Exams or Audits

 View Only
Ncontracts State of TPRM 2026
Back to discussions
Expand all | Collapse all

SOC Report

  • 1.  SOC Report

    This message was posted by a user wishing to remain anonymous
    Posted 03-07-2024 08:59 AM
    This message was posted by a user wishing to remain anonymous

    How you properly explain to a client/vendor or an upcoming organization why they need to have a SOC report?



  • 2.  RE: SOC Report

    Posted 03-07-2024 09:09 AM

    Our (contractual) language is: 'Service Provider shall at least annually engage a qualified, independent external auditor to conduct periodic reviews of the Service Provider's organizational security practices and the effectiveness of designed controls against recognized audit standards...'  Since we are a global organization and engage global vendors, we do not restrict the audit to AICPA (SSAE or SOC) but also accept international and localized audit frameworks such as ISO, ISEA, and others.



    ------------------------------
    L. Beachy
    ------------------------------



  • 3.  RE: SOC Report

    Posted 03-07-2024 12:04 PM

    Our tiers have specific Due Diligence questions that are sent to the vendor. For top-tier vendors, we request SOC reports in the questionnaire. We also use Nvendor to monitor our tiers 1-3 so after the initial gathering they take care of gathering the yearly reports for us. 


    Original Message


  • 4.  RE: SOC Report

    Posted 03-08-2024 04:22 PM

    This question/comment is piggybacking on your conversion...

    I'm in the middle of our third-party CPA/internal audit on Vendor Management.  

    The auditor is telling me that Privately Owned companies (vs Publicly Owned) are not required to provide us with SOC (SSAE 16/18) reports, or with Financial Statements.   In my 15 years of handling vendor due diligence and contracts, I don't believe I've ever segregated vendors and my expectations of them, in this way.

    Does anyone know if this is a hard truth or some kind of confusion about what small or less risky companies may have (opposed to SOCs) and their willingness to provide their non-public financial information?



    ------------------------------
    Wendi M Inglis
    Compliance Officer
    TRU·FI CU
    ------------------------------

    Original Message


  • 5.  RE: SOC Report

    Posted 03-08-2024 05:45 PM

    Hi Wendi,

    Being publicly traded or not does preclude a necessity of a SOC report or financial statements, unless your CU has a policy surrounding what is acceptable vendor due diligence documentation.  It's harder to obtain financial statements from private companies, however, it is still doable and valid to ask for (at least a financial affirmation statement from the CFO).  And the rest of this thread gives good reasoning explanations for the various SOC report types.  Good luck!


    Original Message


  • 6.  RE: SOC Report

    Posted 03-11-2024 06:22 AM

    Wendi,

     

    I'm right there with you. The risk and oversight requirements are the same regardless of Private or Public.  Ultimately, it depends on how you have set the expectation in your contracts.  When onboarding a new vendor, we request all the standard due diligence, this is "before" we have signed a contract.  It gives us a good indication of how willing they are to share while we are in the "courting" period of the relationship.  If there are certain items they are unwilling to share, we look for mitigating controls, like virtual or onsite meeting with key stakeholders to review controls etc.  And truly... if you want to proceed with a relationship if they are not willing to share and you feel that the missing evidence presents to much risk for proceeding with the relationship.  But never a blanket, if they are private, don't ask for financials or SOC reports.  And always get the contractual clauses to relevant to the due diligence you expect.  

     

    Hope that helps.

     

    Veralyn Hensley

    SVP, Director of Vendor Management

     

     

     

     

     

     

     




    Original Message


  • 7.  RE: SOC Report

    Posted 03-11-2024 06:23 AM
    Hello

    I have been told that private companies are not required to share their financial statements. That does not stop me from asking for them though.  Most of the time they will share with a signed NDA.

      I ask for the same documents from all my vendors to allow them to tell me what they don't have or refuse to provide.  That was a tip from FDIC.  Now as for SOC reports. I have never heard of private companies not needing to share those.  

    From my understanding at 17 years experience is being private only applies to financial. Like I mentioned above though it doesn't stop me from asking for them.  It is just how hard I can push back if they say no.  

    Thanks 
    Sent from my iPhone



    Original Message


  • 8.  RE: SOC Report

    Posted 03-11-2024 11:22 AM

    It is to the vendor's advantage to share the SOC 2 reports as those provide you the ability to review security posture without having to conduct all that audit work yourself.  If they don't provide the SOC 2, then your contractual audit rights are more applicable and the questions get more lengthy and time consuming.  Financial data, on the other hand for private companies, is another story.

     

     

    signature_2449658008

       

    Frank M. Delker, CPA, CISA, CIPM 

    Sr. Director of Compliance

     

     

     

     




    Original Message


  • 9.  RE: SOC Report

    Posted 03-11-2024 06:29 AM

    This is not true. I receive SOC 1s and SOC 2s from most of our privately held. However, financial statements are rare, so I ask for a Financial Condition Letter, which a Chief (or equivalent) needs to attest to – all of the privately helds provide these without objection. Some of these Letters are prepared by external CPAs.

     

    image003.png@01D94DD5.FC8EF3A0

     

    Gene Fox

    VP, Third-Party Risk Management Officer

    -------------------------------------------




    Original Message


  • 10.  RE: SOC Report

    Posted 03-11-2024 09:18 AM

    Agree - SOC1 and SOC2 are provided by privately held companies if available, particularly ones keenly aware of business value they provide to FI and is indicative of strong partnership to support regulatory commitments. For private companies who avoid financial transparency, a Financial Condition Letter in addition to 1:1 CFO:CFO discussions - i.e. walking through key numbers is a quite possible. The FI CFO can then attest to the confidence of the FCL. In some instances, based on the strategic importance/significance and financial viability risk of the privately held third party to the FI, lack of financial transparency can be showstopper for onboarding; or flag contingency plan considerations for existing.  Need for financial provisions should be contemplated in many agreements.


