For Microsoft suppliers handling sensitive and/or confidential information, compliance with the Supplier Security and Privacy Assurance (SSPA) program is a complicated and varied annual exercise. As we previously discussed in an article on the annual compliance cycle, one of the steps in the program is an audit – known as an independent assessment in the SSPA program guide.
This article will focus on that assessment and shed some light on the moving parts and ingredients that make a successful audit (i.e., an audit that is accepted by Microsoft in a timely manner). We will discuss each of the three distinct phases of the audit: pre-testing, testing, and issuance.
The primary intent of the pre-testing phase is to identify and resolve issues early, before small problems can become big ones. Since this is a foundational stage with many critical steps, each of them deserves care and consideration. More than either of the other two phases, a pre-testing phase that is not handled with care can send the assessment off-course or cause it to drag on unnecessarily.
To increase the likelihood of a successful audit and a smooth acceptance from the Microsoft SSPA team, the following steps should take place during pre-testing:
a. Review of the Supplier’s Data Protection Requirements (DPR) Self-attestation
The DPR completed by a supplier is the first step in building the independent assessment report, and the review of the supplier’s accepted DPR responses is a critical part of the audit process, since those responses will later be scrutinized by the Microsoft SSPA team.
During the acceptance process, SSPA agents will review the scope of requirements tested in the independent assessment and reconcile it with the DPR responses. Microsoft expects these two data points to (a) be the same, or (b) have explanations provided for any differences. If a difference is not explained, the audit report may need to be revised. The revision is not overly complicated, but it is an added step that can and should be avoided, both to expedite acceptance and to avoid a “red” status.
A supplier may have completed the DPR step in the process before they involve an assessor. In those cases, it is important that the supplier share a copy of the DPR with the assessor, so they are sure to be on the same page. In other cases, the DPR may not have been submitted to Microsoft and the assessor will have an opportunity to provide guidance and answer questions. In either case, it is helpful for suppliers to have submitted the DPR and have it approved/accepted by Microsoft before the assessor completes the assessment.
It is important for the assessor and the supplier to both have an accurate copy of the submitted and approved DPR, otherwise it may cause questions and delays in the acceptance process.
b. Agree on Scope and Applicability
A critical review of the DPR responses by the assessor is essential to creating an efficient audit plan and expediting the acceptance process of the audit report by Microsoft. The SSPA program is complex, confusing, and intersects uniquely with each supplier. For these reasons, the responses suppliers offer to certain requirements are not always correct.
The assessor will want to look over the DPR responses to make sure they agree. In this scoping process, it is important to note that the Microsoft SSPA team tasked with reviewing and approving DPRs is primarily focused on looking for responses that are inappropriately marked as “Does Not Apply.” They are concerned with a requirement not being audited when it should be.
This also means that the Microsoft SSPA team is not critically looking in the other direction – at a “Compliant” answer that is incorrect. That is where the assessor can provide some advice and guidance. Remember, when a supplier responds with “Compliant,” they are also indicating that the requirement is applicable to their work for Microsoft. The assessor’s analysis for incorrect “Compliant” responses is critical, as the following example demonstrates:
- Requirement #51 relates to processing credit card transactions on Microsoft’s behalf. In our experience, this requirement is rarely applicable as suppliers are not often asked to do this, yet it is marked as “Compliant” in some cases.
- If the auditor simply accepts that this requirement is applicable and plans to provide an opinion that the supplier is compliant with it, they need to perform audit procedures to support that opinion.
- That would involve asking the supplier to complete a Payment Card Industry Data Security Standard (PCI DSS) compliance effort, which is quite an undertaking.
- If the requirement is not applicable, the supplier would certainly want to avoid that added level of effort.
