Exams or Audits

  • 1.  SOC 1

    This message was posted by a user wishing to remain anonymous
    Posted 01-18-2024 08:55 PM

    Hello,

    I have been told that if a vendor directly affects the Institution's financial reporting, then I should request a SOC 1 type 2 report.

    But the question is what vendors directly affect the financial reporting of my bank? This is the confusing part for me.

    Thanks in advance for all your help.



  • 2.  RE: SOC 1

    Posted 01-19-2024 01:37 PM

    Thanks for your inquiry. Think of it this way. If the vendor's service impacts the financial operations, then you probably need a SOC 1 audit.

    For example, the following businesses may need to be SOC 1 compliant:

    • Payroll processing software
    • Billing management platforms
    • Trust companies
    • Financial reporting software

    These examples should provide deeper insight to connect the requirements and types of providers.




  • 3.  RE: SOC 1

    Posted 01-19-2024 01:42 PM

    Some common examples of suppliers that impact organizations' financial reporting are those that process financial transactions that the organization reports in their financial statements. Some examples include payroll processing, benefits providers, customer payment processors, and ERP software providers. I'm sure there are many more examples that others in the banking industry can provide.




  • 4.  RE: SOC 1

    Posted 01-19-2024 02:30 PM

    Good practice would be to require all necessary reports, e.g. SOC 1 or 2, PCI-DSS, ISO, etc. be provided by a vendor as part of the due diligence process. Then when you do your annual third-party review you should be asking for current versions.

    If you aren't sure if you need something like a SOC 1 type 2, it is better to ask for it. As a former auditor, I said having too much documentation is better than not enough.




  • 5.  RE: SOC 1

    Posted 01-22-2024 11:41 AM

    Getting back to the original question, other than CORE, you would get the SOC 1 Type II Report and Gap/Bridge Letter for a third party that processes financial transactions ONLY when your bank books the transactions verbatim without any internal KEY controls that validate the results produced by that third party. For us, these tend to be the nature of the third parties where we need to rely on their SOC 1:

    • CORE
    • Accounting systems (lease accounting, tax accounting, GL recons, etc.)
    • If you have derivatives and such, the valuation, portfolio reviews, transaction management, etc., systems
    • HRIS
    • Systems for regulatory compliance (AML/BSA, check fraud, etc.)
    • Electronic commerce (electronic deposit capture, online banking, mobile apps, etc.)
    • Automated decisioning engines


    Gene Fox

    VP, Third-Party Risk Management Officer

    -------------------------------------------