3rd Party Vendor Risk Management




3rd Party Vendor Risk Management, Session 402, Tuesday, June 9, 2015 (11 to 12pm)

Session Objectives
- The need for enhanced reporting on vendor risk management
- Current outsourcing environment
- Key risks faced by vendors and customers from outsourcing arrangements
- Why the current approach to achieving assurance over vendor operations is no longer sufficient
- Practical approach to a vendor risk management program
- A better solution on controls assurance
- What are the components of the SSAE16 / SOC 2 assurance report?
- What's next: determining what is the right fit for your company

Current Outsourcing Environment
Today's service-based economy has put third party vendors front and center.
- Advantages of outsourcing: reduce costs and increase business agility. By using vendors' data hosting, cloud, and business-process services, companies can redirect in-house resources back to the business and focus on core competencies.
- Employing third party vendors opens a company up to additional risks, ranging from data errors to supply chain disruptions.
- 4th-party vendor risks: the vendor's own supplier relationships are invisible to the end client, creating additional risk exposures.

Current Outsourcing Environment (cont.)
- Vendors are experiencing more stringent oversight from customers
- Increasing requests for on-site audits and other assessments
- Increased time required to oversee outsourced arrangements
- Regulators are casting a watchful eye on vendors and their customers, driving the need for a more effective and efficient solution to providing assurance over vendor operations.

Key risks faced by vendors and customers from outsourcing arrangements:
- Strategic risks
- Social, ethical & environmental risks
- Continuity risks
- Financial risks
- Operational risks

Vendor Risk Management Lifecycle
In choosing to outsource components of their business to a third party service provider, risk needs to be considered throughout the process:
- Planning: identifying business requirements
- Selection: RFP process, due diligence during evaluation
- Contract: clarity, SLAs, right to audit, problem resolution
- Monitoring: relationship owner, metrics for SLAs, review of performance
- Termination: contingency plans, transition, loss of data

Planning
A good plan prior to beginning the RFP and vendor selection process will help to mitigate many third party risks.
- Risk identification: Who is impacted? What will have to change (people, process, technology)?
- Cost-benefit analysis: goes beyond the savings of outsourcing vs. insourcing; needs to include the costs to control the risks (direct and indirect)
- Process to select, assess, and monitor the vendor
- Appropriate approval based on the activity being outsourced

Selection
Due diligence during the vendor selection process is critical to managing third party risks.
- Evaluate company stability: financial condition; business experience and reputation; qualifications and backgrounds of company principals
- Evaluate the solution: information systems and processes; information security; resilience (disaster recovery, business continuity, insurance); risk management
- Standards and certifications
- Independent assessments of controls (SOC reports)

The Contract
Everything in the vendor relationship comes back to the contract. Companies need to make sure all of the appropriate provisions are in their agreements.
- Legal processes and requirements: contract approval and legal entity descriptions; intellectual property ownership; complete and explicit terms for contract termination
- Scope: clear delineation of responsibilities; detailed description of services to be provided; out-of-scope services; contract term and renewal dates

The Contract (cont.)
- Service Level Agreements: how to measure adherence to SLAs (metrics); include both qualitative and quantitative metrics; evaluate the SLAs to ensure they reflect your business requirements
- Payments: defined payment schedule; how variable costs are calculated and supported; chargebacks due to service issues
- Problem resolution: process and responsibilities need to be clearly defined; tie the process (and response) to performance evaluation

The Contract (cont.)
- Performance reporting: content, distribution, and frequency; penalties for nonperformance, rewards for performance
- Security: clearly defined information and security access requirements; nondisclosure and confidentiality agreements
- Right-to-audit: includes not only the right to audit but also the ability to monitor performance and require remediation when issues are identified; accessibility to perform audit procedures; access to the vendor's audit reports while reserving the right to conduct your own audits

Monitoring
Outsourcing is not a turn-key solution; it requires ongoing monitoring to ensure risks are mitigated for the duration of the vendor relationship.
- Assignment of responsibility: who is managing the relationship?
- Ongoing performance measurement against SLAs, using both vendor-reported and independent measures (where possible)
- Escalation and communication when issues are identified
- Formal review process: not only operational, but should include a refresh of the due diligence steps

Termination
Things change, and sometimes a company will need to transition vendors or bring activities in-house.
- Create a detailed termination / transition plan that has allocated enough time and resources.
- Data retention and destruction and other technology-related issues.
- Handling of joint intellectual property developed during the course of the arrangement.
- Reputation risks to the company if the termination happens as a result of the vendor's inability to meet expectations.

