SOC Compliance and Service Providers

0
572
Home
> Risk > SOC Compliance and Service Providers

SOC Compliance and Service Providers

I always read advice and guidance from Protiviti, especially when Jim DeLoach is involved in it. The firm is a prolific source and they often have good advice – but not always.

A couple of weeks ago, they published Preparing for Annual SOX Compliance Amid COVID-19:  Outsourced Processes and Use of Third-Party Providers Remain Relevant to ICFR.

First, let me reset your expectations. Their article and this post have next to nothing to do with COVID-19. They are using that as a hook; the only point they make relative to COVID is that the SOC-1 reports might be delayed.

Protiviti has been pushing this article on social media, so I am going to share my thoughts before people start down the wrong path.

They outline and discuss these steps:

  1. Inventory your providers
  2. Obtain SOC reports
  3. Map controls from the SOC report to management’s processes
  4. Evaluate deficiencies identified in the SOC report and assess potential impact to your business
  5. Obtain bridge letters
  6. Determine impacts from the pandemic
  7. Take appropriate actions

Now why is this the wrong path?

It is not top-down and risk-based. It is fundamentally bottom-up.

Here’s a better series of steps:

  1. When you perform your SOX scoping, identify where you are…

Подробнее…