Exams or Audits

  • 1.  4th Party SOC Report

    Posted 02-14-2023 04:33 PM

    Our External Auditors are requesting that we obtain our 4th Party's SOC Report.  This has posed a challenge with confidentiality since the 4th Party does not have a relationship with us.  In evaluating 4th Parties, I have typically reviewed our third party's SOC Report to assess the controls over sub-servicers, and when applicable requested the results, or a summary of the results, of our third party's assessment of the vendor.  My overall goal is to make sure our third party is completing the necessary due diligence to risk assess the vendor, and has a process in place should the 4th party's service fail.

    Just looking to get thoughts on this situation; other 4th party experiences that you may have encountered; as well as what steps others might be taking to monitor/assess 4th parties.

    Thank you.



  • 2.  RE: 4th Party SOC Report

    Posted 02-14-2023 05:56 PM

    Two suggestions:

    1) We have executed NDAs with the Fourth Parties to gain access to the SOC 2 Reports, and

    2) Our third parties share their summary of due diligence - just what was reviewed - such as the SOC Report, financials, COIs, etc.




  • 3.  RE: 4th Party SOC Report

    Posted 02-14-2023 07:03 PM

    Fourth party to nth party risk is evolving and there really is not much guidance on it from regulators, but they do expect oversight.  It really does come down to your risk appetite and tolerance within your third party oversight program.  Whenever we board a new vendor, we definitely follow the data to determine if we need to monitor a fourth party as a third party.  Historically, we would evaluate our third party's TPRM program, gain assurance that their practice aligns to ours, and call it a day, but now that has evolved.  If we deem a 4th party's risk high enough, we will board them into our program and review them as we would our third party.  This would mean additional review beyond just obtaining a SOC report.

    Contractually, you have to ensure you have audit rights and sharing of confidential data in your agreements, whether it is directly with the fourth party or via the third party.  We have had both scenarios, where we have worked with the fourth party directly or we have asked our third party to obtain the relevant information needed to gain assurance that data is protected.

    Sometimes a list of sub-service providers from your third party also helps, because often they could also be part of your third party portfolio, and therefore you already have oversight of those fourth parties.




  • 4.  RE: 4th Party SOC Report

    Posted 02-15-2023 05:15 AM

    Yes, that's a solid approach.  Certain 4th parties may have SOC (or related compliance) information available online for access, but it is far better to have the assurance that your vendor is reviewing the compliance artifacts that they should be in the course of their own risk program.  In that theme, it is good to have them contractually commit to a baseline of compliance review for their own third-party vendors (your 4th).



    ------------------------------
    L. Beachy
    ------------------------------



  • 5.  RE: 4th Party SOC Report

    Posted 02-15-2023 08:05 AM

    GM, Michael

    Your approach is solid.  Never heard of IA requesting 4th party SOC reports; that is ridiculous.  Your approach leverages your TP relationship and controls over their TPs.  Perfect.

    Do your contracts have provisions re your TP having a TPRMO in place, and you as the client being able to review that policy, procedures and results (annually for your critical suppliers)?  That, I think, would put a bow on it!

    You can always do more, but your process is a risk-based approach and right on.

    Happy to chat, johnfxpeck@gmail.com

    cheers, John