Hi Danielle
In my experience that can be tricky information to get. Usually what I see is a mention of subservice providers' CUECs in my vendor's SSAE 18 SOC Report in the Provider's Assertion section. Normally it states something like... 'the description (description of my vendor's system) presents xxxxxx's (my 3rd party vendor's) controls, the applicable trust services criteria, and the types of complementary subservice organization controls assumed in the design of xxxxxx's controls. The description does not disclose the actual controls at the subservice organization(s)'. Not always exactly that, but something to that effect. If by chance your 3rd party provider gives you SOC reports for their subservice providers, you would be able to see the CUECs and cross-check those against your vendor's controls that are in scope of their SOC report. It seems to be getting more difficult to get subservice providers' SOC reports from our 3rd party vendors due to privacy and confidentiality concerns.
I have never had an auditor or examiner ask for that level of due diligence for 4th parties (and beyond). They are normally satisfied that the subservice providers are identified and that our 3rd party vendor provides evidence that they have a vendor management program and are doing their due diligence, including compliance with CUECs.
Original Message:
Sent: 05-05-2020 05:00 PM
From: Danielle Shanahan
Subject: Complementary User Entity Controls for Vendors
Hi Everyone,
I was wondering if anyone would be willing to share how their organization deals with their vendors' complementary user entity controls for their third parties (our 4th parties). This is one item I struggle with, as it's an additional duty I'm responsible for and I'm the only person responsible for vendor management within my organization. It's been suggested by management that we should be asking for this, so I thought I'd ask what everyone else does. We currently review and complete any applicable controls that our organization is responsible for, but does anyone ask their vendor to provide the controls for their 3rd party (our fourth party)?
Is it something that I should be trying to obtain?
Has anyone ever had an auditor request or suggest they start doing this?
Thanks!