Bassam Alousi, Director-Technology, White Clarke Group
Due to the global finance market regulations, Banks and Financial Institutions are forced to comply with several regulatory requirements. In the past, these regulatory requirements were specific to the Banking and Financing Organizations.
In the past few years, many financial institutions have been outsourcing several functions to external service provider (ASP-Application Service Provider, SaaS-Software as a Service, or Cloud Service Provider). These financial functions are not limited to: accounting (receivable, payable), financing (loan origination and contract management), document management, IT (network, storage, backup, hosting, co-location) and payroll. Due to the delegation and outsourcing of these financial functions, the financial institutions not only depend on the quality and accuracy of these financial transactions, they depend on the service provider to securely process and store the confidential and sensitive information (such as customer personal information). Lately, the service providers are being requested to go through increased compliance requirements to demonstrate a controlled environment for the outsourced functions. Three years ago, the Consumer Financial Protection Bureau (CFPB) announced that it expects supervised banks and non-banks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law which is designed to protect the interest of consumers and avoid consumer harm.
A major part of theses regulatory requirements can be satisfied by SSAE 16 SOC 1 which is produced by an independent audit firm. SSAE 16 is playing an important role for the external service provider by providing the credibility, trust and compliance standard with the banks or financial institutions. In simple words SOC 1 audit tells the bank of the service provider is doing what they promised. In technical terms, the SOC 1 reports includes a review and audit to the following major areas:
1. Control Environment: This is foundation of other areas of internal control; it sets the tone of the organization and influences the control consciousness of its personnel. The component of the control environment factors include Integrity and Ethical Values, management’s commitment to competence, organizational structure (assignment of authority and responsibility), and oversight and directions from management.
2. Security: The protection of information systems and data
a. Physical & Environmental Security: to protect the information system from physical or environmental threats.
b. Logical Access (Information Security): to provide reasonable assurance that system information is protected from unauthorized use, modification, addition or deletion.
c. Data Security: this is to ensure that the data maintains its integrity and security as it is being processed, transmitted (between systems), and stored.
3. Risk Assessment: This includes identifying the risks that threaten achievement of control objective, estimating the significance of identified risks, assessing the likelihood of their occurrence, and deciding about actions to address these risks.
4. System (Computer) Operations: To address the identified risks and to deliver functions that the system is required to provide, a set of control activities need to be placed into operation to ensure that the actions carried out properly and efficiently. This includes:
a. Data Backups: this is to provide reasonable assurance that application and data backup processes are in place and being monitored.
b. System Availability: this is to provide reasonable assurance that system are maintained in a manner that helps ensure the required system availability.
c. Job Processing: this is to provide a reasonable assurance that any batch jobs are scheduled and monitored to ensure successful completion or processing problems are resolved.
5. Change Control: this is to provide reasonable assurance that changes to the production system or application are authorized, tested, approved, properly implemented and documented.
There are two type of SOC 1 Report:
• Type 1 Report is a report on policies and procedures placed in operation as of a specified point in time. SOC 1 Type 1 reports evaluate the design effectiveness of a service provider’s controls and then confirms that the controls have been placed in operation as of a specific date (point in time).
• Type 2 Report is a report on policies and procedures placed in operation and tests of operating effectiveness for a period of time. SOC 1 Type 2 reports include the examination and confirmation steps involved in a Type 1 examination plus include an evaluation of the operating effectiveness of the controls for a period of at least six consecutive calendar months.
The scope of the SOC 1 audit is determined by the service provider. Making sure to scope the audit properly would clearly demonstrate the service provider quality of service and ensure that sufficient information is provided to the service provider’s clients.
The SOC 1 Audit Process can go through five major phases:
1. Discovery and Compliance Awareness: in this phase the service provider needs to prepare their internal team for the audit process by providing the relevant compliance information and requirements to team members.
2. Scoping & planning: each service provider have different types of services that they offer to financial institutes. The scope of the audit varies based on the services being offered.
3. Planning: as any project the SOC 1 Audit Process detailed planning need to be performed in the early stages of the project to make sure that all resources required in the scope are available and all required skills for this project do exist.
4. Type 1 Assessment & Action Plan: here you involve a certified third party vendor to perform the Point In Time Assessment to provide the SOC 1 Type 1 Report. The next part of this phase is to review and implement the recommended improvement to your Processes.
5. Type 2 Assessment: once the process improvement have been applied then you are ready for the final audit.
Demand for SSAE 16 SOC Reports should increase in the coming years because of the higher growth in outsourcing financial functions. Service providers need to pro-actively perform the SSAE Audit and get a clean SOC 1 Type 2 report to increase their chances of getting business from Banks and Financial Institutions.