When it comes to compliance audits, one should never follow the “one-size-fits-all” mentality. The type of audit you need often depends on your organization’s industry, specific client requests or type of data stored. “Which Compliance Audit is Right for Me?”
Managed service providers (MSPs) provide a valuable service by enabling companies of all sizes to outsource their key information technology processes. Many of those companies who look to engage an MSP ask whether a SOC 1 or SOC 2 Examination has been completed to assess the MSP’s security posture.
For any organization that stores, interprets and manages sensitive data, complying with cybersecurity requirements is of utmost importance. The most comprehensive way to test the strength and effectiveness of these systems is through a compliance assessment. Beginning this process, however, is no easy feat. “Top Tips for Effective Audit Preparation”
At A-LIGN, integrity is everything. Being accountable for your work is a value celebrated through our annual value awards at CLIMB, A-LIGN’s annual employee team-building event. This year, Emily is the winner of the “Do the Right Things, Always” award. “Featured CLIMBER:
Do you understand the SOC 1 examination process? Our assessors take you from scoping through report delivery to understand all of the steps needed to complete an examination.
Cybersecurity examinations are an important undertaking for your organization, its health and projected future. With no shortage of firms and examination types to choose from, preparing to undergo an audit or assessment can feel like a massive undertaking. Is the firm cutting corners reliable? Is the accessor able to deliver on their lofty promises? And how can you tell if they’re providing quality work?
Bridge letters are an important element of SOC 1 and SOC 2 examinations that you may not be aware of and can help provide your clients with additional confidence regarding the effectiveness of your organization’s controls environment at no additional cost or time.
Your client requested a SOC report, but what’s next? For organizations seeking a SOC 1, SOC 2, or ISAE 3402, there are two attestation options available: Type 1 and Type 2. Additionally, a readiness assessment can be performed to prepare your organization for the attestation.
The SOC 1 standard requires that service organizations implement and describe their vendor management practices for third-party service organizations.
In order to help organizations meet these updated requirements, our assessors have assembled a list of vendor management best practices to help organizations, better-manage third-party vendors.
What is Third-Party Management?
Third-party management is the process whereby companies monitor and manage interactions with all external parties with which it has a relationship.
A third-party is typically a company that provides an auxiliary product not supplied by the primary manufacturer to the end-user (the two principals). Countless third-party add-on and plug-in products keep the technology industry advancing at a rapid pace.
A service organization is an entity that provides services to a user organization that is part of the user organization’s information system.
A user organization is an entity that has engaged a service organization and whose financial statements are being audited.
Outsourcing aspects of one’s business to a third party is and will continue to be a common practice. The responsibility for monitoring the third-party provider from a controls perspective and how that third party may affect the controls of its clients, however, is and has always been the responsibility of the service organization.
With that in mind, let’s revisit some vendor management best practices that have been around for a while.
Vendor Management Best Practices
- Develop a plan. Make sure that clear roles and responsibilities have been established within your organization regarding who will obtain documents from vendors, monitor vendor performance, etc.
- Perform due diligence. An example of this is determining if your vendors are audited or assessed by an outside party.
- Pull Reports. Identify reports that you should be receiving from vendors to monitor their performance on a periodic basis.
- Keep monitoring. Good vendor management requires ongoing monitoring procedures to make sure that the vendor continues to meet expectations.
- Review risk. Consider what types of data is accessible by your third-parties, what types of transactions they perform, etc., to determine the risk associated with each vendor.
- Be resilient. Know what you would do if the vendor terminated their relationship with you or if you find it necessary to terminate your relationship with them.
Vendor Management Recommendations
- Communicate: Hold regular discussions with subservice organizations to ensure that you are aware of changes in the environment, and make regular visits when possible to gain a better understanding of operations.
- Monitor: Monitoring can include reviewing and reconciling output reports, testing controls at the subservice organization by members of the service organization’s internal audit function, or monitoring external communications like customer compliance that are relevant to the services provided by the subservice organization.
- Review: Review existing audit and assessment reports, such as Type 1 or Type 2 SOC reports on the subservice organization’s system.
Evaluating SOC Reports Provided by Third-Parties
If a sub-service organization has provided you with a SOC 1 report, the controls tested relate to the controls that can impact the user organization’s internal control over financial reporting. A SOC 2 report evaluates an organization’s system relevant to security, availability, processing integrity, confidentiality and/or privacy.
Type 1 reports simply provide a report of controls an organization has put in place as of a point in time. In addition to the aspects in a Type 1 report, Type 2 reports have a review period (typically six months to a year) and provide evidence that the controls operated effectively.
Type 1 assessments are a good starting point for vendors to get to the goal of successful Type 2 assessments. Ultimately, a Type 2 report will show how those internal controls are operating in an organization. That said, a user organization can rely more heavily on a Type 2 than a Type 1 report.
For more information regarding third-party vendor management best practices or to learn more about our SOC services, contact A-LIGN today or call 1-888-702-5446.