Outsourced Service Providers: What You Don’t Know Can Hurt You

While utilizing outsourced service providers (OSPs) is popular, companies must understand the wide range of risks associated with vendor relationships. A Service Organization Controls report per AICPA standards (SOC 1, 2 or 3) is a start, but far from sufficient to fully guard against cyber-security, competency, ethics, accountabilities, and other risks. Dependencies on key venders significantly change an organization’s risk profile, and therefore the necessary control response. Companies need to utilize a risk-based approach to consider additional screening, monitoring controls, and communication protocols with key OSPs. Learn a three-tiered approach, grounded in the COSO-2013 Framework, to better understand objectives, risks, and controls revolving around OSPs to protect shareholder value. 

Session Objectives:

• Identify and assess risks associated with vendor use pertaining to cybersecurity, confidential information, competency, ethics, accountabilities, and other areas.
• Apply COSO’s 2013 Framework with regards to its 17 principles and applicability to outsourced service providers.
• Understand the limitations of Service Organization Controls reports of the AICPA and residual risk exposures.
• Learn a practical risk-based approach in managing vendors by categorizing them into one of 3-tiers based on vendor importance and information shared.
• Identify efficient and effective ways to best monitor OSPs.
• Improve the vendor approval process with robust control considerations prior to entering into a business relationship.
• Reinforce roles of OSP oversight for managers, auditors, management accountants, board members.