Why the current approach to achieving assurance over vendor operations is no longer sufficient:
- Many vendors are receiving multiple and varied questionnaires from a significant number of customers, which may result in an inconsistent level of quality in their responses.
- Vendors are finding themselves investing additional time and resources to meet the demand.
- Some vendors have tried using SOC (Service Organization Controls) 1 or 2 reports to respond to questionnaires.
- On-site assessments performed by customers also seem deficient because they are performed at a specific point in time and fail to provide an overall view of a vendor's operations or environment.
- Vendors are seeking a way to take control of this challenging situation.

A Better Solution on Controls Assurance
The SOC audit report, built upon the AICPA's SOC reporting principles, allows an independent, standardized assessment to be performed over vendor operations and eliminates the need for the time-consuming and costly vendor questionnaire process. The report format makes it easy for both vendors and their customers to digest. The report provides the necessary level of assurance and can help restore a customer's confidence in vendor processes, which in turn will increase customer satisfaction and preserve valuable vendor/customer relationships.

A Better Solution on Controls Assurance (cont.)
Benefits to vendors include:
- Reduced time and money spent on resources dedicated to the vendor questionnaire process.
- More time to proactively address risks and deliver value to customers.
- A decrease in the number of on-site audits.
- Enhanced vendor marketability, as the report can be used to differentiate a vendor from its peers.
- A greater understanding of expectations and what vendors are being measured against, regardless of the customer.
Benefits to customers include:
- A greater level of assurance over vendors' operations (positive assurance).
- Savings associated with the reduction in the need to perform on-site visits.
- Savings associated with not having to create questionnaires, or having to evaluate inconsistent reports with varying criteria from vendors.

Determining whether a SOC report is the right fit for your company:
For vendors:
- How many customers ask you to complete their vendor risk annual questionnaires?
- How much time, effort, and cost is put into answering vendor risk annual questionnaires?
- Do your customers obtain the required comfort from the questionnaire responses and/or from other control reports provided (such as SOC 1 and 2 reports), or are there gaps in coverage?
- Do you have on-site audits performed by customers, impacting your resource time and availability?
- How much internal time do you spend on managing vendor risk management processes relating to satisfying your customer inquiries/questionnaires and/or on-site audits?
For customers:
- Are you receiving adequate comfort over the management of key risks from your vendors?
- Are you obtaining sufficient comfort from completed vendor questionnaires?
- How much time, effort, and cost are you spending on developing vendor questionnaires and following up on remediation activity?
- Are on-site audits costing you unnecessary time and effort, and only providing comfort to you at a point in time?

Planning and Scoping Considerations
- Identify the existing services, systems and/or processes that you are interested in having audited.
- Does your organization process transactions on behalf of its customers (SOC 1)?
- Which principles are most likely to be of interest and concern to your customers (SOC 2 / SOC 3)?
- Who will be the users of the report?
- Assess what, if any, specific audit reports are required by your customer contracts, and whether contracts have right-to-audit clauses.
- Do your organization's services, systems and/or processes impact the financial reporting controls of its clients? If so, how, and which financial statement accounts?
- Is there a need to include any products or services provided by outsourcing or co-sourcing partners in the scope of the audit?
- Determine the type of report to be provided and the period covered.

SOC Report Overview and Comparison of SOC Reporting Options (SSAE16)

SOC 1 (internal control over financial reporting)
- Focus: controls relevant to financial reporting. Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.
- Report users: detailed report for the user organization's accounting/finance office and user auditors.
- Service organizations: service providers touching financial data, e.g. payroll providers, trust companies, healthcare claims processors, payment processors, third party administrators.
- Customer need: financial statement audits; concern over the entry, processing and reporting controls in place for financial processing.
- When appropriate: annually, and if the transactions are material to the customer's financial statements.

