As business models become more and more interconnected, organizations rely on third-party vendors to provide critical services, amplifying the importance of Third-Party Risk Management (TPRM). A major component of TPRM is the use of System and Organization Controls (SOC) reports, which reveal insights into a third-party vendor’s internal controls and help organizations make informed decisions about which partners to trust with their sensitive data and operations.
In this interview, we explore the fundamentals of third-party risk management, examine the importance of SOC reports, and discuss their critical role in securing and strengthening your organization with guidance from Sargon Youmara, Principal on Sikich’s Governance, Risk and Compliance (GRC) team.
Q: Hello Sargon. You are a Principal in Sikich’s Corporate Governance, Risk and Compliance practice. You serve as the outsourced head of internal audit and head of Sarbanes-Oxley (SOX) compliance for a number of businesses. What is that like?
A: My background is mainly on the consulting side, starting in public accounting and moving into internal audit, but I have had the opportunity to lead internal audit departments throughout my career. This affords me a unique perspective in evaluating organizations from the outside looking in. This leadership role requires overseeing internal teams, external consultants and budgets, and has helped shape me in a professional sense. Working internally within one organization is distinct from the external consulting approach working with numerous clients. Internally, you handle projects and deal directly with people, navigating politics, building relationships, and continuously working with individuals post-audit to help guide them through areas of deficiencies. You are constantly involved, managing reputation and building the internal audit brand as a consulting organization within the company. In contrast, external audits are more transactional: you conduct the audit, add value wherever possible, and then move on.
Q: In those roles, how important is third-party risk management?
A: Third-party risk management is crucial. Organizations performing internal audits and risk assessments consistently rank it among their top priorities. This is because many organizations outsource work to third parties or use third-party applications, which could involve sending, processing, storing, and securing sensitive data. For example, using a third-party provider to process payroll is a fairly common practice, but it means sending the third party sensitive information. Sensitive information needs to be secured and protected. Just because a third party has the data, it doesn’t mean an organization absolves itself from managing the associated risks, nor does it relinquish responsibility for data security and the corresponding internal controls. Ensuring the third party has a robust control environment is essential, and those controls need periodic evaluation to ensure they adequately and reliably protect the data and assets.
Q: What role does SOC reporting play in providing you with the assurance that third-party risks are managed?
A: SOC reports are critical, as they provide an independent assessment of a service provider’s internal controls. These reports, conducted by an external organization like Sikich, give customers confidence that the controls over the systems they rely on are designed and operating effectively. For publicly traded companies, SOX compliance requires an annual evaluation of these controls, whether outsourced or housed internally. Service providers hire independent consultants to audit their controls and share the results with their customers, providing necessary assurance.
Q: What do you look for in an SOC report?
A: When reviewing an SOC report, I first check the timing and services in scope to ensure it covers the relevant period and that the service we receive is within the scope of the SOC report. The audit opinion is also crucial: an unqualified opinion means everything is materially okay, while a qualified opinion highlights material deficiencies. I look for any deficiencies reported, as these reflect on my client’s control environment. Complementary User Entity Controls (CUECs) are also important; these are controls that the service provider expects us to have in place. Finally, I consider subservice providers, as no organization operates in isolation. If the service provider relies on others, their SOC reports need to be reviewed as well.
Q: What happens if a third party cannot provide an SOC report?
A: Many third-party agreements include a “right to audit” clause, which subjects the third party to numerous audits from clients that distract from business and consume a lot of time and resources. If a third party cannot provide an SOC report, the “right to audit” clause can be enacted. Alternatively, if it’s too costly to perform an independent audit, then the burden is back on my client to build their own internal controls to ensure the accuracy and security of their data and assets at the third party. This might involve implementing controls over data that is sent to the third-party service provider or validating reports sent back against internal data to ensure their accuracy and completeness. Service industry organizations benefit from issuing SOC reports; otherwise, they might lose customers to providers who do have them.
Q: How often should SOC reports be reviewed? Is it a one-time exercise or on a regular cadence?
A: SOC reports should be reviewed regularly according to the service provider’s reporting cycle. Every time an SOC report is issued, it should be reviewed promptly. Not all SOC report opinions are unqualified – therefore, timely review is essential to address any identified deficiencies or issues, ensuring that the organization’s data and assets remain protected.
Q: What advice would you give to others in your position, who have concerns about third parties?
A: Maintaining data security and ensuring data privacy is critical, and as we’ve seen, many data breaches have originated from a third party. For service providers, it is important to engage reputable companies for the SOC engagement. Trusted organizations provide detailed and reliable SOC reports, unlike some lesser-known firms. For customers, always request SOC reports, as they are primary sources of information about the effectiveness of a provider’s controls. Additionally, implement other monitoring best practices to ensure services meet expectations and provide the necessary assurance. Review SOC reports thoroughly and make sure CUECs are appropriately implemented and examined.
Our team of internal controls specialists has extensive expertise conducting evaluations of third parties to support your organization. Learn more about the importance of SOC reporting and TPRM as your organization strengthens its internal controls by contacting our team here.