The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) has developed trust services criteria for organizations to use as a framework for demonstrating the confidentiality, integrity and availability of systems and data.
Organizations familiar with System and Organization Control (SOC) 2 audits will recognize that these trust services criteria are used to report on the effectiveness of their internal controls and safeguards over infrastructure, software, people, procedures, and data:
The SOC 2 Third-Party Compliance Checklist
This comprehensive checklist will help to simplify your third-party controls assessments against AICPA SOC 2.
Meeting SOC 2 TPRM Requirements
Here's how Prevalent can help you address SOC 2 third-party risk management requirements as communicated in the AICPA trust services criteria:
Trust Services Criteria | How We Help |
---|---|
CC2.3: The entity communicates with external parties regarding matters affecting the functioning of internal control. |
|
Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality. Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. |
The Prevalent Third-Party Risk Management (TPRM) Platform centrally manages dialogue about risks, reporting and remediations between organizations and their third-party vendors, suppliers and partners. In addition, the Platform enables reporting, policy documents, contracts and supporting evidence to be stored for dialogue, attestation and sharing. Together, these capabilities ensure that organizations have a single repository for visualizing and managing risks, vendor documentation and remediations. |
CC3.2: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
|
Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems. |
The Prevalent TPRM Platform enables organizations to automate the critical tasks required to assess, manage, continuously monitor, and remediate third-party security, privacy, compliance, supply chain and procurement-related risks across every stage of the vendor lifecycle – from onboarding to offboarding. The solution includes the ability to issue and manage point-in-time risk assessments using more than 750 different templates, analyze the results, as well as continuously monitor third-party cyber, business, reputational, and financial risks for a holistic view of third parties. Built-in reporting templates ensure that security and risk management teams can communicate risk assessment results to executives and other decision-makers and stakeholders. |
CC3.4: The entity identifies and assesses changes that could significantly impact the system of internal control. |
|
Assesses Changes in Vendor and Business Partner Relationships — The risk identification process considers changes in vendor and business partner relationships. |
The Prevalent Platform leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more during offboarding to ensure that as agreements change, so do responsibilities. In addition, Prevalent offers Contract Essentials, a solution that centralizes the distribution, discussion, retention, and review of vendor contracts. It includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding. |
CC9.2: The entity assesses and manages risks associated with vendors and business partners. |
|
Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. |
Prevalent Contract Essentials helps vendor management, procurement and legal teams simplify the process of establishing and negotiating contract terms and SLAs, managing redlines, and securing approvals through workflow. The solution is fully integrated with the complete TPRM Platform ensuring that organizations can manage vendor contracts with the same discipline that they manage vendor risks. |
Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. |
The Prevalent Platform enables organizations to automate the critical tasks required to assess, manage, continuously monitor and remediate third-party security, privacy, compliance, supply chain and procurement-related risks across every stage of the vendor lifecycle – from onboarding to offboarding. |
Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. |
With the Prevalent Platform, security and risk management teams can manually assign tasks related to managing assessments risks, or leverage a pre-packaged library of ActiveRules to automate a range of tasks normally performed as part of the assessment and review processes – such as updating vendor profiles and risk attributes, sending notifications, or activating workflow – utilizing if-this, then-that logic. |
Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners. |
The Prevalent Platform enables vendor management teams to establish requirements to track and to centralize SLA and performance reporting against those requirements through a single reporting and analytics dashboard. |
Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships. |
The Prevalent Platform features reporting that reveals risk trends, status and exceptions to common behavior for individual vendors or groups with embedded machine learning insights. With this capability, teams can quickly identify outliers across assessments, tasks, risks, etc. that could warrant further investigation. |
Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships. |
The Prevalent Platform leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more during offboarding. |
Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary. Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary. |
The Prevalent Platform enables risk management and compliance teams to automatically map information gathered from controls-based vendor assessments to regulatory frameworks including ISO 27001, NIST, CMMC, GDPR, CoBiT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and more to quickly visualize and address important compliance requirements. |
P6.4: The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary. |
|
Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements. |
Prevalent includes built-in assessments for data protection regulations such as GDPR, CCPA, HIPAA and NYDFS. Results from these assessments are mapped into a central risk register where security and risk management teams can visualize and take action on potential risks to data and compare a vendor’s actions against their contractual obligations. |
Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. |
The Prevalent Platform includes built-in remediation guidance and recommendations. Security and risk management teams can efficiently communicate with vendors and coordinate remediation efforts through the Platform, capture and audit conversations, and record estimated completion dates. |
P6.5: The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident-response procedures to meet the entity’s objectives related to privacy. |
|
Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information. |
The Prevalent Third-Party Incident Response Service enables security and risk management teams to rapidly identify and mitigate the impact of data privacy incidents by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance. |
Align Your TPRM Program with ISO, NIST, SOC 2 and More
Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
Easily track and remediate risks found in vendor SOC 2 reports without burdening your team.
How to audit and report against SOC 2 and the Trust Service Principles with third-party risk...
If you plan to use SOC 2 in your third-party risk management (TPRM) program, this on-demand...