Third Party Service Provider Reports, also known as SSAE 18 SOC Reports, are required to be reviewed as part of Attestation Engagements, however they can also provide value when utilizing third party service providers or when considering cloud storage environments. Organizations can gleam great value by applying the appropriate level of due diligence during the procurement process. During this course we discuss the role of the Procurement Department, critical components of the SSAE SOC report and the importance of ensuring security, confidentiality, and availability.

We walk through review processes to ensure Corresponding End User Control Considerations are in place, analysis to be performed to ensure SSAE18 reports include adequate control coverage, appropriate test procedures and appropriate conclusions. Lastly, we explore Procurement’s role in today’s cloud computing environment. We discuss valuable uses for the SSAE report and security questionnaires, beyond checking the requirement box.

Course Key Concepts: Procurement, Security Questionnaires, SSAE 18, SOC, SOC 1, SOC 2, SOC 3, Third Party Service Provider, IT General Controls, Service Provider Reports, Cloud Security.

Learning Objectives
  • Recognize initial questions to consider when auditing 3rd Party Service provides and/or cloud environments.
  • Discover and discuss the role of Procurement.
  • Identify critical questionnaire components.
  • Identify and understand the SSAE18 SOC Report.
Last updated/reviewed: March 27, 2024

Included In Certifications

This course is included in the following Certification Programs:

10 CoursesInformation Technology Auditor Certification

  1. Understanding Information Technology Governance and the Application of NIST
  2. Performing a Security Risk Assessment
  3. Auditing Data Security IT Computer Controls
  4. Auditing Third Party Service Providers and Cloud Environments
  5. Auditing Automated Business and Financial Transaction Processes
  6. Auditing Logical Security and Logical Access Controls
  7. Auditing Change Management
  8. Auditing the Network
  9. The Importance of Incident Response, Disaster Recovery and Business Continuity Planning
  10. Information Technology Audit Summary
16 Reviews (72 ratings)

Reviews

5
Member's Profile
By far the best explanation of SSAE/SOC reports that I've been exposed to! As an internal auditor, I truly appreciate the advice on auditing SOC reports and the review templates Wendi shared. She doesn't merely recite definitions in this course, but provides numerous real world examples that we can all relate to that really help with understanding the critical components of each report and how to review them. Thank you, Wendi! ;)

5
Member's Profile
Very comprehensive and imfo content The instructor explained all topics in the course in easy and friendly manner I highly recommend this course to everyone who seeks cybersecurity course or to fulfill isaca cpe for isca certifications. Many thanks to illumeo All your courses are excellent and comprehensive in all fields.

5
Member's Profile
I thought this was well-explained. I didn't know much about the subject matter before this, so I feel like I learned a lot from this course. Wendi explained things pretty thoroughly and provided explanations and examples throughout the presentation which really helped me in understanding what she was talking about.

5
Anonymous Author
this course is a good consolidation of TPRM procedures and where the risk lies. The mitigating procedures are important to understand and will assist in acquisition and yearly maintenance on vendors.

4
Anonymous Author
The material presented was useful and will definitely benefit me and my team. We are responsible for our own Co. SOC testing and reporting as well as review the SOC reports of our third parties.

4
Anonymous Author
This course provided good guidance on questions to consider for auditing 3rd parties and on the critical components of the SSAE 18 SOC Report.

5
Anonymous Author
I enjoyed learning more about procurement. I often see what a key role it plays, but am glad to know some more specifics about the topic.

5
Member's Profile
Great course for better understanding the SOC reports and how they apply to our organization. Hit the need perfectly - thanks Wendi!

4
Anonymous Author
This was a solid course for those of us who have never been exposed to this sort of terminology and information.

5
Anonymous Author
This was a new topic for me so I appreciated Wendi's ease of the subject. It was enjoyable and easy to follow.

5
Anonymous Author
great overview with practical examples. topics built upon each other. Types of SoC reports very helpful

4
Anonymous Author
Nice webinar on this topic. I appreciate the instructors examples used throughout the course.

5
Anonymous Author
This was a great course that was presented well. I would recommend it to others.

4
Anonymous Author
Good presentation of material, however, slides were a bit difficult to follow.

5
Anonymous Author
Great presenter with a lot of good details and helpful examples.

4
Anonymous Author
Very detailed information. Instructor was pleasant.

Prerequisites
Course Complexity: Foundational

No advanced preparation or prerequisites are required for this course.

Education Provider Information
Company: Illumeo, Inc., 75 East Santa Clara St., Suite 1215, San Jose, CA 95113
Contact: For more information regarding this course, including complaint and cancellation policies, please contact our offices at (408) 400- 3993 or send an e-mail to .
Instructor for this course
Course Syllabus
INTRODUCTION AND OVERVIEW
  Introduction to Auditing Third Party Service Providers and Cloud Environments3:00
  Initial Questions to Consider6:56
  The Role of Procurement10:48
  The Security Questionnaire11:10
  Type of Report7:28
  Critical Components of The SSAE 18 SOC Report16:04
  Review Test Procedures6:14
  The Review Template3:26
CONTINUOUS PLAY
  Auditing Third Party Service Providers and Cloud Environments1:05:06
SUPPORTING MATERIAL
  Slides: Auditing Third Party Service Providers and Cloud EnvironmentsPDF
  Auditing Third Party Service Providers and Cloud Environments Glossary/ IndexPDF
REVIEW AND TEST
  REVIEW QUESTIONSquiz
 FINAL EXAMexam