Besides calling for a SOC2 report in connection with security, the great thing about the originator of this RFP (whoever they are) is that they included this language:
The Contractor’s SOC 2 Audit Plan shall identify the independent entity that will perform the Contractor’s SOC 2 Audit, or a description of the means by which the Contractor will select its SOC 2 independent auditor. The OUR COMPANY Contract Manager will have 10 days to review and comment on the SOC 2 Audit Plan, and shall identify any concerns with the scope of the audit, the independence or capability of the SOC 2 auditor, or the described plan to obtain an independent SOC 2 auditor.
In other words, the contract manager is empowered to veto the auditor that the service organization selects! This is great news for ethical auditors and very bad news for unethical auditors.
This started me thinking. On what grounds would a contract manager veto a selected auditor? How about using the same basis that ethical auditors use to screen the clients that they accept? One of my CPA firm partners introduced me to the concept of prospective client background investigations. Please see the following (sanitized)verbiage from an actual form they require all prospective clients to fill out:
Due Diligence Background Investigation Disclosure Form
We may, with your consent, obtain a background investigation report related to a prospective or current business relationship you may have with us. This may include procurement of a consumer report or an investigative consumer report (defined as a report that includes information as to your character, general reputation, personal characteristics, or mode of living).
By signing below, you grant permission to us or any of our affiliated or subsequent companies to obtain such report or reports at any time. You also grant permission to all parties to release information regarding your previous or current military service, employment, education, or criminal matters, including information which may be deemed negative.
Detailed background reports are available for $29.95 on People Smart. I would encourage anyone accepting third party risk assurance from their service providers to do a quick Google search to find out who the executives of the audit firm are, and make an objective decision about whether to accept their risk assurance or not.