Due Diligence and Ongoing Monitoring

Hi,

We have a relatively mature information security third party risk mgmt practice up and running for more than 6 yrs now. We conduct third party risk assessments mainly using CAIQ and SIG as part of the vendor onboarding process and subsequent monitoring. To date none of our third party IT solutions with been marked as within scope of our SOX compliance requirements. I'm anticipating this will change and would like to be ready. Naturally, we have internal IT controls that we operate for our internal SOX compliance and we could look to drive these controls down into our IT solution providers (mainly offprem SaaS in this case) but I was curious what others are doing. Do you have special procedures for evaluating whether your SaaS IT service providers are SOX compliant? I'm sure many companies have already been down this road so I thought I'd raise this here to see what the collective wisdom reveals. Many thanks in advance for any information shared. Cheers, 

Stuart

Hi Stuart – 

One way we see our customers incorporating vendor SOX compliance into their programs is by reviewing SOC reports, and more typically, SOC 1 reports as their purpose is to review internal controls over financial reporting. Section 404 of SOX concerns such internal controls over financial reporting; thus SOC 1 reports assist with SOX compliance. Vendors with impact to your internal controls over financial reporting should have a SOC 1 report, though that may not always be the case. In conversations I've had with different audit firms, I've received differing opinions on the acceptance of SOC 2 reports where a SOC 1 report would be more appropriate. That said, a SOC 2 should be better than no SOC report at all. We're always interested in hearing how others are handling these scenarios, so I look forward to seeing other responses as well.

I am in agreement with the prior response.  When we identify that a supplier has an impact on our company's SOX (i.e. accuracy of financial reporting), we request and review the supplier's SOC 1 report.  Depending on if other risk criteria are present (i.e. the supplier has access to confidential information), we may need to review a SOC 2 as well.  If no SOC report is available, then we document the internal controls that our organization has put into place.