Due Diligence and Ongoing Monitoring


Reviewing 3rd Party Attestation reports

  • 1.  Reviewing 3rd Party Attestation reports

    This message was posted by a user wishing to remain anonymous
    Posted 06-02-2021 05:24 PM

    Looking for some assistance on how to review our 3rd party's reports, SOC reports for example.
    Is there a checklist or similar that can be used to ensure that what is covered in the SOC report is adequate?

    Appreciate any insights.


  • 2.  RE: Reviewing 3rd Party Attestation reports

    Posted 06-02-2021 05:52 PM
    Generally I'm reviewing the exceptions that the auditor called out in addition to the critical third parties utilized by the vendor. The outlined exceptions usually have a "management response" (what is being done to address the finding). I will often request an update on the management response or updated control.

    Hope that helps,

    Garrett

    ------------------------------
    Garrett Grossman
    ------------------------------



  • 3.  RE: Reviewing 3rd Party Attestation reports

    Posted 06-03-2021 09:20 AM
    In addition to what was previously mentioned, we use the following checklist:

    Review Area                   | Where Addressed
    ------------------------------+----------------
    Backup and Recovery           |
    Disaster Recovery Planning    |
    Physical Security             |
    Logical Security              |
    Policies and Procedures       |
    Change Management             |



    I also use the SOC to verify policies and procedures, as I have found that certain vendors won't release copies of some policies (3rd party/vendor management, etc.); however, you can verify that they have them and get some pretty good details around a lot of a vendor's policies from the SOC.  Similarly, I have multiple vendors that don't release BCP or similar testing or specifics on their plan; however, you can usually verify that they have a plan and are completing associated testing from the SOC.  You can't usually tell the results of the testing, but at least you can verify it was completed.

    Shelly




  • 4.  RE: Reviewing 3rd Party Attestation reports

    Posted 06-03-2021 09:22 AM

    I actually created a checklist [which the auditors seem to like mainly because it creates consistency] mostly because there isn't one 'gold standard' that I ever found.

     

    The main thing for that, though, is to ask a few questions:

        What is the main purpose of the review? [Mine is data security mostly]
        What are the most important things in a SOC report that you want to see covered?
            One technique I used in the beginning was to use a 'strong' SOC as a model. [By strong, I mean from a company that you just feel is doing things right.]

    Some categories I found useful:

        Qualified or Unqualified report
        New Hire Background checks
        Staff Confidentiality/Code of Ethics
        Firewalls
        Malware protection
        Physical Security
        Environmental Security
        Disaster testing
        Penetration Testing
        IDP/IDS

    These are just top-of-mind categories that I find good to tag/make note of in a SOC report review.  Your mileage may vary.

    Thanks,

    Dave

     

    David Howe

    Chief Information Officer