
SOC Hot Topics

GRANT THORNTON

April 11, 2017

Table of Contents

AGENDA

© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd 2

Third-Party Risk Management Frameworks

AICPA Clarity Project

AICPA's Consideration of Cybersecurity

HITRUST and SOC 2


SOC Hot Topics – Third-Party Risk Management Frameworks


Third-Party Risk Management Frameworks – Real Business Risks


TPR FRAMEWORKS

• Third parties can provide real value to companies through the realization of cost savings, revenue enhancement, or gained expertise.

• The number and complexity of third-party relationships continues to increase.

• The quality of a company's risk management program needs to keep pace with the level of risk these third-party relationships introduce.

• There is an expectation of strong governance and oversight, especially as it relates to critical activities or services provided by a company's third parties that may:
‒ Cause significant risks to operations if the third party fails to meet expectations (e.g., core operations, data privacy, business continuity, financial viability)
‒ Require significant investments in resources to implement the third-party relationship and manage the risk (outsourcing an entire business function, for example)
‒ Have a major impact on the company's operations if an alternative third party is required or if the outsourced activity has to be brought in house

Third-Party Risk Management Frameworks – Third-Party Risk: Common Barriers


Themes, issues, and actions taken:

Limited Visibility
‒ Issue: Limited visibility to the full complement of third-party services and key risks
‒ Action taken: Maintain a catalog of third parties, contracts, and resulting risks; provide a risk-based segmentation of third-party services

Fragmented Responsibility or Limited Authority
‒ Issue: Fragmented ownership or lack of authority over the full lifecycle of third-party risk
‒ Action taken: Create a disciplined ownership, governance, and escalation framework; establish three lines of defense and nominate an Internal Audit SME

Inconsistent Processes/Poor Data
‒ Issue: Differing processes, multiple vendor masters, inaccurate service mapping, duplicate entries
‒ Action taken: Work contracts through an upfront vetting process; make use of a rules-based due diligence process and use technology to drive consistency

Resource Constraints
‒ Issue: Increased regulatory demands requiring more comprehensive and more frequent reviews
‒ Action taken: Risk-based focus and use of integrated technology; managed service offerings and the emergence of risk consortiums

Best Practices – TPR Frameworks


FOCUSING ON THE CRITICAL AREAS FOR IMPROVEMENT

• Experience has shown that to arrive at a solid, best-in-class risk management process, firms need to develop or improve in the following 10 areas:

1. Be comprehensive – A detailed inventory of all third parties with whom the firm has a relationship. Start with the vendor master list and AP payment reports, but also use enterprise-wide surveys and data-matching algorithms to reconcile the data.

2. Catalog risks – A comprehensive catalog of the specific risks to which third parties can expose the firm. Many institutions do not fully understand all the risks of their third parties. A master risk register, tied to the issues that the regulators are actively pursuing, will help start this process.

3. Risk-based segmentation of the supplier base – Not all suppliers or their services carry the same amount of risk. Devote the most effort to activities defined as critical. Tiering the third parties will help to ensure that those marked as high risk are treated in a consistent fashion.


4. Rules-based due diligence testing – Treating every third-party relationship the same does not make sense. Carefully designed rules can help firms focus their investigations on the most critical areas.

5. Disciplined governance and escalation framework – At many firms, third-party risk management does not have a natural owner. Establishing one and giving that group the right decision-making power is essential.

6. Incorporate independent reviews – Plan for an independent review of critical activities to set a baseline for the third-party risk management framework and processes.

7. Streamlining third-party relationships – Company mergers, acquisitions, and a lack of corporate-wide sourcing activities may have produced too many duplicative third parties and services; a rationalization initiative will not only save money but will also lower risk potential.


8. Use of integrated technology and MIS workflow – Increase the efficiency and accuracy of risk assessments: purpose-built off-the-shelf applications have matured over the last few years and may be the right answer for third-party risk management needs, as building them in house can prove difficult.

9. Identifying an Internal Audit "central point of contact" (CPC) – Designate an Internal Audit CPC for third-party risk management, as for other enterprise risks. This person should be your czar in understanding what the regulators are looking for and should find and address weaknesses before the examiners do.

10. Establish three lines of defense – Organize the third-party risk management program across three lines of defense:
‒ Business Owners: They own the risk and need to implement actions for risk identification and mitigation.
‒ Third-Party Oversight: They establish the policies and procedures, provide oversight for key risks, and identify opportunities for improvement as third-party risk regulations change.
‒ Internal Audit Department: They set the audit standard for your third-party risk management program, conduct reviews, and identify potential risks that require remediation.
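Item 1 above calls for reconciling the vendor master list against AP payment reports. The following is an added example of that reconciliation step, written for this page and not code from the Grant Thornton deck: it normalizes vendor names (case, punctuation, legal-form suffixes) so that spelling variants match, then reports AP payees with no vendor-master record (third parties being paid but not managed), vendor-master records that collapse to the same vendor (the duplicate entries named as a common barrier above), and master records with no spend (candidates for the rationalization in item 7). The vendor and payment records are constructed for illustration; the suffix list and the function names are the example's own assumptions.

```python
"""Reconcile a vendor master list against AP payment data.

Added example for this page, not code from the Grant Thornton deck.
All records below are constructed for illustration.
"""
import re
from collections import defaultdict

# Legal-form suffixes that differ between systems and should not block a match
# (assumed list; extend it for the jurisdictions in scope).
LEGAL_SUFFIXES = {
    "inc", "incorporated", "llc", "ltd", "limited", "corp", "corporation",
    "co", "company", "plc", "gmbh",
}


def normalize_name(name: str) -> str:
    """Canonical matching key: lowercase, drop dots and punctuation, drop legal suffixes."""
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", name.lower().replace(".", ""))
    tokens = [t for t in cleaned.split() if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def reconcile(vendor_master, ap_payments):
    """Compare the vendor master against AP payments.

    vendor_master: iterable of {"vendor_id": str, "name": str}
    ap_payments:   iterable of {"payee": str, "amount": float}

    Returns a dict with three findings, each keyed by normalized vendor name:
      unregistered: payees paid through AP with no vendor-master record -> total paid
      duplicates:   one vendor present under several vendor_ids -> [vendor_ids]
      inactive:     vendor-master records that received no AP payments -> [vendor_ids]
    """
    master_index = defaultdict(list)
    for v in vendor_master:
        master_index[normalize_name(v["name"])].append(v["vendor_id"])

    paid = defaultdict(float)
    for p in ap_payments:
        paid[normalize_name(p["payee"])] += float(p["amount"])

    unregistered = {k: total for k, total in paid.items() if k not in master_index}
    duplicates = {k: ids for k, ids in master_index.items() if len(ids) > 1}
    inactive = {k: ids for k, ids in master_index.items() if k not in paid}
    return {"unregistered": unregistered, "duplicates": duplicates, "inactive": inactive}


# Constructed sample data: one vendor entered twice under different spellings,
# one payee that was never onboarded, one master record with no spend.
VENDOR_MASTER = [
    {"vendor_id": "V001", "name": "Acme Cloud Services, Inc."},
    {"vendor_id": "V002", "name": "ACME CLOUD SERVICES INC"},
    {"vendor_id": "V003", "name": "Northwind Payroll LLC"},
    {"vendor_id": "V004", "name": "Contoso Shredding Co."},
]

AP_PAYMENTS = [
    {"payee": "Acme Cloud Services Inc", "amount": 12000.00},
    {"payee": "Northwind Payroll, L.L.C.", "amount": 5400.00},
    {"payee": "Shadow Analytics Ltd", "amount": 2500.00},
    {"payee": "Shadow Analytics Limited", "amount": 750.00},
]


def run_example():
    """Run the reconciliation on the constructed data and return the findings."""
    return reconcile(VENDOR_MASTER, AP_PAYMENTS)


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}:")
        for key, value in sorted(items.items()):
            print(f"  {key}: {value}")
```

On real data the AP extract is the more authoritative side: a payee that has been paid but never passed onboarding is the gap this control exists to find, so the "unregistered" bucket is the one to route into the vetting process first. Exact-key matching after normalization is deliberately conservative; fuzzy matching raises recall but also raises false merges, so keep any fuzzy step as a reviewed suggestion rather than an automatic merge.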

Third-Party Risk Management Frameworks – Key Risk Summary

• This table summarizes the key third-party risks for which companies should plan in order to protect the interests of their clients and employees and the overall health of their operations.

• These risks may contribute to operational and reputational harm if not handled properly, with a potential for significant revenue impact.

Third-Party Risk Management Frameworks

Third-party risk framework (diagram)

Framework components:
‒ Governance: how best to structure the organization (committees, specific roles and responsibilities, escalations) for managing third parties
‒ Policies and Standards: the development of third-party policies and standards that convey both management and regulatory expectations around risks
‒ Business Processes: efficient processes to identify, segment, and manage risks across the full third-party lifecycle
‒ Tools and Technology: tools and technology that effectively support the third-party risk management processes and data integration needs
‒ Risk Metrics and Dashboard: identifies risk and performance associated with third parties, tailored towards multiple levels of management
‒ Risk Culture: tone at the top, clarity on risk appetite, and appropriate training and awareness to promote a positive risk culture

Key risk domains: Contractual Risk; Continuity of Service/Product Risk; Financial Viability Risk; Personnel/Physical Security Risk; Credit Risk; 4th Party Risk (subcontractors); Legal/Regulatory Risk; Geo-political Risk; Information Security Risk; Strategic Risk

Third-party risk lifecycle: Planning and risk identification; Due diligence and third-party selection; Contract negotiation and on-boarding; On-going monitoring and mitigation; Termination and off-boarding; with continuous improvement across the lifecycle

Corporate drivers: Growth/innovation (products/services); Improved Client Experience; Cost Optimization; Improved Time to Market; Risk and Compliance Management

Third-Party Risk Management Frameworks – A changing landscape

• Current bilateral processes are inefficient, expensive, and do not provide centralized functionality across planning, due diligence, contracting, ongoing monitoring, and termination.

(Diagram) Current practice: clients and third parties exchange risk information one-to-one, each client with each third party. Risk consortiums: clients and third parties exchange information many-to-one-to-many, through the consortium.

Third-Party Risk Management Frameworks – Benefits of a third-party risk consortium

• KY3P is a centralized data hub which enables firms to standardize and simplify the third-party risk management process, including due diligence and ongoing monitoring processes, and to reduce duplication and more efficiently distribute and communicate risk-critical information.

Key Challenges to Third Parties:
‒ Regulatory Pressure: Evolving industry regulations require increased due diligence
‒ Increased Resources: Duplicative, manual, and inefficient processes are expensive to maintain and require extensive resources for upkeep
‒ Time to Market: Information required from customers is needed within specific timeframes
‒ Repetition: Multiple requests for information from third parties create duplicative processes for both firms and third parties
‒ Security: Third parties want to ensure their data is secure and currently lack visibility into who has access to their information

Planned Benefits:
‒ Best Practices: Streamlined processes help firms implement industry best practices and ensure audit readiness
‒ Cost Reduction: Reduce costs by facilitating a more efficient third-party oversight process
‒ Customer Onboarding: Standardized processes enable firms to collaborate quickly and more effectively
‒ Efficiency: Efficient processes and aggregated information enable firms to store and reuse data across multiple requests
‒ Control: Permissioning systems enable firms to maintain control and gain transparency over who has viewed their data

Third-Party Risk Management Frameworks – Consortium functionality

Planned functionality:

• Industry Incident Management – Industry-wide event monitoring: third parties can raise alerts. Standard questions developed; exchange of standard information through the portal from the third party, visible to all those permissioned.

• KY3P Data Hub – Summary risk ratings and financial ratios sourced from D&B and S&P; repository for third-party audit reports and supporting documentation.

• Due-Diligence Questionnaire – Standard set of industry questions by risk domain agreed across the three design banks for the third parties to complete, with a quality assurance feedback loop.

• Daily News and Screening and Monitoring – Proactive notification of negative news and relevant events (e.g., mergers/divestitures); screening for relevant sanctions against third parties.

• Request-For-Service Marketplace – Ability to source custom third-party risk services such as verification/validation, onsite review assessments, audit reviews, etc. from ecosystem participants.

• Other Functionality – As identified by the Product Committee comprising HSBC and the other design banks.

SOC Hot Topics – AICPA Clarity Project

• Under the direction of the Auditing Standards Board, members of the "Clarification Project" undertook the initiative to revise and restructure the Statements on Standards for Attestation Engagements (SSAEs).

• The effort was intended to restructure the guidance to more easily allow practitioners to adhere to the relevant guidance for their engagements by:
– Removing unnecessary redundancy across the standards
– Removing contradictory guidance within the standards
– Aligning U.S. standards with international standards


AICPA CLARITY PROJECT

AICPA Clarity Project

• The result of the AICPA's Clarity Project was to centralize or consolidate the guidance applicable to attestation engagements into the following chapters:
‒ Chapter 1 – Concepts Common to All Attestation Engagements
‒ Chapter 2 – Examination Engagements
‒ Chapter 3 – Review Engagements
‒ Chapter 4 – Agreed-Upon Procedures Engagements
‒ Chapter 5 – Prospective Financial Information
‒ Chapter 6 – Reporting on Pro Forma Financial Information
‒ Chapter 7 – Compliance Attestation
‒ Chapter 8 – Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting


• Under the new structure, practitioners need to adhere to guidance within at least two of the attestation chapters, plus the incremental performance guidance within chapters 5-8 where applicable
‒ For example, a service auditor will need to adhere to chapters 1, 2, and 8 in order to issue a SOC 1 report
‒ For a SOC 2 report, a service auditor will need to adhere to chapters 1 and 2


• The "Responsible Party" is responsible for the following:
‒ The subject matter;
‒ Its assertion about the subject matter;
‒ Measuring, evaluating, and, when applicable, presenting subject matter that is free from material misstatement, whether due to fraud or error; and
‒ Providing the practitioner with the following:
   ‒ Access to all information of which the responsible party is aware that is relevant to the measurement, evaluation, or disclosure of the subject matter
   ‒ Access to additional information that the practitioner may request from the responsible party for the purpose of the engagement
   ‒ Unrestricted access to persons within the appropriate party(ies) from whom the practitioner determines it is necessary to obtain evidence


• The "Practitioner" is responsible for the following:
‒ Having the appropriate competence and capabilities to perform the engagement
‒ Complying with relevant ethical requirements
‒ Maintaining professional skepticism
‒ Exercising professional judgment throughout the planning and performance of the engagement


• Changes to the standards that may affect a service organization include the following:
‒ Introduction of the term "complementary subservice organization"
‒ Monitoring the effectiveness of controls at subservice organizations
‒ Addition of a new planning requirement
‒ Rendering an opinion when the responsible party is not the engaging party and refuses to provide an assertion


INTRODUCTION OF THE TERM COMPLEMENTARY SUBSERVICE ORGANIZATION:

• A complementary subservice organization is a subservice organization that performs a function on behalf of the service organization or responsible party that is critical to the achievement of a control objective

• The new standard requires complementary subservice organization controls assumed in the design of the service organization's controls to be listed within the report, in addition to complementary user entity controls

• Not all subservice organizations will be noted as complementary


MONITORING THE EFFECTIVENESS OF CONTROLS AT SUBSERVICE ORGANIZATIONS:


• The new standard requires that service organizations implement processes that monitor the controls at subservice organizations and provides the following control suggestions:
– Review and reconcile output reports
– Hold periodic discussions with the subservice organization
– Make regular site visits to the subservice organization
– Test controls at the subservice organization by members of the service organization's internal audit function
– Monitor external communications, such as customer complaints relevant to the services provided by the subservice organization
– Review Type I or Type II reports on the subservice organization's system


ADDITION OF A NEW PLANNING REQUIREMENT:


• The new standard requires the service auditor to read the reports of the internal audit function and of regulatory examinations that relate to the services provided to user entities and the scope of the engagement, as part of understanding the service organization's environment

• The results should be taken into consideration as part of the risk assessment and in determining the nature, timing, and extent of the tests


RENDERING AN OPINION WHEN THE RESPONSIBLE PARTY IS NOT THE ENGAGING PARTY AND REFUSES TO PROVIDE AN ASSERTION:


• In the past, the standards required the practitioner to resign from the engagement and decline to provide a report

• Under the new guidance, the practitioner is able to issue a report, but the report must include a statement that the responsible party did not provide a written assertion

• This allows a report to be issued when the engaging party wants third-party assurance over a subject matter with which the responsible party is uncomfortable


SOC Hot Topics – AICPA's Consideration of Cybersecurity

Center for Audit Quality and AICPA Cybersecurity


AICPA CYBERSECURITY

• The Center for Audit Quality and the AICPA undertook an effort last fall to provide additional guidance to practitioners regarding the amount of assurance that needs to be sought for both audit and attestation engagements.

• A couple of key conclusions that came out of those meetings included the following:
‒ The risk of a cyber attack is not yet a financial reporting risk for a financial statement audit; however, the effects of a cyber attack may be relevant based upon the contingent liability
‒ The responsibilities of an auditor do not yet include the requirement to conclude on the effectiveness of cybersecurity controls as part of ICFR


• The AICPA formed a working group, under the direction of the Assurance Services Executive Committee (ASEC), to develop a cybersecurity attestation engagement

• The purpose of this working group was to explore the possibility of defining criteria against which an entity could be assessed

• In January 2016, the working group released the first draft of its position paper to the ASEC:
‒ The position paper outlined requirements for practitioners with respect to competence and capabilities as well as experience with the subject matter
‒ The position paper outlined criteria that would be required for a practitioner to undertake the engagement
‒ Comments were provided to the working group to revise the position paper to address key concerns of ASEC


SOC Hot Topics – HITRUST and SOC 2

Health Information Trust Alliance (HITRUST)


HITRUST AND SOC 2

BASIC FACTS:

• Organization formed in 2008 and headquartered in Frisco, TX

• Developed the HITRUST Common Security Framework (CSF), which brings together the following standards into a single framework specific to the healthcare industry:
‒ ISO 27001, 27002, and 27799
‒ NIST 800-53 and 800-66
‒ Health Insurance Portability and Accountability Act (HIPAA)
‒ COBIT
‒ PCI Data Security Standard (PCI DSS)
‒ FTC Red Flags Rule
‒ Considers federal and state regulations

HITRUST Common Security Framework (CSF) – Overview

• The CSF provides certifiable compliance, common understanding, and acceptance:
‒ An accreditation and certification process to drive transparency and adoption of baseline information security controls
‒ Follows a risk-based approach to allow security controls to be prioritized

• Emerging opportunities for leveraging the HITRUST CSF at healthcare organizations:
‒ Monitoring Business Associate compliance – Anthem, Health Care Services Corp., Highmark, Humana and UnitedHealth Group will require approximately 7,500 Business Associates to obtain HITRUST Certification within 24 months (announced June 2015)
‒ The Office for Civil Rights (OCR) refers to the HITRUST CSF as a resource to use when defining risk analysis and assessment programs


• The HITRUST CSF consists of:
‒ 14 Control Categories (high-level topics based on ISO 27001 and ISO 27002)
   For example: Access Control
‒ 46 Control Objectives (statements of desired results or purpose)
   For example: To prevent unauthorized access and compromise or theft of information and information assets
‒ 149 Control Specifications (prescriptive implementation requirement statements)
   For example: Password management policies shall be developed, documented, adopted and communicated to all users to address the need to…

HITRUST CSF – Scope

• The HITRUST CSF addresses the following information security and privacy areas of focus, referred to as Control Categories:

‒ Information Security Management Program
‒ Access Control
‒ Human Resources Security
‒ Risk Management
‒ Security Policy
‒ Organization of Information Security
‒ Compliance
‒ Asset Management
‒ Physical and Environmental Security
‒ Communications and Operations Management
‒ Information Systems Acquisition, Development and Maintenance
‒ Information Security Incident Management
‒ Business Continuity Management
‒ Privacy Practices

HITRUST CSF – Control specifications and implementation requirement levels

• The CSF is applicable to healthcare organizations of varying size and complexity
‒ The CSF allows for flexibility in implementing controls to the degree that is appropriate for a given environment
‒ Within the control specifications across the control categories of the CSF, "implementation requirement levels" relate the organization's risk profile to the minimum level of controls needed

• Implementation Requirement Levels Explained
‒ Level 1 – the minimum set of security requirements for all systems and organizations as determined by the industry (e.g., HIPAA compliant)
‒ Levels 2 and 3 – required for systems and organizations with increased complexity/risk as determined by organizational, regulatory and system factors:
   • Organizational factors include the organization's size and the complexity of its environment (e.g., volume of business)
   • Regulatory factors include the compliance requirements applicable to the organization based on its business/industry or the data in its systems (e.g., PCI, CMS, state requirements)
   • System factors include attributes that would increase the likelihood or impact of a vulnerability being exploited (e.g., number of users, third-party connectivity, use of mobile devices)

HITRUST Assessment Types

• Self Assessment
‒ Performed by the organization
‒ Allows an organization to understand its current level of compliance with the CSF
‒ Can be quickly completed with a low to medium level of effort
‒ Can be used as a stepping stone to a validated assessment

• Validated Assessment
‒ Performed by an authorized CSF assessor
‒ Lengthier process, with a medium to high level of effort needed to complete the assessment
‒ Allows an organization to understand its current level of compliance with the CSF
‒ Results in either a Validated Report or a Validated Report with Certification

HITRUST and SOC 2 – Types of Reports

• HITRUST CSF Certification
‒ Certification through an assessment by a HITRUST-approved assessor
‒ Issued by HITRUST

• SOC 2 Only
‒ The organization has adopted the HITRUST CSF, but the service auditor does not express an opinion on whether the controls at the service organization are suitably designed and operating effectively to meet the HITRUST CSF
‒ Issued by a CPA firm

• SOC 2 + HITRUST CSF
‒ The service auditor's report expresses an opinion on the fairness of presentation of the description and the suitability of design and operating effectiveness of controls based on the Trust Services Principles and Criteria and the HITRUST CSF
‒ Issued by a CPA firm

• SOC 2 + HITRUST CSF + CSF Certification
‒ The service auditor expresses a SOC 2 + HITRUST CSF opinion
‒ The organization has achieved HITRUST CSF certification
‒ Issued by a CPA firm that is also a HITRUST-approved assessor

Benefits of Combining HITRUST CSF Assurance and SOC 2


• Leverage the HITRUST CSF controls in SOC 2 engagements

• Realize significant time efficiencies and cost savings through the synergies between the HITRUST CSF controls and the Trust Services Principles and Criteria

• Reduce the inefficiencies and costs associated with multiple reporting requirements

• Communicate through a single deliverable


Questions?
