Expertise Beyond the Numbers

Countering Cyber and Privacy Challenges Through Compliant Third-Party Vendor Management [Podcast]

In the following podcast interview, Anthony DiGiulian of SC&H Group discusses key insights from the ISACA North America CACS 2016 Conference, and also highlights new AICPA updates regarding vendor management and third party data assurance.

Increased cyber threats and ongoing privacy concerns continue to be critical challenges for any organization – especially when working with service organizations that host, manage, or transport their data.

As a result, customers and regulators are continually assessing the processes and controls of third parties in order to best reduce the likelihood of a data breach, and minimize the impact of a cyber attack.

The Dramatically Changing Vendor Management Landscape

In the past, auditors provided independent assurances of service providers through a combination of questionnaires, onsite assessments, agreed-upon procedures, SOC reports, and other certifications.

Today, many companies are embracing SOC 2 Plus reporting, which examines additional criteria, and advocates for the use of more customizable principles that are intended to close the gap on regulatory compliance. This allows service providers to group agreed-upon procedures, questionnaires, and onsite audits into one report to meet any industry specific criteria – whether NIST or Cloud Security Alliance standards.

Important TSP Section 100 Update

In addition, the AICPA recently provided an update to the Trust Services Principles and Criteria (TSP Section 100), which will impact any reporting effort on or after December 15, 2016.

This update calls for more detailed/illustrative reporting, adds more explicit scoping requirements specifically for reports addressing Confidentiality and Privacy, clarification on including complementary user entity controls, and requires the creation and testing of a true vendor management program. The update also aims to align the privacy principle with the common criteria, which will ultimately make privacy more attainable for organizations.

SC&H Group is urging service organizations to read the new criteria, and meet with their service auditors to fully understand how these changes impact reporting efforts. The firm also advocates for customers to thoroughly review all reporting efforts by third parties, as well as ensure that their service organizations are reporting under the new standard.

To learn more about SC&H Group’s audit expertise with SOC/SSAE 16 reporting frameworks, click here. In addition, if you have any questions about the changes to TSP Section 100, we welcome you to contact Anthony here.