SOC 2 (operational controls)
- Focus: concerns regarding security, availability, processing integrity, confidentiality or privacy. Applicable to a variety of systems.
- Report users: detailed report for management, regulators, auditors, others.
- Service organizations: heavily geared toward technology companies, e.g. data centers, managed service providers, cloud collaboration, Software as a Service (SaaS) entities, statement printers.
- Customer need: ERM, internal audit programs, oversight and due diligence; concern over the security, integrity and confidentiality of data handled.
- When appropriate: annually, or when the services provided are changed.

SOC 3 (operational controls)
- Focus: same principles as SOC 2 (security, availability, processing integrity, confidentiality or privacy).
- Report users: web site seal and easy-to-read report for the general public or any users with a need for confidence in the service organization's controls.
- Service organizations: service organizations that want to display something on their websites for marketing purposes; detail not needed.
- Customer need: ERM, internal audit programs, oversight and due diligence; concern over the security, integrity and confidentiality of data handled.
- When appropriate: when the service organization feels it provides them with an advantage.

Executing the Engagement
The service auditor can assist in any or all of the phases; typically, the progression is as follows:
- Phase 1 (Readiness): an assessment is done to determine readiness, including key customer identification. A health check on the vendor's control environment is also done during this phase.
- Phase 2 (Remediation): management performs activities to rectify control weaknesses identified in phase 1.
- Phase 3 (SOC 2+ Assessment): the service auditor performs a SOC 2 assessment and expresses an opinion on the vendor's control environment.

Value Proposition of SSAE16 / SOC Reporting
- Provides a competitive advantage and differentiator to prospective clients by demonstrating confidence in the establishment of control objectives and effective control activities.
- Builds trust and transparency with your user organizations (i.e., customers). You want your clients to say: "You're good stewards of effective governance over key risks that impact my business."
- Without a current auditor's report, an organization may have to entertain multiple audit requests from its customers and their respective auditors.
- Very often this process results in the identification of opportunities for improvement in many operational areas.

Value Proposition Specific to SOC 2 and SOC 3 Reports
- Provides communication of the service organization's control environment to a broader group of customers and stakeholders than is allowed in a SOC 1 audit.
- Allows the service organization to benchmark its internal controls against published principles and criteria from a recognized standards organization.
- Provides customers with a high level of comfort as to the security, privacy and confidentiality of their data and the availability and processing integrity of the services provided under their SLAs.
- A logo from the AICPA can be added to the service organization's website to communicate to website visitors that the service organization has undergone a SOC 2 audit to ensure that internal controls are properly designed, implemented and operating effectively.

SOC Considerations for Your Vendor Management Program
- Ask for the right report.
- Review the scope and review period.
- Review the Independent Service Auditor's Report (aka "The Opinion").
- Read the Description of the System.
- Review Section 4: Control Objectives / Principles & Criteria, Controls, and Test Procedures.
- Evaluate the complementary user entity controls against the controls within your environment.
- Be skeptical: do not rely only on the SOC report.

Three Lines of Defense Drives Governance Structure
Clarity of roles and responsibilities, structured into three lines of defense under the Board of Directors / Audit Committee and Senior Management:
- 1st Line of Defense: administration controls, internal control measures
- 2nd Line of Defense: financial control, security, risk management, quality, legal, compliance
- 3rd Line of Defense: assurance & validation (Internal Audit)
- External Auditor / Regulator

Thank You!
Jerry Ravi, Partner, EisnerAmper LLP, 111 Wood Avenue South, Iselin, NJ 08830, jerry.ravi@eisneramper.com, (732) 243-7590, www.eisneramper.com
Derek Danilson, Senior Manager, Smart Devine, 1600 Market Street, 32nd Floor, Philadelphia, PA 19103, DDanilson@smartdevine.com, 610-994-1532, www.smartdevine.com

Please Complete the Session Evaluation Form on the Conference App