This demonstrates the importance of the assessor and the supplier being on the same page when it comes to scoping and applicability. If the supplier and assessor agree that a “Compliant” response was submitted in error, then this can be flagged in the audit report as being different from the DPR response and explained by the assessor for Microsoft to consider.
c. Identify Gaps
Once the scoping has been set, the next step is to determine if the supplier is actually compliant with each applicable requirement, and if they have documentation or other evidence that can be provided to the assessor to support their compliance.
It is certainly possible that a supplier could have implemented a process – such as a practice of periodically purging data from a database in response to requirement #13 – but not have a documentation trail (for example, a written retention schedule or the run logs of the scheduled purge job) or an automated process to show the auditors. If a gap like this is identified, the assessor can work with the supplier to provide guidance or a starting point to fill in the gap.
d. Gather Evidence
Evidence will need to be gathered to support your compliance with each applicable requirement. This sounds simple, but as mentioned earlier, the SSPA program is complex, confusing, and intersects with each supplier in unique ways. Interpreting the evidence needs for each requirement is a role the assessor should play. This should be a collaborative process and an open conversation between supplier and assessor.
If the pre-testing phase was done well, the testing part of the audit process should be straightforward. The assessor will review the materials the supplier provided and complete the necessary documentation to support their conclusions. Materials that are required tend to fall into two categories:
- Policies, checklists, and other tools that serve as guides for company personnel to operate compliantly, and
- Screenshots of software tools used to safeguard data (e.g., firewalls, security patches, anti-virus software, password settings, etc.), ideally showing the system name and capture date so the assessor can tie each one to the in-scope environment.
Clarifying questions or additional requests are common, but they don’t represent a finding. Even if a previously unidentified gap is found at this stage, it can still be cured without raising any flags or creating a finding in the report.
Once all questions have been answered and any remaining evidence is provided, the assessor will be able to issue the final report. It is the supplier’s responsibility to submit the audit through the Microsoft compliance portal.
Once the audit is submitted, Microsoft will review it for approval. This is the step in the process where they compare the audit report with the self-attestation completed by the supplier and look to reconcile any differences. Once they are satisfied, they will approve the report and the compliance cycle restarts for the following year.
How can a Supplier Make the SSPA Independent Audit Successful?
There are many ways that a supplier can impact the success and expediency of the audit process. We have highlighted some of those above, and offer the following as advice:
Be Thoughtful in Your Responses to the DPR
If you think something doesn’t apply to the work you are doing for Microsoft, submit a “Does Not Apply” response and provide a thoughtful explanation. This will help set the scope accurately and make for a smoother acceptance process. Also, if you have engaged an assessor and have not yet submitted your DPR responses, involve them and seek their guidance prior to submitting.
Initiate the Process Early On
When the audit task is launched, Microsoft starts a 90-day clock. The audit is more likely to be successful, and generate less stress, if the supplier engages with an assessor on day 1 rather than day 71.
You have been asked to complete the audit, and it may be the first time you have had to do this. The assessor you are working with does many more of these each year. If you have questions, open a dialogue and get your questions answered.
Just as it is important for you to ask questions of your assessor, it is equally important for you to be responsive and/or seek clarification from your assessor when they have questions of their own.
Interval Touch Points
SSPA veteran suppliers that have been doing this for years will understand the process and be able to self-manage when it comes to milestones and cadence. Suppliers that are navigating this for the first time will need extra support. Take the time to set up interval touch points. These planned discussions create mutual accountability and also provide a forum for getting questions answered. Plan for discussions where:
- Scoping will be discussed and decided,
- Gaps can be ironed out, and
- Questions about necessary evidence can be addressed.
You may or may not need to have formal discussions each time but having that on the calendar is a big help.
Audits can be intimidating and stressful, especially when continued/uninterrupted business from a large customer is hanging in the balance. A thoughtful investment of time in planning and preparation will pay dividends in the form of a less stressful and smoother acceptance process.
If you have questions about the audit process, or if you need an audit, send me an email and I’d be happy to connect.
© Clark Nuber PS, 2022. All Rights Reserved.