There’s a common saying that a chain is only as strong as its weakest link. This is a useful way to think about your vendor management program. A single vendor can expose your organization to significant risk, but what about the links you can’t see? Each of your vendors has vendors of its own, also known as your fourth parties.
Although you don’t have a contract with your fourth parties, this doesn’t mean they’re exempt from your vendor risk management activities. Certain fourth parties may provide products or services that directly affect your organization, in which case you’ll want to review their SOC report.
Why Fourth-Party Vendor SOC Reviews are Essential
Reviewing your fourth party’s SOC report might seem like a time-consuming task that doesn’t provide much value, but this process can help confirm the following critical details:
- The fourth party has controls in place. If a fourth party has access to your organization’s or your customers’ data, you need confirmation that it has controls in place to protect its system.
- The fourth party’s controls are operating effectively. The existence of a fourth party’s controls is just the first step; you also need to confirm that they’re effective.
- The fourth party’s controls have gone through independent testing. It never hurts to have an outside perspective on any of your third or fourth parties. This gives you an unbiased opinion on whether the vendor’s controls are effective.
3 Examples of When You Should Review a Fourth Party's SOC Report
Obtaining a fourth party’s SOC 1 or SOC 2 report can be challenging because these are restricted-use, confidential documents. The fourth-party vendor won’t typically provide them to anyone who isn’t a direct client – including your organization. Therefore, you’ll often need to obtain this information through your third-party vendor, with whom you do have a direct relationship.
The following are examples of when you should obtain the information from your third-party vendor and review your fourth party’s SOC report:
- If the fourth party is used by one of your critical vendors, since your organization might be impacted during a service outage or other unexpected event.
- If a vendor uses a subservice organization for data center services, your data is now outside the boundaries of your contract with the vendor.
- If a vendor uses a subservice organization for information system controls, server security, network security, patch management, etc., your data will be at risk if that fourth party doesn’t do their job effectively. This ultimately affects your organization, so it’s important to review the fourth party’s SOC report.
Steps to Properly Reviewing a Fourth Party’s SOC Report
Before you begin, you’ll need to review your vendor’s SOC report to identify your fourth parties. This should be straightforward, as SSAE 18 requires the service organization to identify its subservice organizations and to state whether each is included in the report or carved out. Pay particular attention to carved-out subservice organizations: their controls were not tested as part of your vendor’s audit, and the report will list the complementary subservice organization controls (CSOCs) your vendor relies on them to perform. Focus on the fourth parties that provide a critical product or service to your vendor, such as a data center or information system service provider. These are the fourth parties that you should be reviewing in more detail, so ask your third-party vendor to provide their SOC reports.
Your subject matter experts (SMEs) are crucial to the review process. You should use a qualified expert or team of experts who have the capability and knowledge to review the SOC report.
Let’s now discuss the steps:
First step: Verify the report’s date and make sure you’re reviewing the most current version. For Type I reports, which cover a point in time, this should be no older than one year. Type II reports cover a period of time, usually six to twelve months. You may need to request a Bridge/Gap Letter if there’s a gap in “coverage” for the SOC report, or a significant amount of time has passed since the end of the audit period. Keep in mind that a bridge letter is a statement from the service organization’s management that no material changes have occurred since the period ended; it is not tested by the auditor, so it extends coverage only until the next report is issued.
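The following is an added example of how this date check can be automated across a vendor and its subservice organizations; it is not code from the original article. The one-year limit for Type I reports and the six-to-twelve-month Type II period come from the text above. The 90-day tolerance before requesting a bridge letter, the 365-day limit after which a report is treated as stale regardless of bridge letters, and the sample vendor chain are assumptions for illustration.

```python
"""Flag stale SOC reports and coverage gaps for a vendor and its fourth parties.

Added example, not from the original article. Thresholds marked 'assumption'
are illustrative; the Type I one-year rule is the article's.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

MAX_TYPE1_AGE_DAYS = 365          # article: Type I report no older than one year
BRIDGE_LETTER_GRACE_DAYS = 90     # assumption: gap after period end we accept without a bridge letter
MAX_COVERAGE_GAP_DAYS = 365       # assumption: beyond this, ask for the next report, not a bridge letter


@dataclass
class SocReport:
    org: str
    soc_type: int                          # 1 = SOC 1, 2 = SOC 2
    report_type: int                       # 1 = point in time, 2 = period of time
    as_of: Optional[date] = None           # Type I: date the controls were evaluated
    period_start: Optional[date] = None    # Type II: audit period
    period_end: Optional[date] = None
    # Date a bridge letter extends coverage to. It is management's assertion,
    # not auditor-tested, so it only shifts the point from which the gap is measured.
    bridge_letter_through: Optional[date] = None
    # Reports of carved-out subservice organizations (your fourth parties).
    subservice_reports: list[SocReport] = field(default_factory=list)


def assess(report: SocReport, review_date: date) -> str:
    """Return 'current', 'request bridge letter' or 'stale' for one report."""
    if report.report_type == 1:
        age = (review_date - report.as_of).days
        return "current" if age <= MAX_TYPE1_AGE_DAYS else "stale"
    covered_through = report.bridge_letter_through or report.period_end
    gap = (review_date - covered_through).days
    if gap > MAX_COVERAGE_GAP_DAYS:
        return "stale"
    if gap > BRIDGE_LETTER_GRACE_DAYS:
        return "request bridge letter"   # new or updated letter from management
    return "current"


def period_length_warning(report: SocReport) -> Optional[str]:
    """Warn when a Type II period falls outside the usual six to twelve months."""
    if report.report_type != 2:
        return None
    days = (report.period_end - report.period_start).days
    if days < 180 or days > 366:
        return f"{report.org}: unusual Type II period of {days} days"
    return None


def review_chain(vendor: SocReport, review_date: date) -> dict[str, tuple[str, str]]:
    """Map each organization in the chain to (role, status)."""
    results = {vendor.org: ("third party", assess(vendor, review_date))}
    for sub in vendor.subservice_reports:
        results[sub.org] = ("fourth party", assess(sub, review_date))
    return results


def sample_chain() -> SocReport:
    """Constructed sample data: one vendor with two carved-out fourth parties."""
    data_center = SocReport("ExampleDC", 2, 2,
                            period_start=date(2023, 4, 1), period_end=date(2023, 9, 30))
    patching = SocReport("ExamplePatchCo", 1, 1, as_of=date(2023, 2, 15))
    return SocReport("ExampleVendor", 2, 2,
                     period_start=date(2023, 1, 1), period_end=date(2023, 12, 31),
                     bridge_letter_through=date(2024, 3, 31),
                     subservice_reports=[data_center, patching])


if __name__ == "__main__":
    today = date(2024, 4, 15)
    for org, (role, status) in review_chain(sample_chain(), today).items():
        print(f"{org} ({role}): {status}")
```

Run against the constructed chain with a review date of 2024-04-15, the vendor is current thanks to its bridge letter, the data center’s Type II period ended about six months earlier and needs a bridge letter, and the Type I report from the patching provider is over a year old and should be replaced before you rely on it.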
Second step: Understand how to read the auditor’s opinion, which is generally categorized as unqualified, qualified, a disclaimer, or adverse. These specific words might not be used, so it’s helpful to understand the meanings:
- Unqualified opinion – The “baseline” state of a SOC report. The auditor found the system description fairly presented and the controls suitably designed (and, for Type II, operating effectively throughout the period).
- Qualified opinion – The auditor found a material problem that is limited in scope, such as a control objective or criterion that wasn’t met or a portion of the description that isn’t accurate, but the rest of the report stands.
- Disclaimer – The auditor couldn’t obtain enough evidence to form an opinion, for example because of a scope limitation, so the report neither confirms nor refutes that the controls were in place and working.
- Adverse opinion – The most serious result and a red flag: the auditor concluded that the description is materially misstated or that the controls are not suitably designed or operating effectively, and the problems are pervasive rather than isolated.
Pro Tip: Ask your vendor for additional information on your fourth party’s controls if you see any disclaimers or qualified or adverse opinions in the SOC report.
Third step: Thoroughly examine the fourth party’s controls, which will generally include the following details:
- Management’s assertion – This is a written statement from the fourth party’s management describing its system at a high level and asserting that the system description is fairly presented and that the controls are suitably designed (and operating effectively, for Type II). It is management’s claim, and the auditor’s opinion states whether that claim holds up.
- Description of system and controls – The fourth party should provide information such as its security training and policies, along with the board of directors or executive leadership’s involvement in its risk management activities. You may also see evidence of complementary user entity controls (CUECs), which are controls that your vendor is responsible for implementing. You’ll want to regularly verify that your vendor has implemented these if they’re listed in your fourth party’s SOC report.
- Control objectives, activities, and testing – These details will provide evidence that the audit firm has tested the controls and whether they meet their objectives. You’ll want to note any exceptions found and determine their impact.
Overall, it’s essential to have a solid understanding of your fourth party’s entire control structure because their activities can impact your organization. Reviewing a fourth party’s SOC report can prevent unwanted exposure to risk that comes from an extension of your direct vendor environment.