Compliance for Banks and Financial Services Organizations
In today’s global financial market, banks and financial services organizations face broader competition and, at the same time, a significant increase in regulatory requirements; together these factors are shrinking margins and squeezing profitability. To cope with these pressures and remain competitive, banks and financial services organizations are outsourcing business processes that were, for many years, performed in-house. Outsourced bank processes range from the recording or processing of financial information by a service organization to a software development company building and hosting the software the bank uses. If your customers are banks or financial services organizations, their regulators expect them to oversee their service providers, so your organization inherits much of the same regulatory burden. A SOC 1® examination, which reports on controls at a service organization that are relevant to user organizations’ internal control over financial reporting, is one of the most widely accepted ways to satisfy that oversight requirement. SOC 1® therefore plays an important role for service organizations in establishing credibility and trust with banks and financial services organizations.
As one attest client put it: “A SOC 1® examination tells our customers that we are doing what we promise.” Although this is not the most technical description, it is well aligned with the purpose of a service auditor’s report.
A SOC 1® attestation for a service organization in the Banking and Financial Services industry should address the following critical areas:
- Control Environment: the organization-level controls, often called “tone at the top,” consisting of management’s oversight and the operational controls that implement it.
- Physical Security: the physical protection of the facilities and information systems that hold user organizations’ data.
- Environmental Security: the protection of information systems and data from environmental threats such as fire, flood and power loss.
- Data Backups: the backup and recoverability of user organizations’ data.
- System Availability: the availability of information systems to user organizations.
- Application Change Control: the processes and procedures used to ensure that changes are authorized, tested and approved so that systems continue to function per user requirements.
- Information Security: the logical protection of data from unauthorized system access.
- Data Communication: the integrity and confidentiality of data as it is transmitted between user organizations and the service organization.
Service organizations can use Section 5, “Other Information Provided by the Service Organization,” of the SOC 1® report to communicate their efforts to comply with state laws and regulations as well as federal requirements such as the Federal Trade Commission Standards for Safeguarding Customer Information, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, Securities and Exchange Commission rules and the Fair Debt Collection Practices Act. Note that information in this section is presented by the service organization and is not covered by the service auditor’s opinion, so user organizations read it as management’s statement rather than as tested controls.
The scope of the SOC 1® attestation is determined by the service organization. A well-scoped attestation clearly demonstrates your organization’s quality of service and gives your user organizations sufficient information about your controls over physical security, environmental security, authorized access and continuous availability of services. Scoping too narrowly, on the other hand, leaves user organizations and their auditors asking for evidence the report does not contain.
SOC 1® Compliance Process
We tailor every attestation engagement to our client’s requirements. However, we have a fundamental four-phase process that normally meets our clients’ needs and produces an efficient, unobtrusive engagement, enabling you to focus on your business while we focus on your compliance.
Project Timeline: Four Phase Attestation
For More Information Speak to a Service Auditor at Roosa CPA, LLC (877) 410-8516