The business discipline of vendor management, or the process of driving value out of vendors through a structured approach, has long been inching its way into new territories. Procurement departments have largely adopted the vendor management framework and data protection regulations, such as GDPR, have begun to acknowledge the importance of integrating vendor risk management.
Not surprisingly, the auditing and attestation standards released by the American Institute of Certified Public Accountants (AICPA) have also evolved dramatically over the past few decades to stress the importance of vendor relationship and risk management. This point is made clear by the AICPA’s newest project in development – the System and Organization Controls (SOC) for Vendor Supply Chains.
But this wasn’t always the case. Once upon a time, before the term ‘vendor management’ had even been coined, vendor oversight often took a back seat to a company’s internal needs or was ignored altogether. The epiphany that an entity’s vendors presented it with financial, operational, and reputational risk – and therefore should be managed/scrutinized – did not happen overnight.
This shift in perception was the product of a rapidly-changing business environment and the accompanying increase in the process of outsourcing. It was soon recognized that service vendors, such as those which process transactions and/or data for a customer (user-entity), would need to be scrutinized as closely as an in-house department would be, if not more so. In order to standardize this process and the criteria surrounding it, the AICPA stepped in.
Thus, the stone age of vendor management was over and its bright future was carved out. The standardization of service vendor oversight evolved quite rapidly soon after. We’ll guide you through this transformation, beginning with the first widely adopted standard for service organization audits, Statement on Auditing Standards (SAS) No. 70.
SAS No. 70 (1992)
Before SAS 70, a company’s relationship with its service vendors was largely disconnected. The company would outsource a service such as payroll processing to the cheapest or most convenient vendor and call it a day. At some point, it became clear that this wasn’t good enough and that placing full faith in vendors wasn’t exactly business-savvy. These service vendors were processing the user entity’s data frequently and thus presented a serious operational, financial, and security risk to that organization. Thus, the SAS 70 was born and service organization audits became widespread as user entities demanded more transparency into their vendors’ internal control environment.
SSAE No. 16 (2010)
Fast-forward almost twenty years to the AICPA’s replacement for SAS 70 – the Statement on Standards for Attestation Engagements (SSAE) No. 16. This new standard for service organization reports fulfilled the demand for enhanced insight into service vendors’ internal controls. Service vendors were held to a higher standard during audits, and vendor relationships were strengthened with the release of the Service Organization Control (SOC) reports.
These reports streamlined communications between service vendors and their user entities. They also offered more transparency into control environments: SOC 1 reports cover controls relevant to a user entity’s financial reporting, while SOC 2 reports evaluate controls against specific criteria relating to security, availability, processing integrity, confidentiality, and privacy. Once again, the idea that vendors present a security risk to their user entity was reinforced.
However, fourth-party risks were still largely ignored. What if a service vendor’s own vendor (fourth-party) failed to uphold a secure control system? In that case, the user entity would be threatened by fourth-party risk. At this point in time, organizations typically weren’t looking so far down the food chain.
SSAE No. 18 (2017)
When the expanded attestation standard (SSAE 18) took effect in 2017, it once again changed the way user entities viewed their relationships with their service vendors. In doing so, it created new life for vendor management. SSAE 18 requires service organizations to practice diligent vendor management themselves: they must monitor the controls of their own vendors (subservice organizations) just as closely as their customer (the user entity) is examining them. Confusing, we know, but it’s also important to understand. Service vendors must now prepare evidence of due diligence reviews, risk assessments, performance reviews, and ongoing oversight of their subservice organizations for their audits and reports. For the first time, vendor relationships form a chain of oversight, and vendor management is truly transparent.
If your organization works with a service organization that has access to private information, financial transactions, or any type of restricted data, be sure to request a SOC 2 report from them. We emphasize this simply because it is such an easy task that is too often neglected. Ask for a Type II report, which tests whether controls operated effectively over a period of months rather than describing them at a single point in time, and when you receive it, check the report period and the systems in scope, read the auditor’s opinion and any exceptions noted, note which subservice organizations are carved out of the report, and review the complementary user entity controls that the vendor expects you to implement on your side. This report will provide priceless insight into the controls (or lack thereof) and risk management practices employed within the vendor that you trust with your data, your customers’ data, and thus your reputation. It’s worth looking into.
SOC for Cybersecurity (2017)
This nearly brings us to the present state of vendor management. User entities now have transparent insight into the internal controls of their vendors. They also, thanks to the requirements placed on the service organization’s vendor management program, have insight into the controls and risks associated with their vendors’ vendors (fourth parties). However, who really has access to this information? In reality, a SOC 2 report is a restricted-use document: access is typically limited to the audited service organization and a few people at the user entity – not very transparent after all. With all of the data breaches covering the headlines in the past couple of years and the outrage from victimized customers, this scope of access was just not good enough by itself.
So, the AICPA also released the SOC for Cybersecurity examination and report in 2017. This came with a framework to standardize cybersecurity risk management reporting across the board, as well as a much broader scope of access: it is a general-use report rather than a restricted-use one. It is intended for the boards of organizations that want assurance their data (and reputation) is in safe hands, and for customers or investors who want to do their due diligence before committing to a company. For once, anyone looking to seriously assess the risk of doing business with a company can.
SOC for Vendor Supply Chains (TBD)
The AICPA has announced a forthcoming release of a new report, this time for vendor supply chains. The goal of this report is to shed some light on the risks underlying the increasingly complex global supply chain and how vendor management processes can contain that risk. The specifics of the next SOC release have yet to be announced by the AICPA; however, one thing is clear. Whatever it contains, the report will help to mitigate more risk and further evolve the discipline of vendor management. As businesses, supply chains, and risks continue to evolve and become increasingly complex, vendor management practices will adapt with them. The past makes that apparent, and it will continue to ring true going forward.
If you have questions about standards, reports, or vendor management, please don’t hesitate to reach out to us here.
Author: Tom Rogers
Job Title: CEO
Organization: Vendor Centric
Tom is the founder and CEO of Vendor Centric. He has been a trusted advisor to nonprofit organizations for 30 years, with a focus on helping them align the right people, processes, and systems to mitigate third-party risk and drive more value from third-party contracts and relationships.