This post reviews considerations for third-party risk management under AICPA SOC 2, and explains how you can meet SOC requirements through combined vendor risk assessment and third-party monitoring.
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) developed trust services criteria for organizations to use as a framework for demonstrating the confidentiality, integrity and availability of systems and data.
Organizations familiar with System and Organization Control (SOC) 2 audits will recognize that these trust services criteria are used to report on the effectiveness of their internal controls and safeguards over infrastructure, software, people, procedures, and data.
SOC 2 audits provide a comprehensive view into the following AICPA trust services categories:
Once the controls audit is complete, outputs can include two types of reports:
Organizations across multiple industries use SOC 2 reports to demonstrate due diligence to clients, differentiate themselves from competitors based on their security posture, or be proactive with auditors in measuring compliance against data protection regulations.
The SOC 2 Third-Party Compliance Checklist
This comprehensive checklist will help to simplify your third-party controls assessments against AICPA SOC 2.
Prevalent third-party risk management solutions can enable you to address the following trust services criteria:
CC2.3: The entity communicates with external parties regarding matters affecting the functioning of internal control. |
The Prevalent Third-Party Risk Management (TPRM) Platform centrally manages dialogue about risks, reporting and remediations between organizations and their third-party vendors, suppliers and partners. In addition, the Platform enables reporting, policy documents, contracts and supporting evidence to be stored for dialogue, attestation and sharing. Together, these capabilities ensure that organizations have a single repository for visualizing and managing risks, vendor documentation and remediations. |
CC3.2: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
The Prevalent TPRM Platform enables organizations to automate the critical tasks required to assess, manage, continuously monitor, and remediate third-party security, privacy, compliance, supply chain and procurement-related risks across every stage of the vendor lifecycle – from onboarding to offboarding. The solution includes the ability to issue and manage point-in-time risk assessments using more than 125 different templates, analyze the results, as well as continuously monitor third-party cyber, business, reputational, and financial risks for a holistic view of third parties. Built-in reporting templates ensure that security and risk management teams can communicate risk assessment results to executives and other decision-makers and stakeholders. |
CC3.4: The entity identifies and assesses changes that could significantly impact the system of internal control. |
The Prevalent Platform leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more during offboarding to ensure that as agreements change, so do responsibilities. In addition, Prevalent offers Contract Essentials, a solution that centralizes the distribution, discussion, retention, and review of vendor contracts. It includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding. |
CC9.2: The entity assesses and manages risks associated with vendors and business partners. |
CC9.2: The entity assesses and manages risks associated with vendors and business partners. The Prevalent Platform enables organizations to automate the critical tasks required to assess, manage, continuously monitor and remediate third-party security, privacy, compliance, supply chain and procurement-related risks across every stage of the vendor lifecycle – from onboarding to offboarding including:
|
P6.4: The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary. |
Prevalent includes built-in assessments for data protection regulations such as GDPR, CCPA, HIPAA and NYDFS. Results from these assessments are mapped into a central risk register where security and risk management teams can visualize and take action on potential risks to data and compare a vendor’s actions against their contractual obligations. The Prevalent Platform includes built-in remediation guidance and recommendations. Security and risk management teams can efficiently communicate with vendors and coordinate remediation efforts through the Platform, capture and audit conversations, and record estimated completion dates. |
P6.5: The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident-response procedures to meet the entity’s objectives related to privacy. |
The Prevalent Third-Party Incident Response Service enables security and risk management teams to rapidly identify and mitigate the impact of data privacy incidents by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance. |
Align Your TPRM Program with ISO, NIST, SOC 2 and More
Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
The AICPA SOC 2 report is an industry-standard framework for IT services companies to assess their controls over customer data. Since some organizations that lack internal resources for responding to security assessments will provide a SOC 2 report to their customers instead, it can be time-consuming and complex for teams to map SOC 2 report results into a risk management solution for proper risk tracking.
With Prevalent, you can address SOC 2 third-party risk management requirements by:
We also offer a SOC 2 Exception Analysis Service, which is a managed service delivered by the Prevalent Risk Operations Center (ROC) that transposes SOC 2 report control exceptions into risks in the Prevalent Third-Party Risk Management Platform. The resulting unified risk register enables coordinated risk response and remediation following a standardized approach and ensures that you have a comprehensive profile of all vendors – even for those that submit a SOC 2 report in lieu of a full security assessment.
To learn more, visit our SOC 2 solutions page or request a demo today.
Leverage these best practices to address NIS2 third-party risk management requirements.
12/03/2024
Ask your vendors and suppliers about their cybersecurity risk management, governance, and incident disclosure processes to...
10/24/2024
Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check...
09/25/2024