While a large number of service organizations are performing SOC 2 Type 1 and SOC 2 Type 2 audits, there’s still a huge number of financial entities that must perform annual SOC 1 SSAE 18 reports. Why? Because these organizations have a clear nexus with the ICFR concept – internal controls over financial reporting – and a SOC 2 report CANNOT effectively report on such controls.
Introduction to SOC 1 SSAE 18 for Banking/Financial Services
The original SAS 70 auditing standard – along with SSAE 16 – had a primary function of reporting on controls related to financial reporting. While that intent became strained and misused over the years, the SOC 1 SSAE 18 standard is alive and well for reporting on the ICFR concept. Why SOC 1 SSAE 18 and not SOC 2?
Simple: if you’re in the banking and financial services sector, then reporting on ICFR can only effectively be undertaken by testing control objectives related to the specific financial transactions that YOU as an organization undertake. As such, if you perform functions that can impact the financial reporting of your clients, then SOC 1 SSAE 18 is the go-to audit.
Here’s an example.
As a service provider, you offer payroll services, which means you’re performing processes and transactions related to any number of financial matters (e.g., payroll taxes, accrued payroll, accrued vacation deferrals, etc.). These are figures that directly impact a client’s financial statements, thus SOC 1 SSAE 18 is the must-have assessment.
Another example would be an actual bank, which possibly provides trust and actuarial services to major corporations. Just stop and think of the enormity – and sensitivity – of the financial calculations being made and their impact on a business’s financials – yet another example of where the ICFR element is clearly seen.
How to Plan for Your SOC 1 SSAE 18 Assessment
First, Determine Scope: It’s critical to assess, and ultimately understand, the actual boundaries of your SOC 1 SSAE 18 assessment. With that said, you’ll need to ask yourself the following questions:
- What are our reporting requirements for clients, regulators, prospects, etc.?
- What business processes are in scope? Is it the entire service offering of your company, or a specific offering?
- What personnel, physical locations, and other relevant third-party providers are in scope?
These are just a few of the questions you need to be asking as you begin to properly plan for your SOC 1 SSAE 18 audit. If you’re new to the world of SOC auditing, then a scoping & readiness assessment might be an excellent platform from which to begin your SOC 1 SSAE 18 assessment. Such audits performed for the banking and financial services sector can be complicated in that you need to properly address the ICFR element and the related control objectives for the audit.
Second, Understand that Remediation is Often Necessary: Does any organization really have a control environment that functions flawlessly 24/7, with no room for improvement? Not really, and because of this, it’s fundamentally important to remediate the gaps and deficiencies found during your scoping exercises. Whether you perform your own scoping & readiness assessment – or hire NDNB to perform an official SOC 1 SSAE 18 scoping & readiness assessment – you need to determine where the gaps are, how to correct them, and then actually correct them!
Control weaknesses for SOC 1 SSAE 18 generally exhibit themselves in three areas: (1) weaknesses in security controls, (2) weaknesses in documentation, and (3) weaknesses in operational controls. As for security controls, common gaps include improperly provisioned information systems, weak authentication parameters, etc. As for documentation weaknesses, these generally revolve around missing or incomplete documented processes and procedures for many of today’s core information security domains – access control, change management, backup & recovery, etc. And as for weaknesses in operational controls, these pertain to missing security awareness training, no annual risk assessments performed, etc.
Lastly, because SOC 1 SSAE 18 assessments for banks and financial institutions ultimately require a deep dive into one’s ICFR elements, it’s essential to ensure that such core controls are operating as designed. If not, auditors will be quick to identify – and document in the report – findings and/or exceptions.
Know that Security Tools May Need to be Acquired: Many of today’s security controls for purposes of regulatory compliance reporting will ultimately require organizations to acquire security tools and solutions for compliance. Do you have file integrity monitoring in place, two-factor authentication, or possibly a vulnerability scanning solution?
Many of the core, baseline information security controls that are assessed for SOC 1 SSAE 18 compliance will no doubt require validation of these security tools and solutions. In short, you need to put them in place, but before you do, confirm with your auditors what the actual testing will be for your “Information Technology General Computing” controls – commonly known as ITGC controls.
Engage in Continuous Monitoring: SOC 1 SSAE 18 assessments for banks and financial institutions – and for any organization in the world of regulatory compliance – ultimately require organizations to perform continuous monitoring. What is continuous monitoring? It’s the ongoing effort that service organizations need to be making to monitor their control environment. It’s about assessing the validity and effectiveness of internal controls and making changes as necessary. In short, it’s about keeping a “pulse” on one’s control environment.
NDNB is North America’s Leading Provider of SOC Audits