SOC Report Complementary User Entity Control Attestations
2 hours ago
As part of our Third-Party Risk assessments we do a full SOC 2 Type 2 report review. As part of that review we are required (by our upper management) to obtain attestations from vendor contract owners that any Complementary User Entity Controls (CUECs) listed in the SOC report are in place.
I see control attestations are in place in the SNow TPRM module, but when I create an attestation from that it disappears into the void, and the only place I can find it is in the Service Provider's details. It does not appear in the TPRM module/review/engagement at all. And, since 1) CUECs are not *really* "controls" (they are more legal disclaimers that are tied to controls), and 2) they can change in every SOC report a vendor releases (i.e. the CUECs listed this year are not the same as those listed last year), this is unacceptable and unworkable. It's a complete show-stopper to using the TPRM module the way we need to use it.
Meanwhile, I tried to set up the CUEC attestation as an Issue, or as a Task, and those can only be "Submit(ted) To Third-Party". (Which again is not good, I should be able to assign a task or issue to *anybody* in-house or third-party that needs to respond to any task or issue my team finds).
Is there any kind of workaround for any of this? We are essentially just using the TPRM module as a storehouse for attached Excel and Word documents, where we actually do all the work of TPRM. Literally, the only useful features we have found are the tiering questionnaires and sending SIG assessments.
Which brings up another issue. Since we are required to review the SOC reports, I am working to set up a "tiering questionnaire" as a SOC Review questionnaire since there seems to be no other option to send an assessment or questionnaire to an in-house employee. Am I missing something? Is there a way to create an assessment or questionnaire and then send that to another employee, or myself, to review a document (and then turn that into a PDF to hand over to the vendor contract owner for their files)?
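The bookkeeping the post is asking the TPRM module to do (one attestation per CUEC, per SOC report period, from the vendor contract owner, with CUECs that are added, dropped or renumbered between reports) can be modelled outside the tool. The following is an added example, not ServiceNow code and not part of the original post; the vendor name, CUEC wording, people and dates are constructed. It matches CUECs between reports on their text rather than their number, because a CUEC that keeps its wording but moves from "CUEC-2" to "CUEC-3" is the same obligation, while a reused number with new wording is a new one.

```python
"""Track Complementary User Entity Controls (CUECs) across SOC 2 report
periods and the per-CUEC attestations owed by the vendor contract owner.

Constructed example: vendor, CUEC text, attester and dates are made up.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cuec:
    ref: str   # identifier as printed in the SOC report, e.g. "CUEC-3"
    text: str  # the control the user entity is expected to operate


@dataclass
class SocReport:
    vendor: str
    period_end: date
    cuecs: list  # list[Cuec]


@dataclass
class Attestation:
    cuec_ref: str
    attested_by: str
    attested_on: date
    report_period_end: date  # which report period the attestation covers


def diff_cuecs(previous: SocReport, current: SocReport):
    """Return (added, removed, carried) CUEC refs of `current` relative to
    `previous`. Matching is on control text, not ref number, so renumbered
    CUECs are reported as carried and reworded ones as added/removed."""
    prev = {c.text: c for c in previous.cuecs}
    curr = {c.text: c for c in current.cuecs}
    added = sorted(curr[t].ref for t in curr.keys() - prev.keys())
    removed = sorted(prev[t].ref for t in prev.keys() - curr.keys())
    carried = sorted(curr[t].ref for t in curr.keys() & prev.keys())
    return added, removed, carried


def outstanding_attestations(report: SocReport, attestations: list):
    """CUECs in `report` that have no attestation given against this
    report period. An attestation from a prior period never counts, since
    each new SOC report restates the CUECs."""
    covered = {a.cuec_ref for a in attestations
               if a.report_period_end == report.period_end}
    return sorted(c.ref for c in report.cuecs if c.ref not in covered)


# --- constructed sample data -------------------------------------------
LAST_YEAR = SocReport("ExampleVendor", date(2023, 12, 31), [
    Cuec("CUEC-1", "User entity restricts access to the service to authorized personnel."),
    Cuec("CUEC-2", "User entity reviews vendor-provided access reports quarterly."),
])
THIS_YEAR = SocReport("ExampleVendor", date(2024, 12, 31), [
    Cuec("CUEC-1", "User entity restricts access to the service to authorized personnel."),
    Cuec("CUEC-2", "User entity enables multi-factor authentication for all accounts."),
    Cuec("CUEC-3", "User entity reviews vendor-provided access reports quarterly."),
])
ATTESTATIONS = [
    Attestation("CUEC-1", "contract.owner@example.com", date(2024, 2, 1), date(2023, 12, 31)),
    Attestation("CUEC-2", "contract.owner@example.com", date(2024, 2, 1), date(2023, 12, 31)),
    Attestation("CUEC-1", "contract.owner@example.com", date(2025, 2, 3), date(2024, 12, 31)),
]

if __name__ == "__main__":
    added, removed, carried = diff_cuecs(LAST_YEAR, THIS_YEAR)
    print("added:", added, "removed:", removed, "carried:", carried)
    print("still owed for", THIS_YEAR.period_end, ":",
          outstanding_attestations(THIS_YEAR, ATTESTATIONS))
```

Running it shows that this year's "CUEC-2" is a new obligation (the old CUEC-2 text now lives at CUEC-3), and that only CUEC-1 has been attested against the 2024 report, so CUEC-2 and CUEC-3 are still owed by the contract owner. The same two functions can be fed from a spreadsheet export if the attestations continue to live in attached documents rather than in the module.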