    Original Message


  • 11.  RE: SOC Report

    Posted 03-07-2024 10:05 AM

    It is going to be different by SOC Report (and make sure they provide a Type 2 and if not, provide a justification as to why not). The following is just a starting point but should give you an idea for each:

     

    SOC 1 Type 2: Our organization relies on your company [obviously, you can personalize this for names and such] to process, value, account for, etc., transactions on our behalf. These transactions are recorded in our financial statements and as such, we will need to understand your company's Internal Controls over Financial Reporting, which are detailed and independently tested in your SOC 1, Type 2 Report. We will also need a Bridge/Gap letter covering the end of the Report period to year-end [either December 31 if you are calendar year-end, or the date of your financial statements].

     

    SOC 2 Type 2: Your organization provides technologies, Cloud Hosting services, and/or has access to our Confidential data [including employee/customer NPPI, if applicable]. As such, we need to understand the controls that you have in place to safeguard our data, which are detailed and independently tested in your SOC 2 Type 2 Report.

     

    image003.png@01D94DD5.FC8EF3A0

     

    Gene Fox

    VP, Third-Party Risk Management Officer

    -------------------------------------------

     



    Important Message to our valued customers: Fraud, phishing and e-mail compromise are on the rise.

    Never share sensitive personal information via unsecure email. Talk to your banker about our Secure Messaging Portal.


    NOTICE TO RECIPIENTS: The information contained in and accompanying this communication may be confidential, subject to legal privilege, or otherwise protected from disclosure, and is intended solely for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that the use, distribution, disclosure or reproduction of the message or attachments, as well as any reliance thereon, is prohibited. In such a case, please notify the sender by return e-mail immediately and erase all copies of the message and any attachments. This communication does not reflect an intention by the sender, Stellar Bank ("Stellar"), to conduct a transaction or make any agreement by electronic means. Unless a specific statement to the contrary is included herein, nothing contained within either this message or any attachment shall satisfy the requirements for a writing, and nothing contained herein shall constitute a contract or electronic signature under the Electronic Signatures in Global and National Commerce Act (ESIGN), any version of the Uniform Electronic Transactions Act (UETA), or any other statute governing electronic transactions. The recipient should check this e-mail and any attachments for the presence of viruses. We accept no liability for any loss or damage from the receipt or use of any e-mail transmission. We reserve the right to monitor all e-mail communications through our network.

    We will never request that you provide personal or financial information via unsecured e-mail. Please report to us any suspicious e-mails you receive that request personal or financial information and claim to be from us.






  • 12.  RE: SOC Report

    This message was posted by a user wishing to remain anonymous
    Posted 03-07-2024 10:06 AM
    This message was posted by a user wishing to remain anonymous

    I presume you're past the threshold question: Why is the Vendor Owner considering a relationship with a key service provider that doesn't have a SOC report already?

    With that out of the way, the discussion with the prospective service provider comes down to something akin to this:

    "We require (see the contractual suggestion made earlier) that our key service providers have an independent organization verify that the controls and procedures used to perform our services meet acceptable standards and are being routinely used by your organization. We require that assurance so that we don't need to do that work ourselves AND know that your services should meet our expectations and needs."

    The questions to ask yourself are: How many other providers are there? Do those providers typically provide SOC reports? (A powerful counterargument when the candidate continues to object is to say that the competition provides these reports.) Do those SOC reports cover the services you seek? Or, is this a service that does NOT typically provide SOC reports and virtually none of the service providers have a SOC report? Because, if that's the case, you need to think about how you'll verify that their service is working properly with a well-tuned SLA.




  • 13.  RE: SOC Report

    Posted 03-11-2024 11:22 AM

    I perform third party assessments for public agency - local government, and within our policy, we do specify the following:

    • SOC 2 (Type 2)  
    • If they do not have a SOC 2 or other external audit report

    I fully expect that the vendor will have us sign an NDA in order to receive the documentation.

    Here is the wording of the request when we initiate the process:

    ITS Security will contact the Third-Party Vendor with the Third-Party Risk Assessment questionnaire, (industry standard known as the Standard Information Gathering (SIG) questionnaire) and request the following documents:

    • SSAE 18 SOC 2 Report (Privacy and Security Controls) along with an attestation bridge (gap) letter of control environment is also required - A bridge letter (also known as a gap letter) bridges the gap between the end of the last SOC 2 report audit period and the current date. 
    • For a Cloud Hosted Solution, any Cloud Security Alliance (CSA) documentation for Star Alliance, such as a CAIQ.  
    • If applicable, PCI Compliance documentation, such as Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).

    We also are adding in StateRAMP assessments/approval/authorization as this is a new requirement for SLTT community.

    Our contracts include language with an either/or/and statement around right to audit at cost to vendor or they perform an external assessment very similar to this statement: "Service Provider shall at least annually engage a qualified, independent external auditor to conduct periodic reviews of the Service Provider's organizational security practices and the effectiveness of designed controls against recognized audit standards..."

    We do inquire on the financial health of the organization, using Lenix Nexis or requesting those details from the vendor if we have concerns. 

    And we do tier third parties based on the data and risk profile, and follow the FedRAMP/StateRAMP Low guidance for scoping requirements based on the data and exposure.