Organizations often integrate Third-Party Service Providers (TPSPs) into their operations, where they become an extension of the business’s processes – serving as a critical contributor to operational effectiveness and efficiency. Take ADP, for example – as an outsourced payroll provider, it offers organizations a streamlined approach to managing payroll. However, providing third parties with access to sensitive employee information can weaken the security defenses the organization has established in-house. And ADP, while a common and well-known TPSP for payroll, is not the only service company organizations rely on for third-party support. The use of third parties has extended into various operations, such as IT infrastructure in the cloud, communication and file sharing, customer relationship management, ERP systems, warehouse management, supply chain logistics, and more.
Sharing access and data, as well as relying on third-party processes and controls, can leave organizations exposed to cybersecurity risks if proper controls aren’t in place. Managing third-party risk is a multi-layered responsibility that organizations must address. Here’s how best to handle it:
Cybersecurity attacks and data breaches represent a huge global risk, leaving organizations highly vulnerable. A successful attack can quickly spread, exploiting weaknesses across an entire network. This makes managing third-party risks a critical priority within businesses. To reduce an organization’s risk exposure, it is essential to establish a robust Third-Party Risk Management (TPRM) framework that sets clear, agreed-upon standards for security, privacy, continuous monitoring, and breach or incident response protocols. Such a framework ensures that vulnerabilities are minimized.
In addition to cybersecurity risks, organizations face significant threats when they lack an effective internal control environment, which extends to their TPSPs. As TPSPs become part of the contracting organization’s operations, ensuring their internal controls are robust is an important step for businesses to take.
Third parties provide System and Organization Controls (SOC) reports to the organizations they partner with. These are independent audit reports on the controls within the service provided to customers, and they demonstrate that the TPSP’s control environment is designed and operating effectively.
Two types of SOC reports are available for organizations to manage risks associated with third-party engagements:
| Criteria | SOC 1 | SOC 2 |
|---|---|---|
| For Whom | Essential for service organizations processing transactions that impact the customer’s financial statement reporting | Essential for all service organizations, including cloud service providers |
| Purpose | An SOC 1 audit reviews and reports on an organization’s internal controls relevant to its customer’s financial statements | An SOC 2 audit reviews and reports on an organization’s internal controls relevant to the five Trust Services Criteria (TSC) from the AICPA: security, availability, confidentiality, processing integrity, and privacy of customer data |
| Content Objective | Addresses risks that could impact the financial statements of the user entities | Covers a combination of the five TSCs based on the organization’s requirements |
| End Users | Customer’s management and their external auditors | Customer’s management and prospects |
| Examples | Business offerings such as billing management platforms, payroll processing software, financial reporting software, and services relevant to financial impact processing of the organization | Businesses that host data centers, SaaS providers, cloud service providers, HR management services and recruitment platforms, to name a few |
| Types | Type 1: at a specific point in time; opinion on control design and implementation. Type 2: over a specific period; opinion on control design, implementation and operating effectiveness | Type 1: at a specific point in time; opinion on control design and implementation. Type 2: over a specific period; opinion on control design, implementation and operating effectiveness |
TPSP risks can be minimized through a successful approach to managing these relationships. This includes implementing governance through all phases of the partnership and evaluating risks and controls on an ongoing basis. Organizations can do so by following these steps:
While reviewing an SOC report, pay particular attention to the following key areas:
Ensuring you have the right SOC report for the specific service you use is important, as TPSPs have numerous service offerings across their customer base and may therefore issue several SOC reports. Contracting organizations should review the report’s scope to validate that they are evaluating the right one.
Reports can also be issued at various cycles (e.g., annually, semi-annually, quarterly, etc.) and may not always provide complete coverage for the period needed. For example, a report issued annually on September 30 would cover the first quarter of the prior year and three quarters of the current year. However, if your evaluation period is for the current year, you would require a review of the current report plus a bridge letter from the TPSP to cover your organization’s evaluation period.
Complementary User Entity Controls (CUECs) are controls that TPSPs expect contracting organizations to have in place to promote an effective overall control environment. Evaluating CUECs and confirming that the corresponding controls exist and operate at the contracting organization is a crucial step in maintaining an effective control environment.
A qualified audit opinion means that there are material deficiencies impacting the TPSP’s control environment, and these should be flagged immediately. This requires that additional steps be performed at the contracting organization to ensure its own control environment is not materially impacted.
Finally, deficiencies may be identified related to specific controls within the SOC report – each deficiency should be evaluated by the contracting organization to determine its impact on the overall control environment. Additional control or substantive procedures may need to be implemented to preserve the integrity of the information and results provided due to the control failure.
If your organization is working with outside parties, our governance, risk and compliance team can implement appropriate procedures for reviewing TPSPs, including leveraging AI for efficiency. We can also evaluate existing procedures to ensure they are appropriately designed. To learn more about our services, such as AI use cases, please contact us.
Veronika Fritz, CPA, is a principal with audit and management expertise. She has led the planning, development and successful execution of financial, application and operational audits, compliance reviews, system implementations, and business process evaluations. Her focus is an integrated approach, and her experience spans all areas of business to help management with their process and control environment.
Sargon Youmara, CPA, is a principal with a deep understanding of financial reporting, project management, business process improvement and risk management. A trusted advisor, he provides expertise leading Sarbanes-Oxley compliance initiatives, including the requirements of the Public Company Accounting Oversight Board (PCAOB), the Securities and Exchange Commission (SEC), and the Committee of Sponsoring Organizations (COSO).
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.