Tom is a trusted advisor on procurement and third-party management to organizations across the United States. Having worked with over 120 organizations over his 30-year career, he has a unique ability to bring creativity and discipline to finding solutions for even the most complex challenges his clients face.
If you’re a financial institution, you’re hopefully already aware that you’re required to collect SOC reports from your vendors. If you’re not a financial institution, you might want to consider collecting them anyway. Why? Because SOC reports, particularly SOC 2 reports, are the perfect vendor management tool. And the best part is that the work is already done for you, all you have to do is request them from your vendor.
The Service and Organization Controls, or SOC, independent audit and reports were introduced in 2011 by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Although there are three types and multiple subtypes of SOC reports, they all generally do the same thing – provide insight into how your vendors run their business, maintain internal controls, and mitigate risk.
SOC 2 is arguably the most useful out of the three. While SOC 1 and 3 just require one audit and report per fiscal year, SOC 2’s require an examination of an organization’s controls over a period of time. At a high level, it tests controls for the security, availability, processing integrity, confidentiality, and privacy of a system.
This information is the Holy Grail of risk assessment tools for the apt vendor manager, and is typically collected from technology service vendors, or any vendor with whom you share your organization’s or your customers’ data in any way, shape, or form. In an age where the phrase “data breach” sends a chill up every executive’s spine, this sort of exam and report is an absolute must-have.
Not only is this report extremely useful when examining the controls of a vendor, but it also gives you insight into your vendor’s vendors. That’s right, we’re talking 4th-party risk assessment potential. It truly is the perfect vendor management tool. But how can it be used in practice? Let’s run through the six stages of the vendor management framework to find out.
Stages 1 & 2: Sourcing & Procurement:
If you’re looking to find the right vendor that you can trust, then you’ll have to do your due diligence. Typically, this is done by reviewing the vendor’s security practices, its criticality to your business operations, and the risk level it presents you based upon its access to private data. Instead of conducting this search and sending out questionnaires yourself, try to request a SOC 2 report. While you may have to sign a nondisclosure agreement, this document will provide invaluable information on the vendor’s controls and will help take some of the load off your shoulders.
Stages 3 & 4: Contracting & Onboarding:
Stages 3 & 4 are where you and your vendor should be getting everything out in the open. While contracting and onboarding a vendor, you should be making very clear your expectations through the negotiation of Service Level Agreement (SLAs), limits of liability, and so on; as well as developing your regulatory compliance oversight plan. A SOC 2 report would go a long way in use as a baseline for mutual agreement regarding security controls throughout this process.
Stages 5 & 6: Purchase to Pay & Oversight / Optimization:
From billing information security to regulatory compliance and risk management, SOC 2 reports will help you ensure that your vendor is not only maintaining adequate controls in their auditor’s eyes, but that they are also living up to your own expectations and agreements as made clear during the contracting phase. The reports will give you insight into the effectiveness of their security controls and enable you to continually mitigate risk, ensure compliance, and drive higher performance out of your vendor.
In short, SOC reports are becoming a critical piece to the vendor management process. If you outsource any private information to a service vendor (and almost every organization does) then you should be requesting these reports to ensure your data is in safe hands.
For more information on SOC reports, we recommend visiting the AICPA’s website, or contacting us here.
