Well, not exactly. Many of us are all too familiar with the e-mail and phone chase of your vendor population to obtain their third-party control audits. Most know control audits by their various designations: SSAE16 or SOC 1, SOC 2, be they Type I or Type II. Confused yet?
What seems to have grown in scrutiny with control audits is not the receipt, review and acceptance of your third- (and fourth-) party control audits by an independent auditor rendering an unqualified opinion, but that deep inside these documents there is actually information that you are charged to validate within your own institution's control environment. You typically find the Complementary User Entity Controls as a separate section in the Table of Contents page of any professionally completed control audit report.
Complementary User Entity Controls are those things that your institution must perform from your side of a vendor relationship. As an example, if a vendor is posting transactions that you submit, the Complementary User Entity Control will likely require that you balance and validate the batch of transactions prior to submission. That makes perfect sense, right?
The catch is that someone physically needs to verify that your controls match those prescribed by your vendor. And at some point an auditor or examiner will ask you, if they have not already, for this internal control validation. The person performing the validation needs exceptional internal control documentation or must possess intimate working knowledge of your organizational structure, processes and policies. The verification of controls likely leads them on a hunt for signatures across the organization: accounting, operations, items processing, IT, etc.
This is an area where solution providers such as VendorInsight® can provide assistance in organizing the required validation efforts and certifications, whether that means specific reports or tracking outstanding control item exceptions. While many may still want to copy and sign the top of the page from the SSAE16 ("John Smith, SVP, We Do This!"), this approach will likely not meet expectations, if it ever did, for much longer. VendorInsight® is designed to improve in this critical area of Vendor Risk Management. If you’d like to schedule a consultation with a member of our team, follow the link below and we’ll be in touch soon!