Third-Party Vendor Management Best Practices
The new SOC 1 standard, SSAE 18, was made effective May 1, 2017. This standard requires that service organizations implement and describe their vendor management practices for third-party service organizations.
To help organizations meet these updated requirements, our assessors have assembled a list of vendor management best practices to help organizations better manage third-party vendors.
What is Third-Party Management?
Third-party management is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship.
A third party is typically a company that provides an auxiliary product not supplied by the primary manufacturer to the end user (the two principals). Countless third-party add-on and plug-in products keep the technology industry advancing at a rapid pace.
A service organization is the entity that provides services to a user organization that are part of the user organization’s information system.
A user organization is the entity that has engaged a service organization and whose financial statements are being audited.
Outsourcing aspects of one’s business to a third party is, and will continue to be, a common practice. Monitoring the third-party provider from a controls perspective, and understanding how that third party may affect the controls of its clients, however, is and has always been the responsibility of the service organization.
With that in mind, let’s re-visit some vendor management best practices that have been around for a while.
Vendor Management Best Practices
- Develop a plan. Make sure that clear roles and responsibilities have been established within your organization regarding who will obtain documents from vendors, monitor vendor performance, etc.
- Perform due diligence. An example of this is determining if your vendors are audited or assessed by an outside party.
- Pull Reports. Identify reports that you should be receiving from vendors to monitor their performance on a periodic basis.
- Keep monitoring. Good vendor management requires ongoing monitoring procedures to make sure that the vendor continues to meet expectations.
- Review risk. Consider what types of data are accessible to your third parties, what types of transactions they perform, etc., to determine the risk associated with each vendor.
- Be resilient. Know what you would do if the vendor terminated its relationship with you, or if you found it necessary to terminate your relationship with the vendor.
Vendor Management Recommendations
- Communicate: Hold regular discussions with subservice organizations to ensure that you are aware of changes in the environment, and make regular visits when possible to gain a better understanding of operations.
- Monitor: Monitoring can include reviewing and reconciling output reports, testing controls at the subservice organization by members of the service organization’s internal audit function, or monitoring external communications, such as customer complaints, that are relevant to the services provided by the subservice organization.
- Review: Review existing audit and assessment reports, such as Type 1 or Type 2 SOC reports on the subservice organization’s system.
Evaluating SOC Reports Provided by Third Parties
If a subservice organization has provided you with a SOC 1 report, the controls tested are those that can affect the user organization’s internal control over financial reporting. A SOC 2 report evaluates an organization’s system relevant to security, availability, processing integrity, confidentiality and/or privacy.
Type 1 reports describe the controls an organization has put in place as of a point in time. In addition to everything in a Type 1 report, Type 2 reports cover a review period (typically six months to a year) and provide evidence that the controls operated effectively throughout that period.
Type 1 assessments are a good starting point for vendors working toward a successful Type 2 assessment. Ultimately, a Type 2 report shows how those internal controls actually operate within an organization. For that reason, a user organization can rely more heavily on a Type 2 report than on a Type 1 report.
For more information regarding third-party vendor management best practices or to learn more about our SOC services, contact A-LIGN today at firstname.lastname@example.org or 1-888-702-5446.