By now, many organizations have begun to receive control audit reports covering 2017 (SOC1/SSAE18 and SOC2). One element of note is the emergence of subservice organizations, or fourth parties, in reports generated after May 1, 2017.

It is interesting to see the reveal of underlying providers (fourth parties) within the updated reporting formats. While these new formats intentionally define what is being performed by contracted fourth parties, the disclosure of who is performing these efforts is often not as revealing as we expected or hoped. At times, there is a fog placed on the identities of fourth parties; phrases like "industry-recognized third party" or "subservice organization" are inserted in place of the names of the companies your vendors have outsourced responsibilities to.

In April 2016, the American Institute of Certified Public Accountants (AICPA) announced an updated standard. This Statement on Standards for Attestation Engagements 18 (SSAE 18) is set to supersede the widely known SSAE 16 report that has been a mainstay with vendor management organizations tracking vendor adherence to defined controls since 2010.

The new SSAE 18 will be effective for reports produced after May 1, 2017, but organizations can adopt it earlier.

The new standard will require companies to monitor service organizations’ subservice organizations—or in vendor management terms, fourth-party providers. Essentially, the SSAE 18 will expand on the existing SSAE 16 standard to include validation of effective vendor management, as practiced by your vendors for their contracted fourth-party providers. This includes fourth-party monitoring beyond the initial vetting and selection process, just as required of FIs.

In early 2016 VendorInsight® implemented features to track, capture, and monitor risks associated with fourth-party vendors.

While the new standard is required for reports after May 1, 2017, many of the reports generally available from vendors supporting the financial services industry tend to cover an audit period from the late third or early fourth quarter. As such, we would expect the vast majority of 2017 vendor reports to report on audits completed prior to the start of the new SSAE 18 standard.

When fully deployed in 2018, this new standard offers the promise of added visibility to key vendor fourth-parties that today may not be easily discerned. It will also shine a light onto the vendor management practice of your vendors who have historically kept this discipline out of sight and away from detailed review. We see this as an important next step for the evolution of industry best practices for vendor risk management, and we are already equipped and prepared for this expanded tracking within our solutions and service offerings. To learn more about the new standard, follow the links below to download our FREE SSAE 18 eBook or speak with a VendorInsight Team Member about how your organization can prepare for the new standard.