As your organization’s risk universe expands and third-party (3P) data breaches make headlines, your investors and clients want to know you’re doing everything you can to bolster cybersecurity. A System and Organization Controls (SOC) 2 report demonstrates your commitment to preventing attacks and protecting information by identifying and mitigating threats according to AICPA trust service criteria, and the process can be time-intensive and complicated.
To get the most out of your investment in a SOC 2 report and truly protect your data, you’ll need a risk assessment of all dealings with 3Ps and outside vendors to evaluate your organization’s IT control processes and protect your data.
Why Do You Need a 3P Risk Assessment for SOC 2?
A SOC 2 evaluation will require a thorough listing and ranking of potential risks, including details about mitigating them. As discussed in our previous article, if your organization isn’t careful to stay on top of documentation and evaluations for cybersecurity risks, you probably don’t have a comprehensive view of the threats that could impact your business.
Thorough risk assessments that detail involvement with and controls from 3Ps will uncover threats and risks that could potentially be overlooked during a more general risk assessment. These assessments can be done in various ways and require different levels of involvement from you. For starters, you will need to create a complete inventory of your vendors and service providers. A good source of this information may be your Accounts Payable group to identify any sources of IT payments to 3Ps over the past twelve months. Reliance on departmental shared drives alone often lends itself to missing some possible critical vendors.
Once you have your initial inventory, you should begin to risk rate each vendor based on the possible impacts to your business. Considerations as part of this evaluation may include:
- Does your outsourced provider or vendor manage or maintain any possible sensitive data? If so, ask yourself the following:
- Do they have a SOC 2 report they can share to show how they protect their data? If not, do you have a right to audit them as to their controls? Remember, security questionnaires are all well and good, but at the end of the day they’re a self-assessment and not a strong indicator of real risk.
- What is the 3P’s data destruction policy? Will they provide evidence of destruction at the termination of your contract?
- Does the company have a policy in place to notify you in the event that a breach of their systems occurs?
- What is the inherent risk of dealing with reputable 3Ps? Research to determine if there are any recent negative news articles on the vendor and their key management may be worth the minimal time required. Also, do you have insight as to the financial stability of the vendor? Investing in a relationship takes a lot of time and effort and you want to ensure your partners will be around for the journey with you.
- Does your firm have controls in place to monitor independent 3P relationships? Periodic reviews should be performed to ensure proper due diligence has been done when renewing (or issuing new) contracts. No one likes to consider fraud risk within their own walls but it’s a reality that cannot be ignored.
Once you have compiled a fair evaluation of risk ratings for each vendor, then management should determine appropriate review procedures. While it may seem companies should review all 3Ps annually, this is often not realistic. Thus, companies should develop a risk-based model of ranking their vendors into high, medium, and low-risk categories. High-risk vendors, for example, may mandate annual reviews. Medium risk vendors may be reviewed at a lesser frequency (e.g. every two years or 18 months). And lower-risk vendors, at a lesser frequency than that. Your program may also include a pool of medium/lower risk vendors (e.g 10% or 25%) that are randomly reviewed annually. The model can be tailored to suit the needs of your business.
Having a clear view of 3P risks facing your organization can also help you make sound decisions for the future regarding contracts and suppliers. While it may seem like a large undertaking to review your 3P relationships in addition to managing your own internal risks, companies should ask themselves, is it worth the risk to ignore them? Often, it is not.
Where Can I Learn More?
For more information on why 3P risk assessments are a crucial part of SOC 2 reports, please contact us.
Published on March 22, 2022
© Copyright CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ). MHM (Mayer Hoffman McCann P.C.) is an independent CPA firm that provides audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider. CBIZ and MHM are members of Kreston International Limited, a global network of independent accounting firms. This publication is protected by U.S. and international copyright laws and treaties. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.