360 of Vendor Management

Transcription

1 360 of Vendor Management Jay Brietz, CPA and CIA Shareholder Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC

2 Disclaimer This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 2

3 Agenda Overview of Vendor Management Vendor Management Steps SOC Report Reviews Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 3

4 Overview of Vendor Management Who are third party vendors: FDIC s definition is the most simple All entities that have entered into a business relationship with a financial institution. OCC s definition provides more examples of third parties that provide outsourced products and services, independent consultants, networking arrangements, merchant payment processing services so forth. The FRB and CFPB also have their own definitions. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 4

5 Overview of Vendor Management Outsourcing dates back to the 1800 s 1970 s and 1980 s - Advancement of IT environments - Move from payroll outsourcing to IT outsourcing 1990 s and 2000 s - Y2K scare and the boom of IT consulting - Speed of change (broadband, storage, internet, and security) - Education and training Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 5

6 Overview of Vendor Management Think back to your bank in the 1980 s (maybe even in the 1990 s): - Core processing system was home grown (probably on a computer the size of a tank) - Payroll was one of the first processes outsourced - Most other functions were performed in-house Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 6

7 Overview of Vendor Management Common processes at banks that are outsourced today: - Core processing system and related bank products - Payroll processing - Investments safekeeping and recordkeeping - Benefit plan processing - Others Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 7

8 Overview of Vendor Management THOUGHT OF THE DAY: You can outsource the process but you still need to manage risks associated with the process. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 8

9 Overview of Vendor Management Vendor Management is an important aspect of the bank s overall risk management program According to the FDIC: An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling risks arising from such relationships, to the same extent as if the activity were handled within the institution. (FIL , Guidance on Managing Third Party Risk ) Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 9

10 Overview of Vendor Management What are typical risks associated with the use of third parties? Strategic Risks Compliance Risks Credit Risks Operational Risks Transactional Risks Reputational Risks Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 10

11 Overview of Vendor Management Identifying Risk Responses Avoidance Exiting the activities giving rise to the risk Reduction Action taken to reduce the risk likelihood or impact or both Management s response to risk Sharing Reducing the likelihood or impact by transferring or sharing a portion of the risk Acceptance No action is taken to affect risk likelihood or impact Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 11

12 Overview of Vendor Management Use of third parties means you have Accepted the risk! Avoidance Exiting the activities giving rise to the risk Reduction Action taken to reduce the risk likelihood or impact or both Management s response to risk Sharing Reducing the likelihood or impact by transferring or sharing a portion of the risk Acceptance No action is taken to affect risk likelihood or impact Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 12

13 Overview of Vendor Management THOUGHT OF THE DAY: You can outsource the process but you still need to manage risks associated with the process. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 13

14 Vendor Management Steps Risk Assessment Due Diligence Contracting Monitoring Effective vendor management programs typically contain four key steps: - Risk Assessment - Due Diligence - Contracting - Monitoring Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 14

15 Vendor Management Steps Risk Assessment Some key considerations in assessing vendor risk (always thinking WCGW what could go wrong): - Longevity of the relationship and/or service/product - Materiality of the contract to the Bank s financials - Significance of the process/services outsourced - How easily can service/product be moved or brought in-house - Where is critical/sensitive information housed and how quickly can it be recovered - Will third party have access to and/or transmit sensitive data - What are reputational risks if the services are not performed correctly - Compliance risks associated to outsourced services - Experience of internal personnel managing the relationship Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 15

16 Vendor Management Steps Risk Assessment Classifying Risks: High Moderate Critical Vendors - cannot be easily replaced if services are interrupted or terminated, which in turn may cause significant operational and/or financial impact Other High Risk Vendors - has unsupervised access to sensitive data, critical applications, technology infrastructure or related control systems, then they should be deemed as high risk. Low Moderate and Low Risk Vendors risks do not meet the criteria of a high risk category, and due diligence is typically performed less frequently. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 16

17 Vendor Management Steps Due Diligence Items typically obtained and reviewed: Audited financial statements Insurance coverage and exclusions Experience of principals and business reputation External reports: - SOC reports - Compliance and regulatory reports - Peer reviews Hiring policies and use of background checks Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 17

18 Vendor Management Steps Due Diligence Items typically obtained and reviewed (continued): IT Security Policy, including: - Protection of confidential information - Business continuity and disaster recovery plans - Data removal and destruction policies and procedures Strategic plans for upgrades and changes to hardware and/or software Pending lawsuits Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 18

