Sponsored Content
This content is made possible by our sponsor; it is not written by and does not necessarily reflect the views of Bloomberg LP's editorial staff. See our Advertising Guidelines to learn more.
Brought to you by KPMG

How Is Your Company Protecting Against Vendor Risk?

As corporate outsourcing grows, so does the need for due diligence in the supply chain

Floods, fires, droughts, wars, hacks, ransomware, corporate espionage, pandemics, data leaks: The risks to business continuity and reputation seem to be growing each day. Now take those risks and multiply them by all the businesses that your company relies on for its daily operations—dozens or even hundreds of suppliers. If something happens to them, what happens to you?

Businesses have long outsourced operations in hopes of gaining strategic efficiency, and outsourcing is now easier than ever. But as your vendor ecosystem grows, so do the risks: a disruption suffered by one provider can cascade through the rest of your business.

Even for the largest companies, with well-established procurement teams, regularly probing the inner workings of hundreds of vendors is a laborious task requiring considerable expertise and frequent access to proprietary information. In today’s complex supply chain environment, there’s a growing need for independent specialists to provide assurance that vendors have the proper controls in place. It’s a natural role for auditors, many of whom can now analyze virtually any business system through a System and Organization Controls report, or SOC report for short.

“The business risks related to digitalization and outsourcing continue to increase,” says Heather Paquette, National Technology Assurance Leader at KPMG in the US. “A SOC report is one way to identify the risks as well as the controls in place. It provides a transparent understanding of which risks you’ve chosen to outsource, and it’s a generally accepted standard that outsourcing organizations use to meet the requirements of customers, stakeholders or regulators.”

Vetting made easy

SOC reports, based on standards developed by the American Institute of Certified Public Accountants (AICPA), broadly aim to help ensure that data and services are secure and accessible. While SOC 1 reports focus on controls that support financially relevant processes, SOC 2 and SOC 3 reports can cover virtually any aspect of business operations and processes. The reports clarify the division of responsibilities between vendors, customers and users, and help both sides identify and address outstanding risks.

SOC reports offer a more efficient and more reliable alternative to the traditional approach of vendor surveys, which usually involves a company sending out detailed annual questionnaires, says Paquette. Some procurers require a SOC report in their contracts with vendors, and regulators or customers may also request one.

Newer vendors often commission a SOC report to “swim upstream,” Paquette says. “Let’s say a tech company would like an S&P 500 company to use their service. To get to that customer base, you must provide assurance that your control environment is secure and reliable.”

The many reasons for SOC reports

The emergence of cybersecurity as a board-level concern has made a special kind of SOC report, known as a SOC for Cybersecurity, one of the most requested reports. Many hackers know that one of the most effective ways to infiltrate a company is through an IT service provider. In two major recent incidents, downstream customers of IT management companies downloaded malware-infected updates that left them vulnerable to ransomware attacks.

The SOC for Cybersecurity is designed to be rigorous and to provide a standardized framework for reporting on cyber risk management and the effectiveness of controls. “It begins a dialogue with service providers,” says Bernie Wieger, a Partner in the Technology Assurance Audit practice of KPMG in the US. “You can ask probing questions or ask them to expand on areas of concern, and it can become part of an annual routine to see if there have been any changes to their risk profile.”

The need for SOC reports (and similar forms of technology auditing) is also growing in other areas, including:

Cryptocurrencies and Blockchain

More companies are putting crypto on their balance sheets and seeking assurance that their outsourced providers—especially crypto custody providers—are secure and reliable, notes Wieger. And companies joining the growing number of consortia building blockchain-based, auto-executing smart contracts are seeking assurance that the resulting transactions accurately reflect consortium agreements, Paquette says.

ESG

The US Securities and Exchange Commission is planning to require companies to report on their ESG performance, and auditors can help to ensure that this information is accurate and complete. One potential role for SOC reporting is to help account for companies’ Scope 3 or “e-liabilities” of purchased goods—say, the carbon emitted when a vendor produces a piece of procured equipment.

Supply Chain

Recent events like the pandemic, trade conflicts, and global hacks have highlighted the fragility of the modern global supply chain. The AICPA has outlined a SOC for Supply Chain report that is a risk reporting and management framework specifically for producers, manufacturers and distributors; it can cover areas such as cybersecurity, product performance specifications and conformity with regulations. A SOC for Supply Chain report fosters transparency and helps companies feel confident that their partners can meet their contractual obligations.

SOC 2+

Companies are also interested in understanding whether their controls satisfy other industry frameworks. SOC 2 reports cover criteria such as security, availability, processing integrity, confidentiality and privacy. Because the frameworks a company must comply with often overlap, SOC 2+ reporting can complement frameworks such as HIPAA, ISO or NIST by addressing each relevant framework in a single report.


More companies are using digital technologies to create or modify business processes, reshape business models or transform their culture, and outsourcing is key to achieving these goals. As they outsource complex and vital processes such as mobile banking, customer relationship management and web-based or mobile payment processing, companies need a relatively easy and reliable way to gain independent assurance that their service providers and vendors are committed to rigorous security and internal control processes.

“Companies are asking: Who can I trust to evaluate these vendor relationships that’s truly independent?” says Wieger. “CPAs have been playing this role for a long time, and CPAs have the capability to continue doing so in the digital world.”

Next steps

Companies should be asking key questions to address operational and vendor risks. These include:

  • Do we have a comprehensive list of our key vendors?
  • How do we obtain assurance that a vendor has controls in place to meet its obligations to our company?
  • Do we have a contingency plan if a vendor is not able to satisfy its obligations to our company?

The risk of an interruption in vendor-supported processes can be serious, so having a well-thought-out strategy to address vendor risk is paramount. A cornerstone of that strategy is independent third-party verification of vendor risk mitigation. Verification options such as SOC reporting can provide much-needed assurance as part of a company’s comprehensive plan to ensure operational continuity.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.