https://www.sikich.com

Third-Party Service Providers – Managing Risk with Controls

Organizations often integrate Third-Party Service Providers (TPSPs) into their operations, where they become an extension of the business’s processes – serving as a critical contributor to operational effectiveness and efficiency. Take ADP, for example – as an outsourced payroll provider, it offers organizations a streamlined approach to managing payroll. However, providing third parties with access to sensitive employee information can weaken the security defenses the organization has established in-house. And ADP, while a common and well-known TPSP for payroll, is not the only service company organizations rely on for third-party support. The use of third parties has extended into various operations, such as IT infrastructure in the cloud, communication and file sharing, customer relationship management, ERP systems, warehouse management, supply chain logistics, and more.

Sharing access and data, as well as relying on third-party processes and controls, can leave organizations exposed to cybersecurity risks if proper controls aren’t in place. Managing third-party risk is a multi-layered responsibility that organizations must address. Here’s how best to handle it:

Why Third-Party Risk Management Should be a Top Priority

Cybersecurity attacks and data breaches represent a huge global risk, leaving organizations highly vulnerable. A successful attack can quickly spread, exploiting weaknesses across an entire network. This makes managing third-party risks a critical priority within businesses. To reduce an organization’s risk exposure, it is essential to establish a robust Third-Party Risk Management (TPRM) framework that sets clear, agreed-upon standards for security, privacy, continuous monitoring, and breach or incident response protocols. Such a framework ensures that vulnerabilities are minimized.

In addition to cybersecurity risks, organizations face significant threats when they lack an effective internal control environment, which extends to their TPSPs. As TPSPs become part of the contracting organization’s operations, ensuring their internal controls are robust is an important step for businesses to take.

Third parties provide System and Organization Controls (SOC) reports to the organizations they partner with. A SOC report is an independent audit report on the controls within the service provided to customers, and it demonstrates that the provider’s control environment is suitably designed and operating effectively.

Comparing SOC 1 and SOC 2 Reports

Two types of SOC reports are available for organizations to manage risks associated with third-party engagements:

For whom
  • SOC 1: Essential for service organizations processing transactions that impact the customer’s financial statement reporting
  • SOC 2: Essential for all service organizations, including cloud service providers

Purpose
  • SOC 1: An SOC 1 audit reviews and reports on an organization’s internal controls relevant to its customer’s financial statements
  • SOC 2: An SOC 2 audit reviews and reports on an organization’s internal controls relevant to the five Trust Services Criteria (TSC) from the AICPA: security, availability, confidentiality, processing integrity, and privacy of customer data

Content Objective
  • SOC 1: Addresses risks that could impact the financial statements of the user entities
  • SOC 2: Covers a combination of the five TSCs based on the organization’s requirements

End Users
  • SOC 1: Customer’s management and their external auditors
  • SOC 2: Customer’s management and prospects

Examples
  • SOC 1: Business offerings such as billing management platforms, payroll processing software, financial reporting software, and services relevant to the financial impact processing of the organization
  • SOC 2: Businesses that host data centers, SaaS providers, cloud service providers, HR management services and recruitment platforms, to name a few

Types (apply to both SOC 1 and SOC 2)
  • Type 1: At a specific point in time; opinion on control design and implementation
  • Type 2: Over a specific period; opinion on control design, implementation and operating effectiveness

How to Manage TPSP Risks with Controls

TPSP risks can be minimized through a successful approach to managing these relationships. This includes implementing governance through all phases of the partnership and evaluating risks and controls on an ongoing basis. Organizations can do so by following these steps:

  • Establish policies and procedures related to initiating and managing TPSP relationships.
  • Follow an annual process to determine which TPSPs are critical to the organization.
  • Create policies and procedures to evaluate TPSPs’ control environments by SOC report reviews or alternative methods (e.g., creating added controls or going onsite to evaluate controls).
    • TPSPs that do not have an SOC report should be reviewed to ensure that controls are in place to mitigate the potential risk exposure from missing controls. Contracting organizations could exercise the “right to audit” clause to evaluate the controls in the processes applicable to the contracting arrangements.
  • Coordinate with external auditors to determine TPSPs important to the audit and assessment requirements/procedures.

Areas of Focus in Your SOC Report

While reviewing an SOC report, pay particular attention to the following key areas:

  1. Service being evaluated
  2. Report coverage period
  3. Complementary User Entity Controls (CUECs)
  4. Audit opinion
  5. Deficiencies identified

Service Being Evaluated

Ensuring you have the right SOC report for the service you use is important, as TPSPs have numerous service offerings across their customer base and may therefore issue several SOC reports. Contracting organizations should review the report’s scope to validate that they are evaluating the right one.

Report Coverage Period

Reports can also be issued on various cycles (e.g., annually, semi-annually, quarterly) and may not always provide complete coverage for the period you need. For example, a report issued annually on September 30 would cover the first quarter of the prior year and three quarters of the current year. However, if your evaluation period is the current year, you would need to review the current report plus a bridge letter from the TPSP covering the remainder of your organization’s evaluation period.

Complementary User Entity Controls (CUECs)

CUECs are controls that TPSPs expect contracting organizations to have in place to promote an effective overall control environment. Evaluating CUECs and ensuring controls exist at the contracting organization is a crucial step in maintaining an effective control environment.

Audit Opinion

A qualified audit opinion means that there are material deficiencies impacting the TPSP’s control environment, and these should be flagged immediately. It requires that additional steps be performed at the contracting organization to ensure its own control environment is not materially impacted.

Deficiencies Identified

Finally, deficiencies may be identified in specific controls within the SOC report – each deficiency should be evaluated by the contracting organization to determine its impact on the overall control environment. Additional controls or substantive procedures may need to be implemented to preserve the integrity of the information and results affected by the control failure.

How Sikich Can Help

If your organization is working with outside parties, our governance, risk and compliance team can implement appropriate procedures for reviewing TPSPs, including leveraging AI for efficiency. We can also evaluate existing procedures to ensure they are appropriately designed. To learn more about our services, such as AI use cases, please contact us.

About Our Authors

Veronika Fritz, CPA, is a principal with audit and management expertise. She has led the planning, development and successful execution of financial, application and operational audits, compliance reviews, system implementations, and business process evaluations. Her focus is an integrated approach, and her experience spans all areas of business to help management with their process and control environment.

Sargon Youmara, CPA, is a principal with a deep understanding of financial reporting, project management, business process improvement and risk management. A trusted advisor, he provides expertise leading Sarbanes-Oxley compliance initiatives, including the requirements of the Public Company Accounting Oversight Board (PCAOB), the Securities and Exchange Commission (SEC), and the Committee of Sponsoring Organizations (COSO).

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
