The Microsoft Wrinkle to Third-Party Risk Management

by Matthew Schiavone, CPA, CISSP, CISA Dec 20, 2022, 07:00 AM



Third-party risk management – or the minimization of risks introduced by third-party organizations – is a critical component of all cybersecurity programs. Every organization’s risk tolerance is different, and therefore every third-party risk management program is different. CPAs are service providers, and many of your clients are service providers, so you may be familiar with requests to fulfill a third-party risk management program. Perhaps you have been asked to provide an annual System and Organization Controls (SOC) 2 report, International Organization for Standardization (ISO) 27001 certification, or some other demonstration of security controls. One company – one very large global enterprise – has its own security protocol to which its vendors must adhere. Those who serve Microsoft Corp. in some fashion will soon find themselves required to comply with the tech giant’s Supplier Security and Privacy Assurance (SSPA) program. 

Microsoft has three offices in Pennsylvania: Pittsburgh, Malvern, and King of Prussia. Each likely taps multiple vendors through the course of the year in addition to those Pennsylvania companies that work with other corporate sites. Microsoft’s SSPA requires all of its vendors that process any personal or confidential information to demonstrate compliance with the company’s data protection requirements (DPR) on an annual basis. The latest DPR (version 8.0) was released in June 2022 and identifies 50 requirements across 10 domains.  

The Process 

Microsoft’s SSPA begins with an accounting. Each vendor makes data processing profile selections that align with the goods and/or services it performs for Microsoft. These selections trigger corresponding requirements to provide compliance assurances to Microsoft. These standards are communicated through the Microsoft supplier DPR and include various requirements applicable to each supplier profile.  

Upon onboarding, and annually thereafter, all vendors must submit a self-attestation of compliance with the DPR. During self-attestation, a vendor must provide a “Compliant,” “Not Compliant,” “Not Applicable,” “Legal Conflict,” or “Contractual Conflict” response to each DPR requirement. Each self-attestation is then submitted to Microsoft for approval.

For low-risk vendors, the annual SSPA exercise stops with Microsoft approval and acceptance of the self-attestation. For most vendors, though, Microsoft demands a higher level of assurance. Often this is achieved through an independent assessment performed by a qualified assessor. Qualified assessors must be affiliated with the AICPA or the International Federation of Accountants, or must possess certifications from other relevant privacy and security organizations, such as the International Association of Privacy Professionals or the Information Systems Audit and Control Association.  

Independent assessors will take the self-attestation submitted to and approved by Microsoft and conduct an examination to validate the self-attestation. This provides assurance to Microsoft that it is accurate and compliance is achieved. So, even if a CPA firm is not directly a third-party vendor to Microsoft, this essential audit requirement could be a unique service opportunity for firms aware of this program.

In the first year, an assessor will test the design of the controls to ensure conformity with the DPR. Subsequent assessments will test the operating effectiveness of the controls. The test of operating effectiveness will involve more substantive control testing, thus a more rigorous audit. Once the testing has concluded, the assessor will issue an attestation report that is restricted to the supplier and Microsoft. Upon successful upload to the Microsoft portal and approval from procurement, the vendor’s status will remain green until it is time to submit the self-attestation and undergo review next year.  

Alternatives

Microsoft does offer acceptable alternatives for the independent assessment to verify compliance to the DPR.   

ISO 27701 (privacy) and ISO 27001 (security) are relied on as mapping closely to the DPR. If the scope of services is covered by an ISO certification, a separate SSPA independent assessment is not required.

Where a supplier is a health care provider in the United States or covered entity, Microsoft will accept a Health Information Trust Alliance (HITRUST) report for privacy and security coverage.  

Leveraging Requirements

Your clients who are vendors to Microsoft more than likely have a customer base that extends beyond supplying Microsoft. As such, you should understand that the annual SSPA audit is unlikely to fulfill any vendor risk management requests beyond Microsoft – not to mention that the final report is confidential and restricted, so your client would be unable to share the results with others anyway.   

If you find yourself in this situation, you may want to leverage more widely adopted frameworks to meet the Microsoft SSPA requirements as well as the requirements of others. These can include the ISO and HITRUST certifications previously mentioned. Some of the advantages in doing so include reduced audit fatigue, enhanced marketability and reputation, and a more cost-effective solution. 

Microsoft does permit submission of an active ISO 27001/27701 certification in place of independent assessment. That means you can skip the Microsoft deliverable altogether if you have obtained these certifications, which are globally recognized and accepted. They show evidence of an effective security (27001) and privacy (27701) management system. Of course, the scope of these certifications must align to the systems and services provided to Microsoft.

As mentioned above, if a supplier is a health care provider or a covered entity, Microsoft will accept a HITRUST report for privacy and security coverage. Achieving HITRUST or ISO certification is no simple task, but both are potentially worth undertaking. Then again, if you have sufficient security and privacy processes in place, you may be able to achieve the same advantages through SOC 2.

SOC 2, the popular mechanism for communicating an organization’s security posture and its ability to meet service-level commitments, is designed for service organizations, so it could be an attractive and beneficial instrument. Similar to ISO, the controls and processes used to achieve security and privacy can be included within the scope of the report. As a result, you can use one audit to satisfy both Microsoft’s and the client’s requests, provided the scope of the report also includes the services provided to Microsoft.

It is worth noting that Microsoft does not accept a SOC 2 report in lieu of its SSPA requirements. However, as an assessor you can satisfy Microsoft’s requirement through a separate deliverable that is derived from a SOC 2 audit. As such, you can still maintain a cost-effective solution that reduces audit fatigue and provides greater value to the organization.  

Matthew Schiavone, CPA, CISSP, CISA, is managing director of risk assurance and advisory with Cherry Bekaert Advisory in Vienna, Va., and is a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at matt.schiavone@cbh.com.
