Does anybody have a process in place to review the internal controls of the service organizations that are typically involved in a Contingent Workforce Management (CWM) program such as the VMS supplier (e.g., Beeline, Fieldglass) or MSP supplier (e.g., Kelly, Allegis)? These controls are typically documented in SOC1, SOC2, and SOC3 reports. We got those reports from our VMS supplier. Our MSP supplier does not have them (there is no legal requirement).
For those of you who use an MSP, does your MSP provide you with SOC1, SOC2, SOC3 reports? If so, what do you look for in these reports?