
360° of Vendor Management

Jay Brietz, CPA and CIA, Shareholder

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

Disclaimer


• Overview of Vendor Management
• Vendor Management Steps
• SOC Report Reviews

Agenda


Who are third party vendors?
• FDIC’s definition is the simplest – “All entities that have entered into a business relationship with a financial institution.”
• OCC’s definition provides more examples of third parties that provide “…outsourced products and services, independent consultants, networking arrangements, merchant payment processing services…” and so forth.
• The FRB and CFPB also have their own definitions.

Overview of Vendor Management


• Outsourcing dates back to the 1800’s
• 1970’s and 1980’s
- Advancement of IT environments
- Move from payroll outsourcing to IT outsourcing
• 1990’s and 2000’s
- Y2K scare and the boom of IT consulting
- Speed of change (broadband, storage, internet, and security)
- Education and training

Overview of Vendor Management


• Think back to your bank in the 1980’s (maybe even in the 1990’s):
- Core processing system was home grown (probably on a computer the size of a tank)
- Payroll was one of the first processes outsourced
- Most other functions were performed in-house

Overview of Vendor Management


• Common processes at banks that are outsourced today:
- Core processing system and related bank products
- Payroll processing
- Investments safekeeping and recordkeeping
- Benefit plan processing
- Others

Overview of Vendor Management


THOUGHT OF THE DAY:

You can outsource the process…but you still need to manage risks associated with the process.

Overview of Vendor Management


• Vendor management is an important aspect of the bank’s overall risk management program
• According to the FDIC:

“An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling risks arising from such relationships, to the same extent as if the activity were handled within the institution.” (FIL 44-2008, “Guidance on Managing Third Party Risk”)

Overview of Vendor Management


What are typical risks associated with the use of third parties?

Overview of Vendor Management


• Strategic Risks
• Credit Risks
• Transactional Risks
• Compliance Risks
• Operational Risks
• Reputational Risks

Overview of Vendor Management

Identifying Risk Responses

Management’s response to risk:
• Avoidance – exiting the activities giving rise to the risk
• Acceptance – no action is taken to affect risk likelihood or impact
• Reduction – action taken to reduce the risk likelihood or impact or both
• Sharing – reducing the likelihood or impact by transferring or sharing a portion of the risk


Overview of Vendor Management

Use of third parties means you have “Accepted” the risk!



• Effective vendor management programs typically contain four key steps:
- Risk Assessment
- Due Diligence
- Contracting
- Monitoring

Vendor Management Steps


Risk Assessment → Due Diligence → Contracting → Monitoring

• Some key considerations in assessing vendor risk (always thinking WCGW – what could go wrong):
- Longevity of the relationship and/or service/product
- Materiality of the contract to the Bank’s financials
- Significance of the process/services outsourced
- How easily the service/product can be moved or brought in-house
- Where critical/sensitive information is housed and how quickly it can be recovered
- Whether the third party will have access to and/or transmit sensitive data
- Reputational risks if the services are not performed correctly
- Compliance risks associated with the outsourced services
- Experience of internal personnel managing the relationship

Vendor Management Steps – Risk Assessment


Classifying risks (High / Moderate / Low):
• Critical vendors – cannot be easily replaced if services are interrupted or terminated, which in turn may cause significant operational and/or financial impact.
• Other high-risk vendors – any vendor with unsupervised access to sensitive data, critical applications, technology infrastructure or related control systems should be deemed high risk.
• Moderate- and low-risk vendors – risks do not meet the criteria of the high-risk category; due diligence is typically performed less frequently.

Vendor Management Steps – Risk Assessment

Items typically obtained and reviewed:
• Audited financial statements
• Insurance coverage and exclusions
• Experience of principals and business reputation
• External reports:
- SOC reports
- Compliance and regulatory reports
- Peer reviews
• Hiring policies and use of background checks

Vendor Management Steps – Due Diligence


Items typically obtained and reviewed (continued):
• IT security policy, including:
- Protection of confidential information
- Business continuity and disaster recovery plans
- Data removal and destruction policies and procedures
• Strategic plans for upgrades and changes to hardware and/or software
• Pending lawsuits

Vendor Management Steps – Due Diligence


Contracting considerations:
• Ensure scope and key terms are clearly defined
• Incorporate performance measures, such as SLAs and project plans
• Legal language, such as indemnification provisions and limits of liability
• Right-to-audit clause or requirements for SOC reports
• Use of subcontractors (prior notice/approval)
• Data privacy – confidentiality and security
• Business continuity and disaster recovery plans

Vendor Management Steps – Contracting


Monitoring considerations:
• Who – a person with the requisite knowledge and skills to critically review all aspects of the relationship
• What – established performance benchmarks such as financial condition, performance against stated terms or project plans, reputation, and external reviews/SOC reports
• When – frequency determined by risk classification
• How – typical monitoring procedures include separate evaluations and ongoing monitoring efforts

Vendor Management Steps – Monitoring



SOC Report Reviews


• SOC reports are an important part of the vendor management program, so it is important to know how to leverage them
• In this final section, we will cover:
- An overview of SOC reports
- Key aspects of these reports to leverage
- The Bank’s responsibilities related to SOC report reviews and User Control Considerations (UCCs)

SOC Report Reviews


Why do companies get a SOC report?

The parties involved are the user organizations, the user organizations’ auditors, the service organizations and their subservice organizations, and the independent accounting or auditing firm (the service auditor).
• In an audit of a user organization’s financial statements, the user auditor obtains an understanding of the entity’s internal control sufficient to plan the audit, as required by AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.
• If a service organization provides transaction processing or other data processing services to the user organization, the user auditor may be required to gain an understanding of the controls at the service organization.
• The service organization will engage the independent accounting firm to perform a SOC examination and issue a report on the organization’s internal controls.

SOC Report Reviews

Let’s compare the three SOC reports:

SOC 1
  Who: User entity management and user auditors
  Why: Audit
  What: Controls relevant to user entities’ internal control over financial reporting

SOC 2
  Who: User entity departments other than accounting
  Why: Governance, risk and compliance programs; oversight; due diligence
  What: Controls relevant to security, availability, processing integrity, confidentiality, or privacy

SOC 3
  Who: Any users with a need for confidence in the service organization’s controls
  Why: Marketing (“confidence without the detail”)
  What: Seal and easy-to-read report on controls


SOC Report Reviews

• There are two “Types” of report for both SOC 1 and SOC 2: Type 1 and Type 2


SOC Report Reviews

• Difference between a Type 1 and a Type 2

Type 1: A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Type 2: A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.


SOC Report Reviews

• What reports are required to be reviewed?
- Key processes that are outsourced:
  • Investment recordkeepers and pricing services
  • Payroll service providers
  • Core processing package
- Other processes that may need reviewing:
  • Benefit plan and claims processors
  • Certain add-on modules from the core processor
  • Data centers


SOC Report Reviews


Key items to locate in the scope paragraph: the processes or functions covered by the report; the audit period covered; Type 1 vs. Type 2; and the statement that user entity controls are a key part of the internal control system.

Scope
We have examined Example Co., Inc.’s (“Example” or the “Company”) description of its Payroll Processing Services system and related controls for processing user entities’ transactions (the “Description”) throughout the period July 1, 2014 to June 30, 2015 (“Specified Period”) and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the Description. The Description indicates that certain control objectives specified in the Description can be achieved only if complementary user entity controls contemplated in the design of the Company’s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

SOC Report Reviews


Scope (continued)The Company uses various subservice organizations for certain functions of its Payroll Processing Services system and related controls, as described in Section Three. The Company’s control objectives and related controls, which are listed in Section Four of this report, include only the control objectives and related controls of the Company and exclude the control objectives and related controls of the subservice organizations. Our examination did not extend to the controls of the subservice organizations.

This paragraph describes the subservice organizations that are carved-out or excluded from the scope of this report.

SOC Report Reviews


Scope (continued)The information presented in Section Five titled “Other Information Provided by the Service Organization” describes additional processes performed by the Company. It is presented by the management of the Company to provide additional information and is not a part of the Company’s Description. Information presented in Section Five has not been subjected to the procedures applied in the examination of the Description and the suitability of the design and operating effectiveness of controls to meet the related criteria stated in the Description and accordingly, we express no opinion on it.

This paragraph describes other information presented by the Company that is not included in the scope of the opinion.

SOC Report Reviews


Basis for Qualification
The Company states in its Description that it has controls in place to review the accuracy of fee schedule codes applied to new account setups or maintenance to existing accounts. However, as noted on page 117 of the description of tests of controls and results thereof, these controls were not operating effectively throughout the Specified Period. As a result, controls were not operating effectively to achieve the control objective, “Controls provide reasonable assurance that trust fees are accurately calculated and recorded” throughout the Specified Period.

This paragraph, which gives the reason for the qualified opinion, is placed just before the opinion paragraph.

SOC Report Reviews


Opinion
In our opinion, except for the matter in the preceding paragraph, in all material respects, based on the criteria described in the Company’s assertion in Section Two of this report:
• The Description fairly presents the Payroll Processing Services system and related controls that were designed and implemented throughout the Specified Period.
• The controls related to the control objectives stated in the Description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the Specified Period and user entities applied the complementary user entity controls contemplated in the design of the Company’s controls throughout the Specified Period.
• The controls tested, which, together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the Description were achieved, operated effectively throughout the Specified Period.

The opinion paragraph carries three opinions, one per bullet above:
Opinion 1: Description was fairly stated.
Opinion 2: Controls were suitably designed.
Opinion 3: Controls were operating effectively.

SOC Report Reviews


This is an excerpt of the User Entity Controls (also referred to as User Control Considerations (UCCs)).

Evaluating UCCs
• Create a matrix of all UCCs that are applicable to your Bank, including:
- Service organization
- User entity control (listed in the SOC report)
- Applicable to the bank (Yes or No)
- Control at the bank to address the UCC
- Test procedure and results of testing

SOC Report Reviews

SOC Report Reviews

Example UCC Documentation and Testing Matrix

Columns: Service Organization | UCC Description | Applicable to the Bank? | Control Activity at Company | Design: Designed Properly? (Yes/No) <1> | Design: Remediation Needed? (N/A or description of required remediation) | Implementation & Operation: Implemented & Operating Effectively? (Yes/No) <2> | Implementation & Operation: Remediation Needed? (N/A or description of required remediation) | Reliance on UCC Appropriate? (Yes/No)

Row 1
  Service Organization: XYZ Payroll Service
  UCC Description: The user organization is responsible for notifying the service organization of changes in the authorized contacts list.
  Applicable to the Bank? Yes/No
  Control Activity at Company: Jane Doe is the only individual at the Company who is currently on the authorized contacts list. Authorized Company personnel would notify the service organization immediately of any changes to be made to the list.
  Design – Designed Properly? Yes/No <1>; Remediation Needed? N/A or description of required remediation
  Implementation & Operation – Implemented & Operating Effectively? Yes/No <2>; Remediation Needed? N/A or description of required remediation
  Reliance on UCC Appropriate? Yes/No

Row 2
  Service Organization: XYZ Payroll Service
  UCC Description: The user organization is responsible for ensuring that only authorized and properly trained personnel are allowed logical access to the service organization’s systems, fax input worksheets and coversheets.
  Applicable to the Bank? Yes/No
  Control Activity at Company: The Company has procedures in place for ensuring that only authorized and properly trained personnel are allowed logical access to the service organization’s systems, fax input worksheets and coversheets.
  Design – Designed Properly? Yes/No <1>; Remediation Needed? N/A or description of required remediation
  Implementation & Operation – Implemented & Operating Effectively? Yes/No <2>; Remediation Needed? N/A or description of required remediation
  Reliance on UCC Appropriate? Yes/No

<1> Retain documentation of the factors considered (i.e., specific control objectives addressed, relevant assertions, etc., as appropriate).
<2> Retain documentation of the procedures performed to evaluate implementation and operating effectiveness.

SOC Report Review and Vendor Management Summary
• Key aspects of the opinion:
- Processes/functions covered by the report
- Audit period covered and Type 1 versus Type 2
- Subservice providers carved out: you may need to request their SOC report separately
- Other information included but not covered by the opinion (usually in Section Five of the report)
- Any qualification(s) or emphasis of a matter

SOC Report Reviews


SOC Report Review and Vendor Management Summary (continued)
• Other key aspects of the SOC report:
- Complementary User Entity Controls/UCCs
- Exceptions in the testing procedures and management’s response to those exceptions
- Bridge letters: not necessarily a key part of vendor management, but can be important when using the SOC report for Sarbanes-Oxley and financial reporting

SOC Report Reviews
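As an added example (not part of the original presentation), the following Python models the review checklist from the summary above together with the UCC documentation and testing matrix from the earlier slide: it computes how many days of the bank's own review period fall outside the SOC report's Specified Period (the bridge-letter question), lists carved-out subservice organizations and qualified control objectives for follow-up, and records the "reliance on UCC appropriate?" conclusion for each UCC row. The service organization name, dates, subservice organization and UCC rows are constructed placeholders; the Specified Period and the qualified control objective mirror the excerpts shown above.

```python
"""SOC report review checklist and UCC matrix evaluation (added example; sample data is constructed)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class SOCReport:
    service_org: str
    report_type: int          # 1 = design as of a date; 2 = design and operating effectiveness over a period
    period_start: date        # "Specified Period" from the scope paragraph
    period_end: date
    opinion: str              # "unqualified" or "qualified"
    qualified_objectives: List[str] = field(default_factory=list)
    carved_out_subservice_orgs: List[str] = field(default_factory=list)


@dataclass
class UCC:
    """One row of the UCC documentation and testing matrix."""
    service_org: str
    description: str
    applicable: bool                      # "Applicable to the Bank?"
    bank_control: Optional[str] = None    # "Control Activity at Company"
    designed_ok: Optional[bool] = None    # footnote <1>: design conclusion
    operating_ok: Optional[bool] = None   # footnote <2>: implementation and operation conclusion


def coverage_gap_days(report: SOCReport, review_start: date, review_end: date) -> int:
    """Days of the bank's (inclusive) review period not covered by the report's Specified Period."""
    total = (review_end - review_start).days + 1
    overlap_start = max(report.period_start, review_start)
    overlap_end = min(report.period_end, review_end)
    overlap = max(0, (overlap_end - overlap_start).days + 1)   # 0 when the periods do not touch
    return total - overlap


def report_findings(report: SOCReport, review_start: date, review_end: date) -> List[str]:
    """Follow-up items from the 'key aspects of the opinion' checklist."""
    findings = []
    if report.report_type == 1:
        findings.append("Type 1 report: design only, as of a date; no evidence of operating effectiveness")
    gap = coverage_gap_days(report, review_start, review_end)
    if gap > 0:
        findings.append(f"{gap} day(s) of the review period not covered: request a bridge letter or the next report")
    for sub in report.carved_out_subservice_orgs:
        findings.append(f"subservice organization carved out of scope: request the SOC report for {sub}")
    if report.opinion == "qualified":
        for obj in report.qualified_objectives:
            findings.append(f"qualified opinion: assess the bank's exposure to control objective '{obj}'")
    return findings


def evaluate_ucc(u: UCC) -> str:
    """'Reliance on UCC appropriate?' conclusion, with the remediation reason when it is not."""
    if not u.applicable:
        return "N/A"
    if u.bank_control is None or u.designed_ok is not True:
        return "NO - remediate design: no suitably designed bank control addresses this UCC"
    if u.operating_ok is not True:
        return "NO - remediate operation: bank control not implemented or not operating effectively"
    return "YES"


def ucc_matrix(uccs: List[UCC]) -> List[tuple]:
    """Rows of (service organization, UCC, applicable, bank control, reliance conclusion)."""
    return [(u.service_org, u.description, u.applicable, u.bank_control or "", evaluate_ucc(u))
            for u in uccs]


# Constructed sample data: hypothetical service organization, subservice organization and UCC rows.
SAMPLE_REPORT = SOCReport(
    service_org="XYZ Payroll Service",
    report_type=2,
    period_start=date(2014, 7, 1),
    period_end=date(2015, 6, 30),
    opinion="qualified",
    qualified_objectives=["trust fees are accurately calculated and recorded"],
    carved_out_subservice_orgs=["Hypothetical Data Center Co."],
)
BANK_REVIEW_PERIOD = (date(2015, 1, 1), date(2015, 12, 31))   # bank's calendar-year review
NEXT_REVIEW_PERIOD = (date(2016, 1, 1), date(2016, 12, 31))   # lies entirely after the report period
SAMPLE_UCCS = [
    UCC("XYZ Payroll Service", "Notify the service organization of changes to the authorized contacts list",
        True, "Jane Doe is the sole authorized contact; HR notifies the vendor of any change", True, True),
    UCC("XYZ Payroll Service", "Only authorized, trained personnel have logical access to the vendor's systems",
        True, "Access granted on a payroll-manager-approved ticket; quarterly access review", True, False),
    UCC("XYZ Payroll Service", "Review fax input worksheets before transmission", False),
]


def sample_findings() -> List[str]:
    return report_findings(SAMPLE_REPORT, *BANK_REVIEW_PERIOD)


if __name__ == "__main__":
    print(*sample_findings(), *ucc_matrix(SAMPLE_UCCS), sep="\n")
```

With the constructed data the script reports 184 uncovered days (July 1 to December 31, 2015), one carved-out subservice organization to chase, and one qualified control objective, and the matrix flags the second UCC for remediation because the bank's control was designed but not operating effectively. A row marked not applicable is excluded from the reliance question rather than counted as a gap.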



Questions?


Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.

Jay Brietz, CPA, CIA
Email: [email protected]
Phone: 704.808.5247
Mobile: 704.996.4655
