“The Race to the SOC Report”

Cybercriminals thrive on complexity. The much-publicized data breach at Target is being blamed on a combination of security weaknesses in the networked business process connecting Target, its HVAC vendor and its outsourced invoicing service.  The complex workflow and tiers of vendor relationships there has exposed “third-party vendor risk” as one of the biggest areas of weakness in corporate control environments. Target is not alone.  In the rush to the cloud to outsource work and focus on core competencies, most operations now include multiple connections to third parties making up a “virtual supply chain.”  Such supply chains offer significant efficiencies in processing as each entity focuses on a specific piece. The most basic list often includes a data center (rack space and server maintenance), email provisioning, desktop support, invoice processing, paper shredding and physical security.  More aggressive companies outsource accounting, human resource and core business software.  Often lost in this race to efficiency is an understanding of the big picture. When the big picture is lost, the nuances of the control environment and how controls interrelate can be completely lost.  It is understandable that companies without an internal audit function or a risk management group are vulnerable. Who is responsible for maintaining this “big picture” and the implications on the overall control structure?

Service Organization Control Reports

One group working to help are accountants and their Service Organization Controls (SOC) reports.  These professionals dig into the details of which key controls are in-house and which are outsourced.  They identify and test key controls and point out controls that rely on third-parties.  In the banking industry the Office of the Comptroller of the Currency has spelled out in greater detail how this risk management process should be conducted and the role of these SOC reports (sometimes referred to as SSAE 16 or SAS 70 reports).  http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html Vendors to the banking industry are being told they need to be in-line with these guidelines or their contracts will be dropped.  These vendors are turning to accountants to perform these Service Organization Control reports to address the complexity.  The task of securing these complex third-party networks will take time.  (It is unlikely the “race to the SOC report” will match the speed with which businesses “raced to the cloud.”)  But at least there is a solution.  For more, see the AICPA’s SOC reporting portal at http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx or contact Robert Ramsay, CPA, CISA, CITP at (513) 929-6002.