In today’s business environment, most companies use some sort of outsourced service provider. You may only use a company to print statements; you may have your core application outsourced; or you may have all your servers in the cloud. Whether it is small services or big, you probably have data living somewhere outside your buildings.
We have a saying: ‘you can outsource the process but not the responsibility for it.’ You are responsible for what your service organizations and vendors are doing with the data they are working with. After all, your customers have not only entrusted you with their money but also a lot of very personal information. That information is theirs, not the bank’s, so you must hold it with the level of responsibility that it deserves. When we hold a customer’s data, we are responsible for it whether it is sitting on a server in our data center, at a service organization, or in transit to somewhere else.
There are libraries of information about protecting networks and data but I want to look at a higher level of responsibility here. In this regulated world we live in, you already know about Vendor Management. I know you already have a policy, a risk assessment, and a process to review your vendors. But if it was not required, would you still keep these processes? I think that we all feel better about tasks if we see an importance to them.
For this discussion, let’s forget about regulatory requirements. Let’s say your bank decides to outsource the core application to Dave’s Banking Software (DBS). What do you know about DBS? How long has it been in business? How many other banks use their service? Your risk tolerance may allow you to be comfortable with an upstart company, but like I said before, it isn’t your data. Do you think your customers would be comfortable with a new company with no reputation? Your responsibility is to understand what your customers expect and to select a service provider that your customers would be comfortable with. You also have to watch costs and efficiencies to be a successful business.
The next step of this due diligence process is to understand what their control environment is like. You could send your team of internal auditors to DBS’s processing sites and data centers to review the control environment. But there is an easier way: the SOC report. These reports include a narrative description of the environment and a third-party opinion. You should read the whole report, not just the opinion letter, to get a full understanding of how transactions flow through their systems as well as their control processes for staff, IT, and operations. These reports will also lay out the complementary controls the service provider expects you to have in place on your side. Those are an important part of the report, and you should be looking at them.
Just remember, not all companies will have a SOC report. If they are not a processor, there is a good chance they don’t. If they are providing you a product or a professional service, their internal controls don’t necessarily impact your internal controls.
So between your investigation into the reputation of the company and the third-party report on its internal controls, you are starting to understand what kind of company DBS is. But are they going to continue in business? If you don’t think they can remain a viable company due to ongoing losses or other financial issues, then you should be concerned! You need to invest some time in understanding their financial condition. Will they have the resources to invest in future technology to keep you competitive?
Using an outsourced service provider is a little like a marriage. You are going to have a close relationship, and if it doesn’t work out, it will not be pleasant or easy to end. Because of this, it is important to reevaluate the relationship and the quality of service on a regular basis.
I know this was an elementary review of vendor due diligence, but let’s return to my original question: is this process really important? Is it important to your customers? Would you perform these steps if they weren’t required? The due diligence process and the annual reevaluations are time consuming and tedious, but they are vital in protecting the data your customers have entrusted you with.
Throughout his time at YHB, Curtis has provided IT audit and consulting to clients, even while holding the position of the firm’s IT director for several years. Now, as head of the YHB Risk Advisory Services Team, Curtis focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services. He also frequently speaks and gives presentations on SOX compliance, internal controls, and data security.