Vendor Pre-Qualification: What we Learned From Our Own Process
Published on by Robert Ramsay in SOC Reports, Technology
While considering the steps necessary to complete the vendor prequalification process, it is important for your organization to come prepared with the right information. At Barnes Dennig, we help companies gain credibility with their vendors every day by generating CPA-provided SOC reports. However, the tables were turned when we found ourselves required to demonstrate our data security credentials with one of the 50 largest banks in the United States in order to be an approved vendor. Experiencing this process from the other side, we have an even better understanding of what our clients experience every time we go through these same controls with them for their annual SOC reports. Here are some of the key things that we learned:
Throughout the process, you will be required to submit security policies, vulnerability scan results, compliance verifications, and SOC reports from our own vendors. You will answer questions about your history of privacy and security related to protecting your clients’ data throughout the history of your organization. You will submit organization charts and job descriptions for your security officer, privacy officer and quality control committee.
One key thing that we learned is that aggregating all of the pertinent information and making it all referenceable from one place was an extremely useful exercise. Information that you will be required to provide includes:
- Security and privacy assurances with third-party vendors
- Internal privacy and data security training
- Insurance coverage for cybersecurity
Sure, we thought that our PCI compliance and HIPAA compliance were barometers for our data security infrastructure, but it was eye opening to experience the number of forms and questions required for submission to this bank’s compliance portal.
As a large, regional firm with offices in multiple states, it is reassuring to see that the practices were applied uniformly and communicated throughout all locations. We leaned heavily on the AICPA’s already high confidentiality requirements that we must meet as a CPA firm in order to maintain the trust of the general public. We were humbled at the same time with the appreciation for the effort it takes to meet these vendor requirements year-in and year-out.
In the end, we were able to successfully locate and provide everything that we needed to become a qualified vendor. Consistent with our SOC methodology, we celebrated the achievement. Although, that doesn’t mean that we weren’t glad it was over!
Barnes Dennig is committed to remaining on the leading edge of SOC practices, and ensuring that our team applies techniques that adhere to AICPA standards. This commitment ensures that our clients’ examinations are conducted effectively and in accordance with current authoritative guidance aligned with leading practices.
Contact us with questions regarding SOC engagements and visit our SOC reporting services page to learn about the services that the Barnes Dennig offers.