Recently, as part of our Venminder Thought Leadership series, I had the opportunity to speak with Mike Morris at Porter Keadle Moore (PKM). In this series we speak with the industry’s sought-after thought leaders for their perspective and advice on third parties, mitigating risk, best practices, trends, and more.
Mike is a systems partner at PKM. Since joining PKM in 1999, he's overseen projects including Sarbanes-Oxley IT404 testing, FDIC Improvement Act testing, network vulnerability and penetration testing, stock reporting and IT general controls for data processing companies, financial institutions and insurance companies. You can listen to the full interview here.
During our time, we covered:
- Best practices for managing risk
- Addressing today's cybersecurity threats and risks
- Top areas of concern for a SOC audit report
- And more...
The Highlights
Right away Mike enlightened me with his thoughts on how organizations are doing as a whole regarding third-party risk management. If we’re using a grading system, he’d give the majority of organizations a C+ average based on his experience working with clients.
He has found that time management is a difficult issue for a lot of organizations, which, in turn, leaves a lot of room for improvement in their third-party risk departments. With that setting the stage, I thought it'd be a good idea to learn what Mike sees as some of the best practices that organizations can implement to manage risk effectively.
Best Practices for Managing Risk
Here are two best practices that Mike shared with me:
1. Analyze the business risks and the impact of each vendor to the organization
2. Follow the regulatory guidelines
I'd have to agree with his recommendations. Doing these two things will help to satisfy regulators. Regulators are looking to see that you're not just following the guidance, but also continuing to evolve and improve your program.
Cybersecurity – Today’s Threats and Risks
In Mike's opinion, organizations are struggling greatly in this area. He shared that cybersecurity is an area we need to focus on continuously improving, and remember, when an organization is hacked, the breach is oftentimes a security hack through one of its vendors. You rarely hear the vendor's name brought up in discussions or by the media. It's your organization that bears the reputational risk.
Understanding the gaps and controls in cyber resiliency and cybersecurity at the third-party vendor level is critical. He left us with these words to think about regarding cybersecurity – "trust or verify and understand what they, the vendor, are doing".
SOC Audit Reports – What You Need to Know
Mike has an extensive SOC audit background, so I thought it’d be great to get his perspective and better understand the top areas of a SOC audit report that organizations should pay close attention to. He shared the following areas of concern regarding SOC reports:
- Understanding any change management issues and their impact (e.g., around application changes and the way controls function)
- Understanding subservice organizations (your fourth parties):
  - Identifying the subservice organizations
  - Analyzing the risk posed to your organization by each subservice organization
  - Monitoring subservice organizations effectively
Luckily, with the introduction of SSAE 18 in May 2017, monitoring fourth parties has become easier.
Address Third-Party Risk
Mike concludes by sharing compassion and an understanding of how tough third-party risk management can be. However, he knows the regulatory requirements are not going away anytime soon. He says, "with regulation or not, third party risk and cybersecurity are areas that are going to continue to cause risk or pose risk to organizations, and we need to make sure we're addressing those."
On behalf of Venminder, I would like to thank Mike and Porter Keadle Moore for participating in this thought leadership interview. It was very insightful, and I think our audience has gained a great deal of useful perspective.
Want to learn how to properly review and analyze a SOC report? Download our eBook now where we will help you do just that.