NDNB provides comprehensive SOC 1 SSAE 18 and SOC 2 audit reports and assessments for debt collection agencies requiring such services. In today’s world of regulatory compliance, any business working with highly sensitive consumer information, along with financial data, is being required to undertake SOC 1 SSAE 18 and/or SOC 2 assessments on an annual basis.
While some debt collection agencies are being required to conduct both SOC 1 and SOC 2 audits, others are choosing between the two (2) AICPA Service Organization Control (SOC) reporting standards, along with possibly certifying against the PCI DSS standards.
Audit Information Collection Agencies Need to Know
Regardless of the audit, whether SOC 1 SSAE 18, SOC 2, PCI DSS, or any other compliance mandate, the process can be incredibly challenging, time-consuming, and operationally expensive, so take note of the following recommendations and expert advice from NDNB.
Properly Assess Scope: You’ll need to work with your auditors to ensure both sides clearly understand the scope of a SOC 1 SSAE 18 and/or SOC 2 audit, which means identifying all relevant business processes, any financial reporting considerations for your clients (for a SOC 1 SSAE 18), and which Trust Services Criteria (TSC) would be assessed (for a SOC 2). Fundamentally speaking, it means identifying, assessing, and understanding the entire debt collection business process being performed for clients, from beginning to end.
This would include how you onboard and provision a new client, what specific debt collection services are being performed, and other relevant activities. It’s about knowing your business inside and out and what relevant controls (i.e., policies, procedures, processes, and practices) are in place.
Update Policies and Procedures: What’s one of the biggest mandates for SOC 1 SSAE 18 and SOC 2 compliance for debt collection agencies, or for any company seeking a compliance attestation? Policies and procedures! That’s right, information security and operational policy documentation is often the very first item on the list of deliverables that auditors request, and understandably so. Think about it: the policies establish the foundational framework within which one’s procedures, processes, and practices are carried out. It’s really that simple.
Implement and Follow Procedures: Policies are essential, but auditors also test to ensure they’re actually being adhered to, no question about it. For example, a debt collection agency’s access control policy will describe who can have access, what type of access, and to what systems, so auditors will test that access is in fact granted and restricted as the policy states. The same can be said for all other types of policies and procedures, so keep that in mind.
Develop Customized ICFR Testing: More specifically, if you’ve opted for SOC 1 SSAE 18 compliance and you possess or work with data that has the ability to impact a client’s financials, then testing against the concept known as “Internal Controls over Financial Reporting” (ICFR) is critical.
Here’s a good example of how this works: Collection of debt fees – whatever the amount may be – can be recorded, then provided to clients for reporting on their own financials, thus ultimately affecting a company’s P&L and balance sheet.
Though this is a very simple scenario, the premise remains the same: if a service organization is conducting activities, processes, and functions that could impact a client’s financials, then consideration must be given to the types of tests to conduct for SOC 1 SSAE 18 compliance, particularly for the ICFR concept.
NDNB is North America’s Leading Provider of SOC Audits