As organizations responded quickly to the disruption COVID-19 caused to their day-to-day operations, nearly all businesses had to adapt their risk management approach and, consequently, their internal control environments without time to fully analyze their decisions. When reflecting on operational dependencies, organizations may initially focus on their own financial or operational performance, yet a major dependency on outside vendors and service organizations came into play as businesses dealt with business disruptions and shelter-at-home mandates. The risks associated with heavy reliance on outsourced service providers, such as third-party hosted services or outsourced operations, increased significantly and must also be a focus for organizations.
The assumption that “we are covered” can be a fatal flaw when relying on vendors to manage their own risks. Over the years we’ve witnessed major public company failures that occurred because the company overlooked what seemed like a “minimal” risk that then became an operational and reputational nightmare, especially when its vendor, a service organization, had operational problems of its own. A service organization’s SOC audit report, when evaluated appropriately, can help you assess how likely such failures are.
As a result of COVID-19, vendor dependencies are even more critical to continuing operations and protecting data. So what can we do to minimize our exposure?
First, evaluate your vendor relationships. Now more than ever, this evaluation is important. It should take into account your dependencies on the specific vendor, how you monitor that vendor, and what might have changed in your vendor’s world as a result of COVID-19 that could directly impact the services they provide you. At the end of the day, your vendors’ control environments need to remain effective and adapt to changing circumstances, and it is your responsibility to understand how your vendors will meet their contractual obligations to you during these times of rapid change.
Second, review your vendors’ SOC reports in detail. SOC reports provide a significant amount of material for organizations to review. Ultimately, you can use this information to determine whether your vendor is adhering to the contractual obligations defined when you selected them for a specific service. The content of a SOC report should speak to the specific risks related to the services that matter to you as their customer. Additionally, the test procedures should define the extent of testing performed to give reasonable assurance over the operating effectiveness of the controls. If you identify a weakness while reviewing a vendor’s SOC report, whether through a deviation identified by the service auditor or through a gap you perceive in the control environment, you should evaluate the extent of that gap or deviation and the exposure it creates for your organization. Note that not all SOC reports are created equal, which is why it’s important that a reputable, experienced and knowledgeable CPA firm perform the SOC examination.
For critical dependencies where a SOC audit or equivalent attestation is not available, companies should pay particular attention to (a) how the service organization or vendor provides transparency into its internal control environment so that you can confirm expectations are being met, and (b) how, beyond inquiry, the service organization or vendor can demonstrate the consistency and reliability of that internal control environment.
Ultimately, it’s still up to companies to evaluate and monitor the risks to their organization. By working with service organizations that are transparent about their internal controls and risk areas, you can continue to serve your clients and customers with as few disruptions as possible. Over time, as you navigate the path back to normal operations, you should repeat these steps to understand how you rely on service organizations. You may even find that disruptions from the pandemic led you to new and better ways to operate in the future.
Weaver can help you further address and evaluate dependencies on service organizations to ensure compliance. Contact us for more information.