Due Diligence and Ongoing Monitoring

Hello Everyone, 

I'm the Contract Administrator for a technology company that specializes in human capital management. This is my first post although I actively read your posts, which are incredibly valuable in so many ways, which is why I'm coming here today on a topic I do not recall being discussed. If it has, please let me know where I can find the conversation. 

The conundrum: We've encountered a precedent this week. A new vendor for tax notice management is a fairly new company (less than one-year-old) and, among other things, does not have a completed SOC I report. The due diligence they already provided to us is predominately their internally composed documents (BCP, etc), which is a red flag in and of itself. Insurance is ok although I'd like higher limits given the subject matter. Couple that info with no SOC I, and I'm preparing to recommend the requesting department look for another vendor (think lead balloon). 

In the interim, I am interested to know how any of you have handled similar encounters. Is there something the vendor can provide to us other than an engagement letter from the SOC auditor? Is there such a thing as a preliminary SOC I report?

Your feedback is greatly appreciated. 

Kindest regards, 

Lynn

This message was posted by a user wishing to remain anonymous

If not done already, send a DDQ that asks the questions that you would review in a SOC report. 

What you primarily seem to be seeking (an independent review), simply doesn't exist. Asking the questions that cover your main concerns is the best available option here. It will take this new vendor a full year to implement a SOC program (at least).

If that approach leaves you unsatisfied, to address the lead balloon, you're going to have to demonstrate that the risks of this vendor are too high. Having a set of bland (or no) responses to fairly standard DDQ questions on information security should be enough to document what was attempted. If the decision to proceed is made somewhere above your pay grade, you'll know that you tried.
Original Message:
Sent: 10-13-2022 09:52 AM
From: Lynn Lancaster
Subject: Options when there's no SOC Report

Hello Everyone, 

I'm the Contract Administrator for a technology company that specializes in human capital management. This is my first post although I actively read your posts, which are incredibly valuable in so many ways, which is why I'm coming here today on a topic I do not recall being discussed. If it has, please let me know where I can find the conversation. 

The conundrum: We've encountered a precedent this week. A new vendor for tax notice management is a fairly new company (less than one-year-old) and, among other things, does not have a completed SOC I report. The due diligence they already provided to us is predominately their internally composed documents (BCP, etc), which is a red flag in and of itself. Insurance is ok although I'd like higher limits given the subject matter. Couple that info with no SOC I, and I'm preparing to recommend the requesting department look for another vendor (think lead balloon). 

In the interim, I am interested to know how any of you have handled similar encounters. Is there something the vendor can provide to us other than an engagement letter from the SOC auditor? Is there such a thing as a preliminary SOC I report?

Your feedback is greatly appreciated. 

Kindest regards, 

Lynn

Given that the company is less than 1year old, I'm not super surprised they don't have a SOC.  I think the suggestion of a DDQ is a good one, if you don't have one developed you could also ask if they have a SIG or SIG lite or a CAIQ (Consensus Assessment Initiative Questionnaire) if they are providing IaaS, PaaS, and SaaS (or ask for all of the above).  I would also request the supporting documentation, such as policy and procedures, for any questionnaire. 

It might be helpful to dig deeper into why this vendor was selected, if they are a fintech or have an innovative unique product/service.  When we work with fintechs or start-ups we take a look at where they are in their business development and maturity and think about how we can evidence appropriate controls based on where they are.  We also spend time to understand their roadmap- they may not have a SOC now as an example, are they planning to get one, where in that process are they, will they commit to that in writing?  For us, the additional risk of working with a start-up or fintech and not having some or even allot of due diligence that we would expect from an established or more mature firm may be worth it if we think the product or services is innovative or unique.

I would also suggest digging into their third party providers, given how new they are they may be significantly relying on third parties.  You can evidence those third parties (your fourth parties) as well to include obtaining SOC reports.

Finally, anytime we make an exception to our third party risk policy, such as approving a vendor based on alternative due diligence, we always document to include approval from head of TPRM or CRO depending on the risk of the relationship.  

Shelly




------------------------------
Shelly Chase
AVP Operational Risk
------------------------------

Original Message:
Sent: 10-13-2022 09:52 AM
From: Lynn Lancaster
Subject: Options when there's no SOC Report

Hello Everyone, 

I'm the Contract Administrator for a technology company that specializes in human capital management. This is my first post although I actively read your posts, which are incredibly valuable in so many ways, which is why I'm coming here today on a topic I do not recall being discussed. If it has, please let me know where I can find the conversation. 

The conundrum: We've encountered a precedent this week. A new vendor for tax notice management is a fairly new company (less than one-year-old) and, among other things, does not have a completed SOC I report. The due diligence they already provided to us is predominately their internally composed documents (BCP, etc), which is a red flag in and of itself. Insurance is ok although I'd like higher limits given the subject matter. Couple that info with no SOC I, and I'm preparing to recommend the requesting department look for another vendor (think lead balloon). 

In the interim, I am interested to know how any of you have handled similar encounters. Is there something the vendor can provide to us other than an engagement letter from the SOC auditor? Is there such a thing as a preliminary SOC I report?

Your feedback is greatly appreciated. 

Kindest regards, 

Lynn