What to Expect From an SSPA Independent Audit – Clark Nuber PS


Posted on Apr 25, 2022 in SSPA Compliance
By Pete Miller, CPA
For Microsoft suppliers handling sensitive and/or confidential information, compliance with the Supplier Security and Privacy Assurance (SSPA) program is a complicated and varied annual exercise. As we previously discussed in an article on the annual compliance cycle, one of the steps in the program is an audit – known as an independent assessment in the SSPA program guide.
This article will focus on that assessment and shed some light on the moving parts and ingredients that make a successful audit (i.e., an audit that is accepted by Microsoft in a timely manner). We will discuss each of the three distinct phases of the audit: pre-testing, testing, and issuance.
The primary intent of the pre-testing phase is to identify and resolve issues early, before small problems become big ones. Because this foundational stage has many critical steps, each of them deserves care and consideration; more than either of the other two phases, a pre-testing phase that is handled carelessly can send the assessment off course or make it drag on unnecessarily.
To increase the likelihood of a successful audit and a smooth acceptance from the Microsoft SSPA team, the following steps should take place during pre-testing:
The Data Protection Requirements (DPR) self-attestation completed by a supplier is the first step in building the independent assessment report, and the review of the supplier’s accepted DPR responses is a critical part of the audit process, since the Microsoft SSPA team will later scrutinize it.
During the acceptance process, SSPA agents will review the scope of requirements tested in the independent assessment and reconcile it with the DPR responses. Microsoft expects these two data points to (a) be the same, or (b) have explanations provided for any differences. If a difference is not explained, the audit report may need to be revised. The revision process is not overly complicated, but it is an added step in the process that can and should be avoided to expedite the process and avoid a “red” status.
A supplier may have completed the DPR step in the process before they involve an assessor. In those cases, it is important that the supplier share a copy of the DPR with the assessor, so they are sure to be on the same page. In other cases, the DPR may not have been submitted to Microsoft and the assessor will have an opportunity to provide guidance and answer questions. In either case, it is helpful for suppliers to have submitted the DPR and have it approved/accepted by Microsoft before the assessor completes the assessment.
It is important for the assessor and the supplier to both have an accurate copy of the submitted and approved DPR, otherwise it may cause questions and delays in the acceptance process.
A critical review of the DPR responses by the assessor is essential to creating an efficient audit plan and expediting the acceptance process of the audit report by Microsoft. The SSPA program is complex, confusing, and intersects uniquely with each supplier. For these reasons, the responses suppliers offer to certain requirements are not always correct.
The assessor will want to look over the DPR responses to make sure they agree. In this scoping process, it is important to note that the Microsoft SSPA team tasked with reviewing and approving DPRs is primarily focused on looking for responses that are inappropriately marked as “Does Not Apply.” They are concerned with a requirement not being audited when it should be.
This also means that the Microsoft SSPA team is not looking critically in the other direction, at a “Compliant” answer that is incorrect. That is where the assessor can provide advice and guidance. Remember, when a supplier responds “Compliant,” they are also asserting that the requirement applies to their work for Microsoft, which places that requirement in the scope of the audit. The assessor’s analysis for incorrect “Compliant” responses is therefore critical, as the following example demonstrates:
This demonstrates the importance of the assessor and the supplier being on the same page when it comes to scoping and applicability. If the supplier and assessor agree that a “Compliant” response was submitted in error, then this can be flagged in the audit report as being different from the DPR response and explained by the assessor for Microsoft to consider.
Once the scoping has been set, the next step is to determine if the supplier is actually compliant with each applicable requirement, and if they have documentation or other evidence that can be provided to the assessor to support their compliance.
It is certainly possible that a supplier could have implemented a process – such as a practice of periodically purging data from a database in response to requirement #13 – but not have a documentation trail or automated process to provide to the auditors. If a gap like this is identified, the assessor can work with the supplier to provide guidance or a starting point to fill in the gap.
Evidence will need to be gathered to support your compliance with each applicable requirement. This sounds simple, but as mentioned earlier, the SSPA program is complex, confusing, and intersects with each supplier in unique ways. Interpreting the evidence needs for each requirement is a role the assessor should play. This should be a collaborative process and an open conversation between supplier and assessor.
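The purge-without-a-paper-trail gap mentioned above is the kind of control that is easy to operate but hard to evidence. The following is an added example, not code from the article, from Clark Nuber, or from Microsoft: a scheduled retention purge that deletes records past an assumed 90-day window and records every run in an append-only, hash-chained purge log that can be handed to an assessor. The table and column names, the retention period, the fixed demo clock and the sample rows are all assumptions for illustration; nothing here is drawn from the text of any SSPA requirement.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Added example; every name and value below is an assumption for illustration.
RETENTION_DAYS = 90  # assumed retention window; take the real one from the retention policy
SAMPLE_NOW = datetime(2022, 4, 25, tzinfo=timezone.utc)  # fixed clock so the demo is repeatable
GENESIS = "0" * 64  # prev-hash recorded by the very first log entry

SCHEMA = """
CREATE TABLE IF NOT EXISTS customer_data (
    id          INTEGER PRIMARY KEY,
    received_at TEXT NOT NULL,   -- ISO-8601 UTC; same format everywhere so string compare is safe
    payload     TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS purge_log (
    run_id             INTEGER PRIMARY KEY,
    run_at             TEXT NOT NULL,
    cutoff             TEXT NOT NULL,
    rows_deleted       INTEGER NOT NULL,
    deleted_ids_sha256 TEXT NOT NULL,  -- digest of the deleted primary keys
    prev_entry_sha256  TEXT NOT NULL   -- digest of the previous log entry (the chain)
);
"""
LOG_COLS = "run_at, cutoff, rows_deleted, deleted_ids_sha256, prev_entry_sha256"


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def seed_sample_data(conn, now):
    """Constructed sample rows: three past the retention window, two inside it."""
    rows = [
        (1, now - timedelta(days=400), "old-1"),
        (2, now - timedelta(days=120), "old-2"),
        (3, now - timedelta(days=91), "old-3"),
        (4, now - timedelta(days=10), "recent-1"),
        (5, now - timedelta(days=1), "recent-2"),
    ]
    conn.executemany(
        "INSERT INTO customer_data (id, received_at, payload) VALUES (?, ?, ?)",
        [(i, ts.isoformat(), p) for i, ts, p in rows],
    )
    conn.commit()


def _entry_hash(row):
    return hashlib.sha256(json.dumps(list(row)).encode()).hexdigest()


def _last_entry_hash(conn):
    row = conn.execute(f"SELECT {LOG_COLS} FROM purge_log ORDER BY run_id DESC LIMIT 1").fetchone()
    return GENESIS if row is None else _entry_hash(row)


def purge_expired(conn, now, retention_days=RETENTION_DAYS):
    """Delete rows older than the cutoff and log the run in ONE transaction.

    Returns (rows_deleted, cutoff_iso). Because the delete and the log insert
    commit together, there can be no purge without a matching log entry.
    """
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    with conn:  # sqlite3 context manager: commit on success, roll back on error
        ids = [r[0] for r in conn.execute(
            "SELECT id FROM customer_data WHERE received_at < ? ORDER BY id", (cutoff,))]
        prev = _last_entry_hash(conn)
        conn.execute("DELETE FROM customer_data WHERE received_at < ?", (cutoff,))
        conn.execute(
            f"INSERT INTO purge_log ({LOG_COLS}) VALUES (?, ?, ?, ?, ?)",
            (now.isoformat(), cutoff, len(ids),
             hashlib.sha256(json.dumps(ids).encode()).hexdigest(), prev),
        )
    return len(ids), cutoff


def verify_log_chain(conn):
    """Recompute the hash chain; False if any entry was edited or removed."""
    prev = GENESIS
    for row in conn.execute(f"SELECT {LOG_COLS} FROM purge_log ORDER BY run_id"):
        if row[4] != prev:
            return False
        prev = _entry_hash(row)
    return True


def run_demo():
    """Seed, purge twice, then tamper with the log; returns each step's result."""
    conn = open_db()
    seed_sample_data(conn, SAMPLE_NOW)
    first, cutoff = purge_expired(conn, SAMPLE_NOW)
    second, _ = purge_expired(conn, SAMPLE_NOW)  # re-run is idempotent: nothing left to purge
    remaining = conn.execute("SELECT COUNT(*) FROM customer_data").fetchone()[0]
    intact = verify_log_chain(conn)
    conn.execute("UPDATE purge_log SET rows_deleted = 2 WHERE run_id = 1")  # simulated tampering
    conn.commit()
    return {"first_run_deleted": first, "second_run_deleted": second,
            "remaining_rows": remaining, "cutoff": cutoff,
            "chain_intact_before_tamper": intact,
            "chain_intact_after_tamper": verify_log_chain(conn)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the chained log is that each run produces an artifact an assessor can test independently of the person who ran it: the row counts, the cutoff applied and a digest of what was removed, with a hash link that makes a deleted or edited entry detectable. In production the log would live in a separate, write-restricted store and the job would run from a scheduler whose own run history is retained, but the shape of the evidence is the same.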
If the pre-testing phase was done well, the testing part of the audit process should be straightforward. The assessor will review the materials the supplier provided and complete the documentation needed to support their conclusions. The materials required tend to fall into two categories:
Clarifying questions or additional requests are common, but they don’t represent a finding. Even if a previously unidentified gap is found at this stage, it can still be cured without raising any flags or creating a finding in the report.
Once all questions have been answered and any remaining evidence is provided, the assessor will be able to issue the final report. It is the supplier’s responsibility to submit the audit through the Microsoft compliance portal.
Once the audit is submitted, Microsoft will review it for approval. This is the step in the process where they compare the audit report with the self-attestation completed by the supplier and look to reconcile any differences. Once they are satisfied, they will approve the report and reset the compliance process until the next year.
There are many ways that a supplier can impact the success and expediency of the audit process. We have highlighted some of those above, and offer the following as advice:
If you think something doesn’t apply to the work you are doing for Microsoft, submit a “Does Not Apply” response and provide a thoughtful explanation. This will help set the scope accurately and make for a smoother acceptance process. Also, if you have engaged an assessor and have not yet submitted your DPR responses, involve them and seek their guidance prior to submitting.
When the audit task is launched, Microsoft starts a 90-day clock. The audit is more likely to be successful, and generate less stress, if the supplier engages with an assessor on day 1 rather than day 71.
You have been asked to complete the audit, and it may be the first time you have had to do this. The assessor you are working with does many more of these each year. If you have questions, open a dialogue and get your questions answered.
Just as it is important for you to ask questions of your assessor, it is equally important for you to be responsive and/or seek clarification from your assessor when they have questions of their own.
SSPA veteran suppliers that have been doing this for years will understand the process and be able to self-manage milestones and cadence. Suppliers navigating this for the first time will need extra support. Take the time to set up interval touch points. These planned discussions create mutual accountability and also provide a forum for getting questions answered. Plan for discussions where:
You may or may not need to have formal discussions each time but having that on the calendar is a big help.
Audits can be intimidating and stressful, especially when continued/uninterrupted business from a large customer is hanging in the balance. A thoughtful investment of time in planning and preparation will pay dividends in the form of a less stressful and smoother acceptance process.
If you have questions about the audit process, or if you need an audit, send me an email and I’d be happy to connect.
© Clark Nuber PS, 2022. All Rights Reserved.
This article or blog contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.