Where companies notice their vendors and other third parties are getting weary of the questionnaires and other inquiries to satisfy risk concerns, assurance experts are beginning to craft new solutions.
At Compliance Week’s annual conference, Karl Shimmeck, executive director and global head of vulnerability management at Morgan Stanley, said companies are looking for better ways to get assurance that their information is secure in the hands of third parties. “This is the most costly area for oversight and we get the least amount of risk reduction when it’s all said and done because of diverse ways to do it,” he said.
Public companies are increasingly held accountable for wrongdoing at the third parties they engage to provide various types of outsourced services, giving them a heightened incentive to dig deeper into controls at service organizations to minimize their own risk of liability for any wayward acts.
The audit procedures and inquiries such service organizations might face in that environment can be daunting. Imagine the complexity of being audited by every individual customer. That inspired the American Institute of Certified Public Accountants to develop a standardized means by which service organizations can give their customers a single audit report that ought to meet their needs. The AICPA updated its audit standards for different types of audits at service organizations in 2011, establishing one specifically for internal controls over financial reporting (SOC 1 reports) and another focused on controls around security, processing integrity, confidentiality, and privacy (SOC 2 reports).
As it turns out, some companies find those reports don’t cover enough territory to satisfy their own individual needs for assurance, according to PwC. “There are varied degrees of effectiveness” in the standardized audit processes, said Jeff Trent, third-party assurance and vendor risk management leader for PwC, at the same conference. “Vendors want to deliver the best service at the greatest value, but they’re distracted by numerous questionnaires and site visits.”
That led the folks at PwC to develop a framework to add to the assurance provided by a SOC 2 report. PwC calls it a “SOC 2+” approach, building on the AICPA SOC 2 reporting principles by allowing a more independent, standardized assessment. The report format is similar to SOC 1 and SOC 2 reports, but adds principles that meet the assurance needs of a specific vendor’s customers. It is meant, PwC says, to provide the necessary level of assurance while restoring confidence in the vendor process.
“Through a working group, we undertook an effort of what could we do?” said Trent. “We wanted something that was more flexible than what’s in the marketplace. We started with the baseline of security, availability, confidentiality, and then we added components that people are concerned about from a risk management perspective.” The result so far is getting favorable feedback from regulators, he said.