Meeting AICPA SOC 2 Requirements for Third-Party Risk Management

How to audit and report against SOC 2 and the Trust Service Principles with third-party risk management solutions
By: Scott Lang, VP, Product Marketing
March 16, 2022

This post reviews considerations for third-party risk management under AICPA SOC 2, and explains how you can meet SOC requirements through combined vendor risk assessment and third-party monitoring.

AICPA Trust Services Criteria and Third-Party Risk Management

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) developed the trust services criteria as a framework that organizations can use to demonstrate the security, availability, processing integrity, confidentiality and privacy of their systems and data.

Organizations familiar with System and Organization Controls (SOC) 2 audits will recognize that these trust services criteria are used to report on the effectiveness of their internal controls and safeguards over infrastructure, software, people, procedures, and data.

Trust Services Criteria in SOC 2

A SOC 2 report covers one or more of the following AICPA trust services categories. Security is always in scope; the other four are included at the service organization's discretion, so check which categories a vendor's report actually covers before relying on it:

  • Security: Protecting information and systems against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability: Ensuring the availability of information and systems for operation and use to meet the entity’s objectives.
  • Processing integrity: Ensuring that system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality: Protecting information designated as confidential to meet the entity’s objectives.
  • Privacy: Ensuring that personal information collected, used, retained, disclosed, and disposed meets the entity’s objectives.

Types of SOC Reports

A SOC 2 examination produces one of two report types:

  • Type 1 report: describes the service provider's system and evaluates whether the design of its controls is suitable as of a specified date
  • Type 2 report: covers the same ground and additionally tests whether the controls operated effectively over a review period (commonly six to twelve months); only a Type 2 report contains the auditor's test results and any exceptions noted

How SOC Reports Are Used

Organizations across multiple industries use SOC 2 reports to demonstrate due diligence to clients, differentiate themselves from competitors based on their security posture, or be proactive with auditors in measuring compliance against data protection regulations.

The SOC 2 Third-Party Compliance Checklist

This comprehensive checklist will help to simplify your third-party controls assessments against AICPA SOC 2.


SOC 2 Requirements Relevant to Third-Party Risk Management

Prevalent third-party risk management solutions can enable you to address the following trust services criteria:

CC2.3: The entity communicates with external parties regarding matters affecting the functioning of internal control.

The Prevalent Third-Party Risk Management (TPRM) Platform centrally manages dialogue about risks, reporting and remediations between organizations and their third-party vendors, suppliers and partners.

In addition, the Platform enables reporting, policy documents, contracts and supporting evidence to be stored for dialogue, attestation and sharing.

Together, these capabilities give organizations a single repository for visualizing and managing risks, vendor documentation and remediations.

CC3.2: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

The Prevalent TPRM Platform enables organizations to automate the critical tasks required to assess, manage, continuously monitor, and remediate third-party security, privacy, compliance, supply chain and procurement-related risks across every stage of the vendor lifecycle – from onboarding to offboarding.

The solution includes the ability to issue and manage point-in-time risk assessments using more than 125 different templates, analyze the results, as well as continuously monitor third-party cyber, business, reputational, and financial risks for a holistic view of third parties.

Built-in reporting templates ensure that security and risk management teams can communicate risk assessment results to executives and other decision-makers and stakeholders.

CC3.4: The entity identifies and assesses changes that could significantly impact the system of internal control.

The Prevalent Platform uses customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more during offboarding, so that as agreements change, the responsibilities tracked against them change with them.

In addition, Prevalent offers Contract Essentials, a solution that centralizes the distribution, discussion, retention, and review of vendor contracts. It includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

CC9.2: The entity assesses and manages risks associated with vendors and business partners.

The Prevalent Platform enables organizations to automate the critical tasks required to assess, manage, continuously monitor and remediate third-party security, privacy, compliance, supply chain and procurement-related risks across every stage of the vendor lifecycle, from onboarding to offboarding, including:

  • Sourcing & Selection: Prevalent Contract Essentials helps vendor management, procurement and legal teams simplify the process of establishing and negotiating contract terms and SLAs, managing redlines, and securing approvals through workflow. The solution is fully integrated with the complete TPRM Platform, so organizations can manage vendor contracts with the same discipline they apply to vendor risks.

  • Intake & Onboarding / Inherent Risk Scoring: The Prevalent Platform features reporting that reveals risk trends, status and exceptions to common behavior for individual vendors or groups, with embedded machine learning insights. With this capability, teams can quickly identify outliers across assessments, tasks, risks and other data that could warrant further investigation.

  • Assessment & Monitoring: With the Prevalent Platform, security and risk management teams can assign tasks related to managing assessments manually, or use a pre-packaged library of ActiveRules to automate a range of tasks normally performed as part of the assessment and review processes, such as updating vendor profiles and risk attributes, sending notifications, or activating workflow, using if-this, then-that logic.

  • SLA & Performance Management: The Prevalent Platform enables vendor management teams to define the SLA and performance requirements they want to track and to centralize reporting against those requirements in a single reporting and analytics dashboard.

  • Offboarding & Termination: The Prevalent Platform uses customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more during offboarding.

P6.4: The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.

The Prevalent Platform includes built-in assessments for data protection regulations such as GDPR, CCPA, HIPAA and NYDFS. Results from these assessments are mapped into a central risk register where security and risk management teams can visualize and act on potential risks to data and compare a vendor's actions against its contractual obligations.

The Prevalent Platform includes built-in remediation guidance and recommendations. Security and risk management teams can efficiently communicate with vendors and coordinate remediation efforts through the Platform, capture and audit conversations, and record estimated completion dates.

P6.5: The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident-response procedures to meet the entity’s objectives related to privacy.

The Prevalent Third-Party Incident Response Service enables security and risk management teams to rapidly identify and mitigate the impact of data privacy incidents by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

Align Your TPRM Program with ISO, NIST, SOC 2 and More

Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.


Addressing SOC 2 with Prevalent

The AICPA SOC 2 report is an industry-standard framework for IT services companies to assess their controls over customer data. Some vendors that lack the internal resources to answer a security questionnaire will provide their SOC 2 report to customers instead, and mapping the contents of that report (scope, report period, auditor opinion and control exceptions) into a risk management solution for proper risk tracking is time-consuming and complex.

With Prevalent, you can address SOC 2 third-party risk management requirements by:

  • Assessing third parties with a comprehensive SOC 2-based questionnaire
  • Automatically generating a risk register upon survey completion to zero in on potential areas of concern
  • Creating an audit trail that maps documentation and evidence to risks and vendors
  • Reporting against SOC 2 compliance

We also offer a SOC 2 Exception Analysis Service, which is a managed service delivered by the Prevalent Risk Operations Center (ROC) that transposes SOC 2 report control exceptions into risks in the Prevalent Third-Party Risk Management Platform. The resulting unified risk register enables coordinated risk response and remediation following a standardized approach and ensures that you have a comprehensive profile of all vendors – even for those that submit a SOC 2 report in lieu of a full security assessment.
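The mapping described above can be illustrated with a small script. This is an added example, not Prevalent's code or its Exception Analysis Service: it takes the metadata and control exceptions from a SOC 2 report and produces risk register entries, flagging a Type 1 report, a non-unqualified opinion, a stale report period, a gap that calls for a bridge letter, and carved-out subservice organizations, and rating each exception by trust services category and by whether management responded. The criteria-prefix mapping, the severity policy, the age thresholds and the sample report for "ExampleCloud Inc." are all assumptions made for the example; the report is constructed and not a real vendor's SOC 2 report.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed mapping from criteria-number prefixes to trust services categories
# (CC = common criteria / Security, A, PI, C, P as in the AICPA numbering).
CATEGORY_BY_PREFIX = {
    "CC": "Security",
    "A": "Availability",
    "PI": "Processing integrity",
    "C": "Confidentiality",
    "P": "Privacy",
}

# Assumed program thresholds: a report whose period ended more than a year
# before the review date is stale; a gap over 90 days warrants a bridge letter.
MAX_REPORT_AGE = timedelta(days=365)
BRIDGE_LETTER_GAP = timedelta(days=90)
SEVERITY_ORDER = ["Low", "Medium", "High"]


@dataclass
class ControlException:
    criterion: str            # e.g. "CC6.1"
    control: str              # the control as described in the report
    deviation: str            # the auditor's testing exception
    mgmt_response: str = ""   # management's response / remediation, if any


@dataclass
class SocReport:
    vendor: str
    report_type: int                  # 1 (design only) or 2 (design + operating effectiveness)
    period_end: date                  # "as of" date (Type 1) or period end (Type 2)
    opinion: str                      # "unqualified", "qualified", "adverse" or "disclaimer"
    period_start: Optional[date] = None
    carve_outs: list = field(default_factory=list)    # subservice orgs excluded from scope
    exceptions: list = field(default_factory=list)


@dataclass
class Risk:
    vendor: str
    criterion: str      # empty for report-level (coverage) findings
    category: str
    severity: str
    description: str


def category_for(criterion: str) -> str:
    """'CC6.1' -> 'Security', 'P6.4' -> 'Privacy'; unknown prefixes are flagged."""
    return CATEGORY_BY_PREFIX.get(criterion.rstrip("0123456789."), "Unknown")


def severity_for(exc: ControlException) -> str:
    """Assumed rating policy: logical-access (CC6) and privacy exceptions start
    High, everything else Medium; a missing management response raises it one step."""
    base = "High" if exc.criterion.startswith("CC6") or category_for(exc.criterion) == "Privacy" else "Medium"
    if not exc.mgmt_response.strip():
        base = SEVERITY_ORDER[min(SEVERITY_ORDER.index(base) + 1, len(SEVERITY_ORDER) - 1)]
    return base


def review_report(report: SocReport, as_of: date) -> list:
    """Turn report metadata and control exceptions into risk register entries."""
    risks = []

    def coverage(severity, description):
        risks.append(Risk(report.vendor, "", "Report coverage", severity, description))

    if report.report_type == 1:
        coverage("Medium", "Type 1 report only: control design as of a date, no operating effectiveness evidence")
    if report.opinion.lower() != "unqualified":
        coverage("High", f"Auditor opinion is {report.opinion}; read the basis for the opinion before relying on the report")
    age = as_of - report.period_end
    if age > MAX_REPORT_AGE:
        coverage("High", f"Report period ended {report.period_end}; more than a year old at review date {as_of}")
    elif age > BRIDGE_LETTER_GAP:
        coverage("Low", f"{age.days} days since period end; request a bridge letter")
    for sub in report.carve_outs:
        coverage("Medium", f"Subservice organization '{sub}' is carved out; obtain and review its own SOC report")

    for exc in report.exceptions:
        risks.append(Risk(report.vendor, exc.criterion, category_for(exc.criterion), severity_for(exc),
                          f"Exception against '{exc.control}': {exc.deviation}"))
    return risks


# Constructed sample report for a fictional vendor (not a real SOC 2 report).
SAMPLE = SocReport(
    vendor="ExampleCloud Inc.", report_type=2, opinion="unqualified",
    period_start=date(2021, 1, 1), period_end=date(2021, 12, 31),
    carve_outs=["hosting provider"],
    exceptions=[
        ControlException("CC6.1", "Access for terminated users is revoked within 24 hours",
                         "2 of 25 sampled terminations retained access for more than 5 days",
                         mgmt_response="HR feed to the identity provider automated in Q1 2022"),
        ControlException("CC7.2", "Security alerts are triaged within the SLA",
                         "3 of 40 sampled alerts had no documented triage",
                         mgmt_response="Alert queue now reviewed daily with sign-off"),
        ControlException("A1.2", "Backups are restored and verified quarterly",
                         "No restore test evidence for Q3"),
        ControlException("P6.4", "Vendors handling PII sign a DPA before onboarding",
                         "1 of 10 sampled vendors had no signed DPA",
                         mgmt_response="DPA executed; contract template updated"),
    ],
)

if __name__ == "__main__":
    for r in review_report(SAMPLE, date(2022, 3, 16)):
        print(f"{r.severity:6} {r.category:20} {r.criterion:6} {r.description}")
```

Run as-is, the sample yields one coverage finding (the carved-out hosting provider) plus four exception risks; the availability exception with no management response is raised to High while the CC7.2 exception with a documented response stays Medium. Rerunning with a later review date turns the same report into a stale-report finding, which is the check to keep in place when a vendor submits last year's report in lieu of a fresh assessment.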

To learn more, visit our SOC 2 solutions page or request a demo today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