19 Vendor Management Steps Contracting Contracting considerations: Ensure scope and key terms are clearly defined Incorporate performance measures, such as SLAs and project plans Legal language, such as indemnification provisions and limits of liability Right to audit clause or requirements for SOC reports Use of subcontractors (prior notice/approval) Data privacy confidentiality and security Business continuity and disaster recovery plans Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 19

20 Vendor Management Steps Monitoring Monitoring Considerations: Who person with the requisite knowledge and skills to critically review all aspects of the relationship What established performance benchmarks such as financial condition, performance against stated terms or project plans, reputation, and external reviews/soc reports When frequency determined by risk classification How typical monitoring procedures include separate evaluations and ongoing monitoring efforts Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 20

21 Vendor Management Steps THOUGHT OF THE DAY: You can outsource the process but you still need to manage risks associated with the process. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 21

22 SOC Report Reviews SOC reports are important part of the vendor management program, so it is important to know how to leverage these reports In this final section, we will cover: - An overview of SOC reports - Key aspects of these reports to leverage - Bank s responsibilities related to SOC report reviews and User Control Considerations (UCCs) Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 22

23 SOC Report Reviews Why do companies get a SOC report? In an audit of a user organization's financial statements, the user auditor obtains an understanding of the entity's internal control sufficient to plan the audit as required by AU-C Section 315, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement. User Organizations' Auditors If a service organization provides transaction processing or other data processing services to the user organization, the user auditor may be required to gain an understanding of the controls at the service organization. Independent Accounting or Auditing Firm (Service Auditor) User Organizations Services Subservice Organizations Service Organizations The service organization will engage the independent accounting firm to perform a SOC examination and issue a report on the organization's internal controls Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 23

24 SOC Report Reviews Let s compare the three SOC reports SOC 1 Who Why What User entity management and user auditors Audit Controls relevant to user entities internal controls over financial Reporting SOC 2 User entity departments other than accounting Governance Risk and Compliance programs Oversight Due diligence Controls relevant to security, availability, processing integrity, confidentiality, or privacy SOC 3 Any users with need for confidence in service organization s controls Marketing confidence without the detail Seal and easy to read report on controls Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 24

25 SOC Report Reviews There are two Types of reports for both SOC 1 and SOC 2 Type 1 Type 2 Type 1 Type 2 Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 25

26 SOC Report Reviews Difference between a Type 1 and Type 2 Type 1 A report on management s description of the service organization s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date. Type 2 A report on management s description of the service organization s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 26

27 SOC Report Reviews What reports are required to be reviewed? - Key processes that are outsourced Investment recordkeepers and pricing services Payroll service providers Core processing package - Other processes that may need reviewing Benefit plan and claims processors Certain add-on modules from the core processor Data centers Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 27

28 SOC Report Reviews Scope We have examined Example Co., Inc. s ( Example or the Company ) description of its Payroll Processing Services system and related controls for processing user entities transactions (the Description ) throughout the period July 1, 2014 to June 30, 2015 ( Specified Period ) and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the Description. The Description indicates that certain control objectives specified in the Description can be achieved only if complementary user entity controls contemplated in the design of the Company s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls. Processes or functions covered by this report Audit period covered Type I vs. Type II User entity controls are a key part of the internal control system. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 28

29 SOC Report Reviews Scope (continued) The Company uses various subservice organizations for certain functions of its Payroll Processing Services system and related controls, as described in Section Three. The Company s control objectives and related controls, which are listed in Section Four of this report, include only the control objectives and related controls of the Company and exclude the control objectives and related controls of the subservice organizations. Our examination did not extend to the controls of the subservice organizations. This paragraph describes the subservice organizations that are carved-out or excluded from the scope of this report. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 29

30 SOC Report Reviews Scope (continued) The information presented in Section Five titled Other Information Provided by the Service Organization describes additional processes performed by the Company. It is presented by the management of the Company to provide additional information and is not a part of the Company s Description. Information presented in Section Five has not been subjected to the procedures applied in the examination of the Description and the suitability of the design and operating effectiveness of controls to meet the related criteria stated in the Description and accordingly, we express no opinion on it. This paragraph describes other information presented by the Company not included in the scope of the opinion Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 30

31 SOC Report Reviews Basis for Qualification The Company states in it Description that it has controls in place to review the accuracy of fee schedule codes applied to new account setups or maintenance to existing accounts. However, as noted on page 117 of the description of tests of controls and results thereof, these controls were not operating effectively throughout the Specified Period. As a result, controls were not operating effectively to achieve the control objective, Controls provide reasonable assurance that trust fees are accurately calculated and recorded throughout the Specified Period. This paragraph describes the reason for the Qualified Opinion is provided just before the opinion paragraph Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 31

