Organizations continually look for opportunities to implement efficiencies and cost savings, which may lead to outsourcing.
As a result of COVID-19, many organizations also moved data to the cloud to be more accessible in a remote working environment. Some common service providers include enterprise resource planning (ERP) systems, payroll providers, and investment managers and custodians. Not-for-profit organizations might also use donor and grant management systems. However, new risks can occur when outside providers perform operational duties and store or process data.
Organizations can reduce the risks of using outside service providers by implementing appropriate controls and systems to prevent fraud, theft, and cyberattacks. To address the risks related to outside service providers, organizations can hire certified public accountants (CPAs) to perform system and organization controls (SOC) examinations. Organizations should obtain SOC reports from vendors whenever they’re looking into working with a new vendor.
What Needs to Be Considered During Vendor Due Diligence?
The SOC reports should be reviewed with all the following considerations in mind:
- Type of report
- Accounting firm
- Auditor opinion
- Service scope
- Covered period
- Description of processes and controls
- User entity control considerations
- Complementary subservice organization controls
- Testing results
The checklist below covers a series of questions your organization could ask as it’s making its way through all the considerations.
If you need more information on what type of report you should request from your vendor, please see definitions of all SOC reports and their uses in our article What Is a SOC Report, and Why Is It Important?
A Checklist to Help You Review Vendors’ SOC Reports
We’re Here to Help
If you have any questions about obtaining your vendors’ SOC reports or the types of questions you should be asking, please contact your Moss Adams professional.