As of SSAE 18 and the corresponding SOC 2 updates, vendor management, including review of any relevant compliance and audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/27002, PCI DSS, etc.), has become a key component of monitoring for security and compliance risks when functions are outsourced to a third party that handles the organization's data.
The attestation standards require that the criteria used in such an examination be suitable. Suitable criteria exhibit all of the following characteristics:
- Relevance. Criteria are relevant to the subject matter.
- Objectivity. Criteria are free from bias.
- Measurability. Criteria permit reasonably consistent measurements, qualitative or quantitative, of subject matter.
- Completeness. Criteria are complete when subject matter prepared in accordance with them does not omit relevant factors that could reasonably be expected to affect decisions of the intended users made on the basis of that subject matter.
The relative importance of each characteristic to a particular engagement is a matter of professional judgment.
Criteria are the benchmarks that give the practitioner a frame of reference for evaluating the subject matter. Without defined criteria, any conclusion is open to individual interpretation and misunderstanding.
SSAE 18 is an attestation standard rather than a financial-statement audit standard. Its section AT-C 320 provides the framework for reporting on an examination of controls at a service organization relevant to user entities' internal control over financial reporting (the SOC 1 report).