOC 2 report depending on the types of services they offer to specific clients, so make sure you request the report that is most appropriate for your institution’s risks.
It is the user organization’s responsibility to request, obtain and review the SOC reports of the its service organizations and validate that the reports address the appropriate services received. A user organization is placing itself in a position of undo risk if it is not proactively monitoring its vendors and requesting a SOC report from its service providers.
If you have questions about which report you should request from your vendors, please do not hesitate to contact Debbie Risher at 404-874-6244 or email us. If your vendor cannot provide a SOC report, please consider referring them to Smith & Howard by contacting us. We would be happy to provide additional information or advice on the use of these reports.