Vendor Risk: 11 Compliance Requirements for External Audits
A company should have the right to audit evidence of controls to verify compliance with its security requirements, applicable controls, and other contractual agreements. Vendors should preserve and produce, upon request, copies of data relevant to the services provided to customers. Audit rights should include the following specific requirements:
1. All data demonstrating compliance to customer’s security requirements, contractual obligations, and regulatory or legislative requirements must be retained for at least 12 months or in accordance with applicable laws and regulations.
2. When applicable, an SSAE 16 – type II report (otherwise known as a Service Organization’s Controls (SOC 1) report type II), or an ISAE No. 3402 audit report is required for SOX systems as specified in contractual agreements.
3. Vendors who handle customer trade secret information should be able to provide a Service Organization’s Controls SOC 2 or SOC 3 report.
4. Other equivalent independent audit reports may be acceptable to customers for non-SOX systems as long as they:
- Include the evaluation of all customer control requirements as outlined in customer’s requirements and contractual agreements;
- Verify both the design and the effectiveness of the controls; and
- Are performed by an independent professional audit firm.
5. When applicable, vendors processing, storing or transmitting payment cardholder data on behalf of customer should have a current compliant Payment Card Industry (PCI) Attestation of Compliance (AOC) or Report on Compliance (ROC) performed by a PCI Qualified Security Assessor.
6. Vendor should notify customer of any significant changes to the systems or processes supporting customer information prior to the change unless a delay would present a risk to maintaining the service provided.
7. Vendor should provide customer, or a mutually agreed upon an independent firm, permission to perform a security assessment to ensure compliance with the Vendor information security requirements and other contractual agreements. This will be performed:
- Not more than once per calendar year unless a security incident occurs;
- On a date and time mutually agreeable to the parties;
- In accordance with the agreed contract.
8. Customer should have the right to audit vendor systems which collect, manage, access, transmit or store customer information to verify compliance with security requirements and other contractual agreements. Where the vendor is unable to demonstrate compliance to security requirements or where a significant risk is present or where a security incident occurs, a vulnerability assessment or penetration test may be performed:
- On a date and time mutually agreeable to Vendor and Company;
- That does not infringe on the confidentiality of other customers; and
- The results of which will not be shared with any other parties aside from the vendor.
9. Vendor should provide a written assertion of compliance to information security requirements and contractual agreements annually.
10. Vendor should provide an agreeable corrective action plan with remediation date to address the root cause of the identified significant risk.
11. Vendor should remediate any identified risks in a timely manner agreeable to both parties based on the severity of the risk.