Getting back to the original question, other than CORE, you would get the SOC 1 Type II Report and GAP/Bridge Letter for a third party that processes financial transactions ONLY when your bank books the transactions verbatim without any internal KEY controls that validate the results produced by that third party. For us, these tend to be the types of third parties where we need to rely on their SOC 1:
CORE
Accounting systems (lease accounting, tax accounting, GL recons, etc.)
If you have derivatives and such, the valuation, portfolio reviews, transaction management, etc., systems
HRIS
Systems for regulatory compliance (AML/BSA, check fraud, etc.)
Electronic commerce (electronic deposit capture, online banking, mobile apps, etc.)
Automated decisioning engines
Gene Fox
VP, Third-Party Risk Management Officer
-------------------------------------------
Original Message:
Sent: 1/19/2024 2:30:00 PM
From: Charles Karstadt
Subject: RE: SOC 1
Good practice would be to require all necessary reports, e.g. SOC 1 or 2, PCI-DSS, ISO, etc. be provided by a vendor as part of the due diligence process. Then when you do your annual third-party review you should be asking for current versions.
If you aren't sure if you need something like a SOC 1 type 2, it is better to ask for it. As a former auditor, I said having too much documentation is better than not enough.
Original Message:
Sent: 01-19-2024 07:37 AM
From: Alina Conway
Subject: SOC 1
Some common examples of suppliers that impact organizations' financial reporting are those that process financial transactions that the organization reports in their financial statements. Some examples include payroll processing, benefits providers, customer payment processors, and ERP software providers. I'm sure there are many more examples that others in the banking industry can provide.
Original Message:
Sent: 01-18-2024 05:50 PM
From: Anonymous Member
Subject: SOC 1
This message was posted by a user wishing to remain anonymous
Hello,
I have been told that if a vendor directly affects the Institution's financial reporting, then I should request a SOC 1 type 2 report.
But the question is what vendors directly affect the financial reporting of my bank? This is the confusing part for me.
Thanks in advance for all your help.