Analyzing Vendor SOC Controls

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder.

In this video, we’re going to cover how to review the control section in SOC reports.

Let’s start with Complimentary User Entity Controls. To find this control section, look towards the bottom of SOC 1 and SOC 2 reports – it will normally be called “Complementary User Entity Controls” or just “User Entity Controls”. These are some of the most important controls in the report. In this section, the vendor is telling you that for their controls to be effective, you have a role in supporting those controls.

NOT doing so will have a negative impact and increase the risk to your institution. We’ve seen SOC reports with 0 as they’re not required, but we’ve also reviewed reports with over 75.

In an effort to reclarify their original intention, the AICPA notes in SSAE 18 that Complementary User Entity Controls should directly relate to the products or service the vendor is providing and be associated with the vendors control environment.

It was becoming common to find generalized best practice controls listed as Complementary User Entity Controls. Some vendors structure their controls to where they claim Complementary User Entity Controls are not required to and are self-sustaining.

In regards to Complimentary User Entity controls, expect your regulator to ask 2 things:

1. First, to see a list of vendors where complementary user entity controls are identified in a vendor(s) SOC report, especially for critical and/or high risk products. This is your chance to demonstrate you read the report and know where these controls exist.
2. Second, they’ll ask to see evidence of processes and/or procedures you have put in place to ensure you are executing internally on those controls. Be ready. We know this commonly happens during client exams.

Vendor Control Objectives and Activities

Let’s switch over to the vendor’s control environment which consists of Control Objectives, a general category of policies and practices in place meant to achieve a common goal, and Control Activities, those policies and practices.

An important area to look at within this section are at the tests the auditor actually performed to determine whether the control activities were operating effectively throughout the period covered by the report. Looking into how the controls were tested sometimes reveals how well the auditors know the product or service type.

As you review these controls, are there any exceptions noted on any of them?

Exceptions are noted deviations from the documented control environment as discovered by the audit entity or in other words, the vendor stated they have a control in place, the auditor tested it and discovered either a gap in the process or a case, or multiple, where the control failed.

A significant exception is one that could have or could still pose a risk to the vendor to the point of internal systems being compromised by malicious outsiders.

A common exception we see in our reviews concerns user management, specifically user terminations. We’re constantly reporting on exceptions showing months went by without administrative accounts being disabled or deleted.

If that user were terminated and was malicious, they’ve just given extended access to someone with potential for malicious intent that has intimate knowledge of how your system works.

It's typical that the vendor's management will respond to exceptions. You should pay attention to if these responses cover the mitigating controls that were in place at the time of the exception as well as whether there has been action taken to fix the failed process.

Management responses are either noted in the same area as the control activities, or, sometimes they are noted in section 5 of the report which you’ll find at the end.

You should review exceptions and determine if additional action is required. If the noted exceptions are severe enough, the vendor may need to have increased monitoring in your vendor management program. Other actions may include reviewing previous reports to determine if a negative or positive trend is occurring within the vendor’s environment.

Overall how well do they cover these items?

Were there critical or high risk exceptions? You should develop a rating system for consistent reviews for all your vendors. This rating system should inform your overall risk assessment on the vendor and carefully identify any remaining risk associated with doing business with the vendor.

The SOC report is only one element, although an important one, in your overall risk assessment process.

So there we go, now you know:

Where to find the controls section, what control objectives and activities are, and what to look out for in findings and exceptions.

Again, I’m Aaron Kirkpatrick and thank you for watching! If you haven't already, please subscribe to the Third Party Thursday series.