With the rise of cloud computing and software-as-a-service (SaaS) playing a key role within higher education institutions, outsourcing certain functions to third parties is becoming more frequent.
Since third parties are being held accountable for providing services, computing, processing, storage and the protection of customer data, higher education institutions are requiring these third parties to complete a System and Organization Controls (SOC) report, or similar, prior to engagement. Depending on the services being provided by the third party, a different report might be provided.
SOC 1 reports are specifically intended to meet the needs of entities that use service organizations (user entities) in evaluating the effect of the controls at the service organization on the user entities’ financial statements. SOC 2 reports are designed to provide assurance over the security, processing integrity, availability, confidentiality, and/or privacy of other services provided by a service organization that do not impact the user entities’ financial statements. Service organizations are held to a standardized set of control criteria for each of the categories covered in the report.
SOC reports can be classified as either a Type 1 report or a Type 2 report. Type 1 reports represent a point in time and only opine on the design of the controls as of the date the report was completed. Type 2 reports cover a period of time and reflect the operating effectiveness of controls throughout the review period. Thus, Type 1 reports provide less assurance over third-party controls, and Type 2 reports are typically required to provide a greater level of assurance. If no report is available, a third-party security questionnaire should be sent to these third parties to be completed and returned.
SOC reports should be reviewed at a frequency commensurate with the criticality of the third party. Criticality depends on many attributes, including, without limitation, the type of data the third party receives, the type of access it has to your network, and the institution’s Recovery Time Objective and/or Recovery Point Objective (RTO and RPO), which should be based on a Business Impact Analysis (BIA). A good rule of thumb is that SOC reports for all critical and high-risk third parties should be reviewed annually, reviews of moderate-risk third parties should be biennial, and reviews of low-risk subservice organizations should be triennial.
With the review of SOC reports becoming the industry standard, some higher education institutions might not be staffed and/or prepared to complete the tens to hundreds of SOC report reviews required on a regular basis. This is where the Internal Audit function at institutions has proven to be a natural fit. For example, our Risk Advisory team issues hundreds of SOC reports annually and therefore maintains a deep understanding of SOC report requirements. SOC reports are not all built equally, so having a trusted SOC expert perform the review of other organizations’ reports brings the assurance process full circle and produces value-added recommendations that would otherwise go unrealized.
As part of Schneider Downs’ SOC report review process, we review the following areas to verify the security of the higher education institution’s third parties. You can also use the AICPA’s SOC Report Review Template to guide your review (Download it at schneiderdowns.com/TPRM) or reference “How to Review a Vendor’s SOC Report”:
Control Objectives (SOC 1) and Trust Services Criteria (SOC 2)
Audit Firm Reputation
Results of Testing
Once the review of the report is complete, Internal Audit also assesses the Complementary User Entity Controls (CUECs) and Complementary Subservice Organization Controls (CSOCs) by leveraging other audits performed for the institution. Complementary controls are essential to ensure the third party’s controls operate effectively, so mapping them to the institution’s own internal controls allows a true gap analysis to be performed.
In summary, utilizing the Internal Audit function to perform third-party assessments is a practical approach for assessing and monitoring the controls of third parties and allows your institution to further focus on achieving its core mission.
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.