SSAE 18, issued in May 2017, was created to clarify the auditing standards and to reduce duplication among the similar standards covering examinations, reviews and agreed-upon procedure engagements, specifically SSAE Nos. 10-17. Those standards now fall under SSAE 18.
It supersedes SSAE 16 and condenses the other standards into a more manageable form. Rather than referring to SSAE 16, it is best to refer to the reports themselves as System and Organization Controls (SOC) reports: SOC 1 Type I or Type II and SOC 2 Type I or Type II. The new guidance also brings additional material you can use in your vendor management process.
The Differences Between Vendor SOC Reports
The uses are meant to be different between SOC 1, SOC 2 and SOC 3. These include:
- SOC 1: Attests that the controls at a service organization (your vendor) that are relevant to your internal control over financial reporting are in place (Type I) and operating effectively (Type II).
- SOC 2: Meant for a much broader audience and covers many more IT controls. SOC 2 also follows the Trust Services Criteria (Availability, Confidentiality, Processing Integrity, Security, and Privacy), which makes it more structured and consistent.
- SOC 3: Meant for general use and may be published openly on a vendor’s website if the vendor chooses. A SOC 3 contains much less detail and does not include the controls or the testing performed on them. It can be used for initial vendor vetting, but a SOC 1 and/or SOC 2 should be reviewed before a vendor is selected.
SSAE 18 Addresses Fourth Parties
Under SSAE 18, SOC reports must identify and include Complementary Subservice Organization Controls where applicable, that is, whenever your vendor relies on one of its own critical third parties to deliver a service to you (in other words, your fourth party). The good news is that your vendor must now be clearer about how it is meeting its own vendor management obligations.
So, what does this really mean? If your third party vendor uses a subservice provider that is critical to your organization’s delivery of products or services, that subservice provider must be identified within the vendor’s SOC report. As a result, you will be better able to manage your organization’s fourth party vendors.
SSAE 18 Helps Protect Your Organization
Ways SSAE 18 helps protect you are:
- Guarantees that your third party fully discloses the fourth parties critical to your operations, so that you are aware of them
- Clearly identifies the responsibilities your third party relies on fourth parties to fulfil
- Gives you a better understanding of how your third party manages its fourth parties, so you can confirm there are no gaps you need to be concerned about
When Should You Review a Fourth Party SOC Report?
You should complete due diligence on your fourth party vendors. Therefore, you should collect and review fourth party SOC reports. But, which ones?
- Review the fourth party’s SOC report whenever the services it provides could directly affect your business. For example, if your vendor uses a fourth party for data center services, your data may now sit outside the boundaries of your contract with your vendor. Likewise, if your vendor relies on a fourth party for information system controls, server security, network security, patch management and the like, and that fourth party fails to do its job, your data is at risk, which ultimately affects your business.
- Review it when the fourth party provides a “make or break” service to your vendor, such as data center or information system services, or when your vendor is simply a reseller of another vendor’s product.
Who Is Responsible for Obtaining a Fourth Party SOC Report?
SOC 1 and SOC 2 reports are considered confidential. Sometimes the fourth party vendor will not provide you with its due diligence information, because your business is not its client. It is the responsibility of your third party vendor to provide you with the fourth party’s SOC report(s) and additional due diligence documentation, and that obligation should be written into your contract. You can also point to resources such as OCC Bulletin 2017-21. Be aware that the OCC uses the term “subcontractor”; it means the same thing as fourth party.
When a fourth party provides a critical service to your vendor, contact your vendor and request the necessary fourth party SOC report, or a due diligence package if a SOC is unavailable. Again, you should be reviewing and analyzing critical fourth party SOC reports, just as you would if the fourth party was your direct vendor.
In addition, if the fourth party’s SOC report lists Complementary User Entity Controls (CUECs), verify that your third party has taken those controls into consideration and reviews them regularly, so that all bases are covered.
Don’t Let Your Fourth Party Be a Weak Link
Even when you have no direct contractual relationship with a vendor, understanding a fourth party’s controls can be just as important, because a gap in its information security could directly impact your organization.