As companies continue to outsource activities to third-party services, managing risks has continually evolved — most significantly in the area of data protection. With increasing scrutiny over cybersecurity, many organizations are focusing on system and organization control (SOC) 2 reports that address controls relevant to data security, availability, processing integrity, confidentiality, and privacy. Along with the increased demand for these services, software vendors have started offering solutions — referred to as governance, risk management, and compliance (GRC) tools — to help organizations become “SOC 2-ready.”
The benefits of implementing a SOC 2 GRC tool
Some of the benefits of implementing a SOC 2 GRC tool as part of your compliance efforts include:
- A “starting point” if your organization doesn’t have policies and procedures documented, including templates for documentation.
- A document repository for storing documentation to support a future audit.
- Electronic distribution of questionnaires throughout the organization to automate the risk assessment.
- Automatically pulling information directly from other security and IT systems that will be necessary for future audits.
- Integration directly into security monitoring tools to gather data for continuous controls monitor and audits.
Evaluating SOC 2 GRC tool vendors
When evaluating SOC 2 GRC tool vendors, there are various important factors to consider. As with any software purchase, your organization should thoroughly evaluate potential solutions in terms of cost to implement and maintain, vendor reputation, whether the software will be hosted or purchased off the shelf, and whether there’s someone internal that will be able to administer and maintain the tool, among other things.
But one critical and frequently overlooked consideration is the impact the tool will have on your auditor’s ability to effectively and efficiently conduct SOC 2 examinations.
Audit considerations for SOC 2 GRC tools
From an audit perspective, there are several critical questions that your organizations should ask.
- If the SOC 2 GRC tool is hosted by a third-party vendor and stores sensitive information, will the tool be considered “in scope” for the sake of the SOC 2 examination, and will customers want assurances that the data is kept secure and confidential?
- Will the tool vendor have access to a significant amount of sensitive information, such as personal identifiable information (PII), proprietary information, and confidential company information? If so, would a breach at the tool provider expose the service organization to the negative impacts of an unauthorized disclosure or potentially give cybercriminals additional information to make their attacks more effective?
- If the tool is being used as a repository or is gathering information from other systems, would that information be considered “information provided by the entity” that the service auditor is required to evaluate for completeness and accuracy?
- Does the tool take a “one-size-fits-all” approach, or will it be tailorable to the unique risks that your organization faces?
- Is a CPA firm partnering with the software vendor and hosting the tool? If so, would the vendor and CPA firm be classified as a subservice organization that would need to be either “included” in the examination or “carved-out?” Are there other factors to consider around the CPA firm’s independence in performing the SOC examination?
- Are the controls built into these tools sufficient to meet the necessary criteria?
- Will the organization’s management have a good enough understanding of the tool and the potential impacts to support their assertion?
In conclusion
While the benefits of implementing a SOC 2 GRC tool are clear, there are considerations and underlying factors that must be considered before choosing a solution and granting a vendor access to important information. It’s critical that management, the service auditors, and the users are in the loop during the evaluation process and understand the risks involved in using these tools to supplement SOC 2 efforts. Need more information? Give us a call.
