My last blog, SOC it To Me in 2017 – Preparing for the SSAE 18, highlighted the changes to the planning, scoping, and execution of an SSAE 18 engagement from the service organization’s point of view. For part II, I plan on sharing tips on the downstream implications for third party risk and for the inspection of the service organization’s overall Third Party Service Provider (TPSP) oversight or Vendor Management Program.
Expectations for third party risk oversight have continued to rise across industries as the use of third parties has grown rapidly. The focus on cybersecurity risk has broadened the need for maturity in the structure, development, and implementation of third party risk oversight programs. The update to the AICPA standards, and the evolution of SSAE 16 into SSAE 18, brings additional clarity and focus to the third parties that are in scope for a specific external assurance audit engagement.
Defining the CSOC
While subservice organizations have been incorporated into prior external audit engagements, the updated standard introduces a new definition. The “complementary subservice organization control,” or CSOC, is a new term to understand when both creating and reviewing an SSAE 18 report. CSOCs are controls that the service organization assumes, in the design of its system, will be implemented by a subservice organization; they are described within management’s description of the system and its environment, but under the carve-out method they are not tested by the service auditor as part of the engagement. Part of the driver for the change is to ensure that recipients of the report understand which controls the primary service provider owns and which controls are assumed to be handled by the service provider’s vendors or subcontractors. The service provider must identify and disclose the key subservice organizations not only in the assertion criteria but also, in fair and clear language, in the description of which controls are ‘assumed’ or ‘complementary’ to the controls tested in the audit engagement. Here’s an example:
- A service provider outsources data center operations to a colocation facility, or hosting services to a cloud service provider.
- The service provider assumes that the colocation vendor or cloud provider has implemented the controls for physical and logical security of the environment.
- Those physical and logical security safeguards complement the controls of the primary service provider and should be identified as CSOCs in the system description.
In fact, the type of outsourcing involved in the applications in scope for the engagement can have a bigger impact on the service provider’s vendor management program, depending on the methodology used in scoping the audit engagement.
Implications based on methodology
There are basically two approaches to how a service provider can incorporate the role or function of its subcontractors from an audit methodology perspective: the “carve-out” method and the “inclusive” method. In the carve-out method, the control activities performed by the subservice organization are excluded from the service auditor’s portion of the report (they appear in the system description as CSOCs but are not tested). In the inclusive method, they are within the scope of the report and are tested by the service auditor. If you use the inclusive method, you need to obtain a written management assertion covering the controls from the subservice organization, and the subservice organization must be willing and able to work with your service auditors on the engagement, so the choice should be driven by what your customer base needs from the report. Under either approach, however, a program must be in place to review and assess the effectiveness of the controls at each subservice organization. The evolution of the standard will trigger a deeper review of not only the design of that program but also the implementation and execution of continuous monitoring of the specific third parties in scope for the engagement.
Continuous monitoring within the TPSP program
The maturity of the oversight of subservice organizations that provide CSOCs can be demonstrated in many ways, depending on the task or function that is outsourced. Examples of continuous monitoring may include:
- Reviewing reports related to services, scope or operations
- Periodic discussions/meetings regarding the control environment
- Site visits to inspect or verify controls
- Testing of controls
- Reviewing SOC reports
- Monitoring communications from the subservice organization
Each service provider should define in advance the type and level of evidence or artifacts it can provide to show how the controls are confirmed, with clear accountability and ownership. A key factor in that analysis is to ensure that the service provider has read the subservice organization’s report in full and identified any control assumptions it places on the report’s users. In the past, some subcontractors pushed back on performing their own SOC engagement because of the expense, or attempted to shift that cost to the service provider. The shift in the standard will likely broaden the acknowledgment that SOC audits are basically table stakes in the outsourced services marketplace.