You Got SOC Questions? We Got SOC Answers!
Did you miss our recent webinar, "How to Leverage SOC and SSAE 18 Reports Throughout Every Department of Your Financial Institution"? You can listen to the recording HERE. We received some excellent questions posed by our webinar attendees and thought we’d share them with you:
1. Do financial institutions need to also have SSAE reports for their commercial clients? I've seen in the past clients asking the bank for their SSAE report.
Reports should be required to address the risks inherent in a relationship. So, if a relationship poses risks to the organization and the scope of review covers the controls in place to address (mitigate) those risks, then the collection and review of a SOC report would be valuable.
2. Does the SSAE 18 replace SSAE 16?
Yes, the AICPA updated the standards (SSAE) for audits commencing after May 1, 2017. (See https://www.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/ssae-no-18.pdf)
3. What is the best way to know if something has been carved out and if it is relevant?
This goes back to the importance of identifying the risk inherent in the relationship with the TSP/third party/vendor. If the relationship poses risks from a data security, resiliency and reporting perspective, then the scope should include addressing the design and effectiveness of controls in place to address those risks.
4. You talked about report "types" but what is the difference between SOC 1 and SOC 2?
The SOC 1 refers to a scope of controls for the service provider’s processes and controls.
The SOC 2 refers to a scope of controls for the service provider’s processes and controls, which are tested over time.
5. We provide the board with a summary that a SOC was provided, the type of opinion issued, any exceptions reported and the management response to those and that the user entity controls were reviewed by the relationship manager. Is this enough or should we provide more information?
Consider also explaining how this information (SOC report content) relates to other aspects, including, where applicable:
- Increase in Vendor Risk
- (Potential) impact to the organization’s strategic goals/objectives
- Increase in residual risk (where appropriate) i.e., Information Security Risk Assessment, Business Continuity Risk Assessment
- Changes in the organization's maturity level from a Cyber Security perspective
6. What should I do if a SOC report has an unqualified opinion?
Actually, this is not a “bad thing.” An unqualified opinion is a common term used by auditors. It simply means that, following auditing standards, the auditor determined there was no material issue. A qualified opinion is when an auditor, following auditing standards, determines that there is a material issue.
7. Our head of lending doesn’t see SOC reviews as “their job.” How can I counteract that?
Try approaching individuals by bringing up the value of content within SOC reports as it relates to what is important to them. For instance, the head of lending does care about their Loan Operating System (LOS) working appropriately and about limiting expenses that are not related to revenue-generating activities. Drawing attention to the benefit/value of SOC report content from an angle that the individual cares about, and does consider part of their job, may produce more positive results.
8. What advice would you give in relation to SOC review and application of SOC content for our Safety and Soundness Examination coming up?
Ensure there are no discrepancies in information regarding controls in place at your critical vendors. For example, within your Information Security Risk Assessment you are more than likely stating that controls in place at the third party mitigate your risk because of their effectiveness and appropriate design. However, if your SOC report contains contradicting information about the third-party control effectiveness and/or design, it may appear to your examiner that you do not apply appropriate management/oversight across both Vendor Management and Information Security. Additionally, related to business continuity, vendor resiliency is required to be identified and supported. Ensure SOC content related to resiliency supports the rating, and if there is information that warrants an update, make those updates.
9. What if there is not a SOC report?
If a Critical or High-Risk Vendor does not have a SOC report, additional “operational policy due diligence” can be combined to create a Due Diligence Risk Report Executive Summary to address Operational Risk.
Operational due diligence typically includes policies related to Organizational Governance and Risk Oversight, Personnel Security and Ethics, Information Security, Vendor Management, Data and Facility Logical and Physical Access Controls, Network and Cybersecurity Controls, Data Privacy and Protection Standards, as well as Incident Response and Notification.