One of the Trust Services Criteria that organizations sometimes struggle with in SOC 2 examinations is Common Criteria (CC) 9.2: "The entity assesses and manages risks associated with vendors and business partners." Related to CC9.2 is Description Criterion (DC) 6, which requires that the system description disclose the controls the service organization uses to monitor the services provided by its subservice organizations. There are a variety of ways that companies can address CC9.2 and DC6. One of the most common is to obtain and evaluate the SOC reports of significant vendors and subservice organizations and/or perform vendor risk assessments. These are effective ways to address CC9.2 and DC6; however, for the auditor to rely on them, these controls must actually be performed during the period covered by the report.
There may be instances where the standard vendor management controls identified above are not performed, for one reason or another, during the period covered by the SOC 2 report. In these situations, it is important to determine whether other controls were in place and operating during the period that effectively address CC9.2 and DC6. If such controls exist, companies may be able to avoid a qualified SOC 2 opinion with regard to CC9.2 even though they did not review vendor SOC reports or perform vendor risk assessments during the period.
Any time there are exceptions in a SOC 2 report that could lead to a qualified opinion, it is crucial for company management and the SOC auditors to discuss whether compensating controls exist that reduce the risk created by the exceptions and prevent a qualification. Following are two customized controls that were added to the SOC 2 reports of companies that failed to review vendor SOC reports or perform vendor risk assessments during their audit period:
- The Company uses a third-party software tool, ServiceNow, for vendor risk management. Risk assessment and continuous monitoring are performed for all critical vendors in ServiceNow, enabling the Company to identify emerging risks with third-party providers. The software has risk scoring functionality, which helps quantify the risk assessment process. It also serves as a ticketing system to automate vendor issue generation and design remediation plans.
- Vendor and business partner risks are evaluated as part of the annual risk assessment and are covered in the risk management program. In addition, executive and operational teams assess supplier management in the annual Risk Management Review Meeting.
Despite failing to review and evaluate their vendor and subservice organization SOC reports and to perform vendor risk assessments, both companies were able to avoid a qualification of CC9.2 by relying on the controls identified above, because those controls were in place and operated throughout the audit period.