Understanding the COSO 2013 17 Principles in Vendor SOC Reporting

5 min read

COSO 2013 was way ahead of its time. Given that, it’s even more interesting to note that it took until 2019 for the COSO 2013 Principles to be applied to SOC 2 audits. Those of us who have been in the vendor management world for many years have had a front-row seat to the development and maturation of third-party risk management, what it means to us and what our regulatory agencies expect of us.

Just as some of the Trust Services Principles controls in the previous generation of SOC 2 reporting overlapped with one another, the COSO 2013 principles and the Trust Services Criteria often overlap and build on each other. The benefit of this incorporation is a more granular look at existing controls and the addition of new, much-needed controls.

The Trust Services Criteria (TSC) are the following:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

5 Main Components of COSO 2013 Principles

Below, you’ll find a breakdown of the COSO 2013 principles and what we as vendor management professionals look for in the SOC 2 report when reviewing it to determine whether these areas are covered. The 17 principles fall into 5 main components:

1. Control Environment

  • Demonstrate commitment to integrity and ethical values
    • Does your vendor have an established code of ethics?
    • Are employees required to acknowledge it?
  • Ensure the board exercises oversight responsibility
    • Is the vendor’s board of directors independent of management?
    • Are the members qualified and do they understand the business they’re responsible for governing?
    • Do they meet on a regular basis?
  • Establish structures, reporting lines, authorities and responsibilities
  • Demonstrate commitment to a competent workforce
    • Does the vendor conduct background screening on employees?
    • Are employees required to acknowledge governing policies and participate in regular security training?
  • Hold people accountable
    • Does the vendor make governing policies available to employees?
    • Are annual performance assessments conducted?

2. Risk Assessment

  • Specify appropriate objectives
    • Has the vendor established appropriate control objectives?
    • Is there an enterprise risk management program in place?
    • Is this program reviewed and updated at least annually?
    • Has the vendor established a strategic plan and an information technology strategic plan?
  • Identify and analyze risks
    • Does the vendor conduct regular penetration testing and vulnerability assessments?
    • Is this testing conducted by a third party?
    • Are third-party providers assessed against the vendor’s policy on the applicable trust criteria?
  • Evaluate fraud risks
    • Is there an enterprise risk management program in place?
    • Does the program consider the potential for fraud in its risk assessments?
    • Does the program consider various types of fraud?
  • Identify and analyze changes
    • Is this program reviewed and updated at least annually?
    • Does the program consider changes in the external environment, the overall business model as well as changes in leadership and execution?

3. Control Objectives

  • Select and develop control activities that mitigate risk
    • Is there an enterprise risk management program in place?
    • Is this program reviewed and updated at least annually?
    • Does the vendor have an internal audit plan?
    • Are findings reported to management and the board of directors?
    • Does the vendor have established follow-up procedures for identified deficiencies or vulnerabilities?
  • Select and develop technology controls
    • Are the vendor’s management and personnel aware of their responsibilities based on the trust services criteria selected?
    • Are policies reviewed and approved regularly?
    • Is logical access based on roles and responsibilities?
  • Deploy control activities through policies and procedures
    • Does the vendor maintain an incident response program?
    • Are policies reviewed and approved regularly?

4. Information and Communication

  • Use relevant, quality information to support the internal control function
    • Does the vendor’s management meet regularly to discuss whether security and confidentiality requirements are being met?
    • Are policies reviewed and approved regularly?
    • Does the vendor conduct regular security assessments?
  • Communicate internal control information internally
    • Are the vendor’s management and personnel aware of their responsibilities based on the trust services criteria selected?
    • Are policies reviewed and approved regularly?
    • Does the board of directors maintain independence and review the actions of management and operational staff?
    • Has the vendor established procedures to document, log and remediate identified vulnerabilities and incidents?
  • Communicate internal control information externally
    • Does the vendor use an ethics hotline for reporting?
    • Is there a change notification process used to communicate changes to external parties?
    • Does the vendor maintain formal contracts with third-party vendors and are these relationships monitored?
    • Has the vendor established procedures to document, log and remediate incidents?

5. Monitoring

  • Perform ongoing or periodic evaluations of internal controls – or a combination of the two
    • Does the vendor conduct regular security assessments?
    • Are they performed by a third party?
    • Does the vendor have defined equipment build lists?
  • Communicate internal control deficiencies
    • Does the vendor have established follow-up procedures for identified deficiencies or vulnerabilities?
    • Are these findings reported to management and to the board of directors?

These are the types of questions you should be asking yourself and thinking critically about as you review a vendor’s SOC 2 audit report. Doing so will help you see the big picture and judge whether the controls in place are sufficient and effective.
