Reviewing the SSAE-16 is the tip of the iceberg in vendor management
It’s time to take your vendor relationship to the next level. If you thought that simply reviewing the SSAE-16 report (the replacement for AICPA’s SAS-70) and the annual report of those vendors who provide outsourced solutions to your financial institution was all you needed to manage your vendor and complete a risk assessment, you’re wrong!
Why? Outsourcing vendors can be complex organizations with many business units, and it can be very difficult to review the SSAE-16 reports of every business unit your organization actually uses. (SSAE-16 is “Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.”) An example would be an organization that uses one vendor for core banking application processing, hosting the Internet Bank, driving its ATMs, and/or producing its debit cards. These solutions could be located in three or more different data centers and run by three or more different business units of the vendor.
Next, managing your technology risk with outsourcing vendors doesn’t stop at reviewing a couple of reports. More importantly, your vendor may have an unqualified opinion from the audit firm that conducted the SSAE-16 review, yet it may very well have an unsatisfactory data processing exam from the regulator.
In addition, reviewing the vendor’s annual report may only hint that there is trouble brewing. You would have to follow the 10-Q filings for every quarter, attend the investor conference calls (if the vendor is publicly traded), ask questions if you’re allowed to, and you may still find yourself in an uninformed position.
Furthermore, you may review the correct reports, but the control objectives covered by the report may not reveal any problems, and they most certainly do not go to the same depth as an FFIEC Data Center exam does.
You need to go to the next level in vendor management and continued relationship due diligence. The recommendation for those institutions that have contracted for outsourced applications is to contact your lead regulator and ask for a copy of the most recent data center exam report. This request should be in writing and come from a C-level executive of your organization.
From our point of view, outsourced vendors are not immune to system security failures, breakdowns in procedures, weak management structures, and complacency. Some or all of these may or may not be found in the SSAE-16 or annual reports.
Asking for, and receiving, a copy of the data center exam of your outsourcing vendors on an annual basis from your lead regulator should be a mandatory step in your risk management and vendor management program. Stay informed… get the report!