Exams or Audits

Hello,

I have been told that if a vendor directly affects the Institution's financial reporting, then I should request a SOC 1 type 2 report.

But the question is what vendors directly affect the financial reporting of my bank?  This is the confusing part for me. 

Thanks in advance for all your help.

Thanks for your inquiry. Think of it this way. If the vendor's service impacts the financial operations, then you probably need a SOC 1 audit. 

For example, the following businesses may need to be SOC 1 compliant:

• Payroll processing software
• Billing management platforms
• Trust companies
• Financial reporting software

These examples should provide deeper insight to connect the requirements and types of providers. 

Some common examples of suppliers that impact organizations' financial reporting are those that process financial transactions that the organization reports in their financial statements.  Some examples include payroll processing, benefits providers, customer payment processors, and ERP software providers.   I'm sure there are many more examples that others in the banking industry can provide. 

Good practice would be to require all necessary reports, e.g. SOC 1 or 2, PCI-DSS, ISO, etc. be provided by a vendor as part of the due diligence process. Then when you do your annual third-party review you should be asking for current versions.

If you aren't sure if you need something like a SOC 1 type 2, it is better to ask for it. As a former auditor, I said having too much documentation is better than not enough.