
April 21, 2023

Assess Third Party Vendor Risks with These Simple Steps

Vendors, third parties, service providers: all of these names can be confusing and overwhelming. What’s the difference? Who is considered one? To simplify, these terms all describe business entities that provide services to your organization, and this article uses them interchangeably.

Third parties make your life easier by providing a robust environment, expertise, or tools for your business, sparing you much of the time, infrastructure, investment, and training you would otherwise need to build and run those capabilities yourself; think Oracle, Amazon Web Services, Azure, and the list goes on.

Key Practices to Assess Third Party Risk

Third party and vendor risk management is a hot topic in all business areas, as more and more companies look to third party service providers to support their business needs. However, companies need to be sure to assess all the risks in this space before signing contracts and making payments. 

Does the service provider have a service organization controls (SOC) report available for review?

There are several different types of SOC reports. Look for a SOC 1 or SOC 2 Type II report. Both will help you understand the key controls at the service organization and determine whether those controls operated effectively over the period covered.

SOC reports also include complementary user entity controls (CUECs), which specify the controls that the customer (you) must have in place for the service provider’s controls to achieve their stated objectives.

Develop and utilize a SOC checklist to ensure the appropriate information is addressed in the SOC report, including the areas listed below:
  • Period covered by the report
  • Audit firm and reputation
  • Opinion type: unqualified (clean) or qualified
  • Are any subservice providers scoped out?
  • Applicable control objectives
  • CUECs and the controls in place at your organization to address them
  • Exceptions noted throughout the report
  • Your conclusions on the impact of those exceptions on your organization

Implement a periodic (no less than annual) third party risk assessment process to obtain and review the service provider’s SOC report.

If a SOC report is unavailable, you should develop your own framework to assess the control environment at the service provider.

Management’s Response to Third Party Risk Assessment 

Based on the outcome of the risk assessments above, you and your organization can consider any gaps identified in your environment or the service provider’s environment and address them accordingly. For example:

  • The vendor’s SOC report is qualified – Consider following up with the service provider to understand their plan to address the report opinion; 
  • The SOC report lists CUECs and your company does not have a corresponding control in place to address this critical function identified by the service provider – Develop a control to address the gap and work with relevant business partners to design and implement the control; or  
  • The report does not cover the risks associated with the services the vendor provides for your organization – You may have to request a different type of SOC report to ensure that you are protected or develop a plan to ensure that the third party is not leaving your information vulnerable.

Key Takeaways

Implementing a recurring third party and vendor management process is a great way to ensure vendor risks are considered as part of your organization’s assessment of its overall control environment.

Third party vendor risks are ever present and protecting your organization is a top priority. For more information on this topic or to learn how Johnson Lambert can help, contact Kim Mobley, Partner, Business Advisory Services.

Jonathan Munneke, Senior Associate

Lauren Reischman, Manager

Kim Mobley, Partner
