Due Diligence and Ongoing Monitoring

  • 1.  SOC I

    Posted 04-05-2021 04:19 PM
    Does anyone have thoughts about TPRM evaluating SOC 1 reports (either type)? Currently we evaluate SOC 2 reports, but it's been suggested by our internal audit team that we should also perform an annual review of SOC 1 reports as well.


  • 2.  RE: SOC I

    Posted 04-05-2021 05:37 PM

    I think it depends on what you're looking for.

    If the idea of reviewing the SOC report is to check for protection of NPI, then reviewing multiple SOC reports is adding work for not much gain.

    If you are doing the review to check process and data flow more than data protection, then reviewing the SOC 1 makes sense.

    That all assumes that your vendors have multiple reports done, of course. I don't tend to see many who have the entire stable of SOC reports done, as the cost can be pretty impressive for something that doesn't have an ROI, strictly speaking.

    Thanks,

    Dave

    David Howe

    Chief Information Officer






  • 3.  RE: SOC I

    Posted 04-05-2021 05:37 PM

    Hi there,

    At this time we do both SOC 1 and SOC 2 reviews annually for our vendors. However, we usually only do one or the other depending on what type of service the vendor is performing. So, for SOC 1 reviews we target our 'financial' vendors, and for SOC 2 we review our Technology Service Provider vendors.

    Occasionally, we will do both SOC 1 and SOC 2 for our critical vendors.

    Hope that helps.

    Monique






  • 4.  RE: SOC I

    This message was posted by a user wishing to remain anonymous
    Posted 04-05-2021 05:37 PM

    Without knowing the context of your business, or the types of vendors you have, perhaps this AICPA summary of the different types (and purposes) of SOC reports will be helpful to you:

    https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement.html



  • 5.  RE: SOC I

    Posted 04-07-2021 07:32 AM

    We use the following questions in our risk review to determine which reports are needed, if any:

    Does the third party process/store/manage/view/modify/transmit/destroy the bank's NPPI or bank sensitive data?

    If yes, the next questions are:

    Will the third party process or store NPPI or other sensitive bank data at their own location offsite?

    If yes, we require a SOC 2 report.

    Will the third party process financial transactions on behalf of our company?

    If yes, we require a SOC 1 report.

    If both questions are true, we require both reports, and there are few instances where they are not available at that point.
