Vendor management keeps changing, and one recent change is improving vendor security and oversight: the way SOC 2 reports are structured. This post explains what changed and why it matters to anyone who relies on vendor SOC 2 reports.
So, what is the big change, and what should you look for in a report?
First, let’s recap a couple of the most eye-catching changes announced in 2017 that also come into play here:
Many have been using these terms since.
The latest major change, announced by the American Institute of Certified Public Accountants (AICPA), is aimed squarely at vendor security and oversight: the alignment of SOC 2 with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 framework.
If you’re not familiar, COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public entities and their independent auditors, for the SEC, other regulators and for educational institutions.
In 2013, COSO updated its Internal Control — Integrated Framework, which helps organizations design and implement internal control in light of the many changes in business and operating environments since the original framework was issued in 1992. The update broadened the application of internal control to operations and reporting objectives and clarified the requirements for determining what constitutes effective internal control.
Three important things that you should know about the SOC 2 alignment with COSO are:
There are five components of COSO 2013. They are:
Seventeen principles fall under these five components. The two components that most directly shape SOC 2 reports are risk assessment and control activities. Let’s discuss both further:
SOC 2 reports follow a common layout, but the exact presentation varies slightly depending on which firm prepared the report, and that determines how you will see the change reflected. Regardless of layout, the report should now identify how each Trust Services Criterion is mapped to the COSO 2013 principles. In other words, it goes a step further than before and ties the TSC directly to the COSO principles.
To help you better understand how the report will incorporate the COSO 2013 Principles, here’s a good example regarding the Security TSC with COSO Principles incorporated:
COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
COSO Principle 3: Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.
COSO Principle 4: The entity demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Tying it together: these five principles make up COSO’s control environment component, and in the report they are mapped to Criteria Group 1 of the Security TSC. When reviewing a vendor’s report, check that each of these five principles is addressed under that group rather than assumed.
The regulatory environment will keep moving, and it is our shared responsibility to verify that our vendors’ SOC 2 reports reflect these updated reporting practices. For your customers and your organization, the payoff is reports that document controls more completely and make vendor oversight easier.
Need a better breakdown of vendor SOC report terms? Download the dictionary.