SAS 70, SSAE 18 and now the Vendor SOC 2 Alignment with COSO…Oh My!


Just as the world is constantly changing, so is the world of vendor management. Thankfully, the world of vendor management is changing to improve vendor security and oversight for the better via SOC 2 reports! We’re going to delve further into what we mean and why it’s important.  

Vendor Security and Oversight Changes

So, what’s the big change? And what do you need to look for?

First, let’s recap a couple of the most eye-catching changes announced in 2017 that also come into play here:

  1. Renaming of Trust Services Principles (TSP) to Trust Services Criteria (TSC)
  2. Renaming the SOC acronym – transitioning from Service Organization Controls to System and Organization Controls

Many have been using these terms since.

The latest major change, announced by the American Institute of Certified Public Accountants (AICPA), focuses on improving vendor security and oversight: the SOC 2’s alignment with Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013.

If you’re not familiar, COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public entities and their independent auditors, for the SEC, other regulators and for educational institutions.

In 2013, there was an update to the Internal Control — Integrated Framework, as it’s called, which helps organizations design and implement internal control in light of the many changes in business and operating environments since the issuance of the original framework in 1992. The update broadened the application of internal control in addressing operations and reporting objectives and clarified the requirements for determining what constitutes effective internal control.

3 Important Things to Know About the SOC 2 Alignment with COSO

Three important things that you should know about the SOC 2 alignment with COSO are:

  • Again, it only affects SOC 2 reports.
  • The changes affect reports with review periods ending after December 15, 2018.
  • With the addition of COSO, there are more specific control requirements that fall under the existing Trust Services Criteria, which evaluate security, availability, processing integrity, confidentiality and privacy. The evaluation can now include the entire entity, the entity’s subsidiaries and more, so it goes a level deeper.

5 Components of COSO 2013

There are five components of COSO 2013. They are:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring

There are 17 principles that fall under these five components. The two main components that impact the SOC 2 reports are risk assessment and control activities. Let’s discuss both further:

  • Risk Assessment requires that the vendor establish an appropriate risk assessment program. This component states that your vendor should identify, select and develop risk-mitigating activities that will better allow your vendor to manage risks arising from possible business interruptions and the use of third-party vendors and business partners.
  • Control Activities require your vendors to develop control activities that assist them in the mitigation of risks through appropriate policies and procedures, either through business processes or the use of technology.

The SOC 2 layout follows a common standard format, but there are slight variations depending on who prepared the report, and those variations determine how you’ll see the change reflected. With that said, the report should identify how the Trust Services Criteria are mapped to the COSO 2013 Principles. Basically, it goes a step further and ties the TSC to the COSO principles.

To help you better understand how the report will incorporate the COSO 2013 Principles, here’s a good example regarding the Security TSC with COSO Principles incorporated:  

COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

COSO Principle 3: Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.

COSO Principle 4: The entity demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.

COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

And finally, tying it together, all will be mapped to Criteria Group 1. These are the five COSO principles that will now be tied to the Security TSC.

Overall, we live in a constantly changing world where the regulatory environment needs to remain fluid. Ultimately, it’s our combined responsibility to verify that our vendors are abiding by these new SOC 2 reporting practices. Fortunately, for your customers and organization, these changes are resulting in enhanced controls that aim to protect us all!