32 SOC Report Reviews Opinion Opinion 1: Description was fairly stated. In our opinion, except for the matter in the preceding paragraph, in all material respects, based on the criteria described in the Company s assertion in Section Two of this report: The Description fairly presents the Payroll Processing Services system and related controls that were designed and implemented throughout the Specified Period. The controls related to the control objectives stated in the Description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the Specified Period and user entities applied the complementary user entity controls contemplated in the design of the Company s controls throughout the Specified Period. The controls tested, which, together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the Description were achieved, operated effectively throughout the Specified Period. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 32

33 SOC Report Reviews Opinion Opinion 2: Controls were suitably designed. In our opinion, except for the matter in the preceding paragraph, in all material respects, based on the criteria described in the Company s assertion in Section Two of this report: The Description fairly presents the Payroll Processing Services system and related controls that were designed and implemented throughout the Specified Period. The controls related to the control objectives stated in the Description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the Specified Period and user entities applied the complementary user entity controls contemplated in the design of the Company s controls throughout the Specified Period. The controls tested, which, together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the Description were achieved, operated effectively throughout the Specified Period. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 33

34 SOC Report Reviews Opinion Opinion 3: Controls were operating effectively. In our opinion, except for the matter in the preceding paragraph, in all material respects, based on the criteria described in the Company s assertion in Section Two of this report: The Description fairly presents the Payroll Processing Services system and related controls that were designed and implemented throughout the Specified Period. The controls related to the control objectives stated in the Description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the Specified Period and user entities applied the complementary user entity controls contemplated in the design of the Company s controls throughout the Specified Period. The controls tested, which, together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the Description were achieved, operated effectively throughout the Specified Period. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 34

35 SOC Report Reviews This is an excerpt of the User Entity Controls (also referred to as User Control Considerations (UCCs)) Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 35

36 SOC Report Reviews Evaluating UCCs Create a matrix of all UCCs that are applicable to your Bank, including: - Service organization - User entity control (listed in the SOC report) - Applicable to the bank (Yes or No) - Control at the bank to address the UCC - Test procedure and results of testing Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 36

37 SOC Report Reviews Example UCC Documentation and Testing Matrix Service Organization XYZ Payroll Service XYZ Payroll Service UCC Description The user organization is responsible for notifying the service organization of changes in the authorized contacts list. The user organization is responsible for ensuring that only authorized and properly trained personnel are allowed logical access to service organization s systems, fax input worksheets and coversheets. Control Activity at Company Jane Doe is the only individual at the Company who is currently on the authorized contacts list. Authorized Company personnel would notify the service organization immediately of any changes to be made to the list. The Company has procedures in place for ensuring that only authorized and properly trained personnel are allowed logical access to the service organization s systems, fax input worksheets and coversheets. Design Applicable to the Bank? Designed Properly? Remediation Needed? Yes/No Yes/No <1> N/A or Description of required remediation Yes/No Yes/No <1> N/A or Description of required remediation Implementation & Operation Implemented & Operating Remediation Effectively? Needed? Yes/No <2> N/A or Description of required remediation Yes/No <2> N/A or Description of required remediation Reliance on UCC Appropriate? Yes/No Yes/No <1> Should retain documentation of what factors considered (i.e. specific control objectives addressed, relevant assertions, etc., as appropriate). <2> Should retain documentation of what procedures performed to evaluate implementation & operation effectiveness. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 37

38 SOC Report Reviews SOC Report Review and Vendor Management Summary Key Aspects of the Opinion: - Processes/functions covered by the report - Audit period covered and Type I versus Type II - Subservice providers carved out you may need to request their SOC report separately - Other information included but not covered by the opinion (usually in Section Five of the report) - Any qualification(s) or emphasis of a matter Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 38

39 SOC Report Reviews SOC Report Review and Vendor Management Summary (continued) Other Key Aspects of the SOC Report: - Complementary User Entity Controls/UCCs - Exceptions in the testing procedures and management s response to those exceptions - Bridge letters not necessarily a key part of vendor management but can be important when using the SOC report for Sarbanes-Oxley and financial reporting Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 39

40 SOC Report Reviews THOUGHT OF THE DAY: You can outsource the process but you still need to manage risks associated with the process. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 40

41 Questions? Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 41

42 Jay Brietz, CPA, CIA Phone: Mobile: Website: Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com. Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC 42