Due Diligence and Ongoing Monitoring

  • 1.  HR Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 10-08-2021 03:20 PM

    We review the SOCs/SSAEs for our payroll and retirement provider, but does anyone review these documents for other HR vendors such as health insurance and life insurance vendors for employees? TIA


  • 2.  RE: HR Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 10-08-2021 04:20 PM

    Yes. We review (annually) any vendors with access to Employee or Client PII or NPI.


  • 3.  RE: HR Vendors

    Posted 10-23-2021 05:51 AM
    Is there anything specific or special you review for HR vendors that you wouldn't review for perhaps an IT vendor?


  • 4.  RE: HR Vendors

    Posted 10-25-2021 08:44 AM
    GM, Kimberly

    I think it boils down to service, data and delivery (e.g., on prem, externally hosted, CSP, use of subcontractors...), regardless of vendor category (HR, IT, etc.).

    Many vendors outside of HR vendors, such as gyms, may collect PII or PHI, and payment data.

    Data needs to be protected (e.g., PII, PHI, GDPR...) using controls aligned to the inherent risk, so these types of services require a deep dive. Certainly, you should consider reviewing SOC reports as well as other key assessments such as pentests...

    Happy to chat, if you want.

    Cheers, enjoy the weekend.