Auditing Third Party Service Providers and Cloud Environments

Third Party Service Provider Reports, also known as SSAE 18 SOC Reports, are required to be reviewed as part of Attestation Engagements, however they can also provide value when utilizing third party service providers or when considering cloud storage environments. Organizations can gleam great value by applying the appropriate level of due diligence during the procurement process. During this course we discuss the role of the Procurement Department, critical components of the SSAE SOC report and the importance of ensuring security, confidentiality, and availability.

We walk through review processes to ensure Corresponding End User Control Considerations are in place, analysis to be performed to ensure SSAE18 reports include adequate control coverage, appropriate test procedures and appropriate conclusions. Lastly, we explore Procurement’s role in today’s cloud computing environment. We discuss valuable uses for the SSAE report and security questionnaires, beyond checking the requirement box.

Course Key Concepts: Procurement, Security Questionnaires, SSAE 18, SOC, SOC 1, SOC 2, SOC 3, Third Party Service Provider, IT General Controls, Service Provider Reports, Cloud Security.