Technology Service Providers and the new SOC reports

What do all of the 2012 changes to the IT Examination Handbooks have in common?  They are all, directly or indirectly, related to vendor management.  I had previously identified vendor management as a leading candidate for increased regulatory scrutiny in 2012, and it certainly was.  (Not all of my 2012 predictions fared as well; I’ll take a closer look at the rest of them in a future post.)

So there is definitely more regulatory focus on vendors, and it’s a safe bet that this will continue into 2013.  It usually takes about 6-12 months before new guidance is fully digested into the examination process, so expect additional scrutiny of your vendor management process during your 2013 examination cycle.  Since guidance is notoriously non-prescriptive we don’t know exactly what to expect, but we can be certain that third-party reviews will be more important than ever.  Third-party audit reports, such as the SAS 70 in previous years and now the new SOC reports (particularly the SOC 1 and SOC 2), provide the best assurance that your vendors are in fact treating your data with the same degree of care that regulators expect from you.  As the FFIEC stated in its recent release on Cloud Computing:

“A financial institution’s use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors and  management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations.”

Undoubtedly third-party audit reports will still be the best way for you to ensure that your vendors are compliant, but there seems to be considerable confusion about exactly which of the three new SOC reports are the “right” ones for you.  In fact, in a recent webinar we hosted with a leading accounting firm, one of the firm’s partners stated that “there are a few instances where you might receive a SOC 1 report where a SOC 2 might be more appropriate”.  And this is exactly what we are seeing: technology service providers are having a SOC 1 report prepared when what the financial institution really wants and needs is a SOC 2.

Why is it important for you to understand this?  Because the SOC 1 (the report issued under the SSAE 16 standard) is restricted by that standard to controls relevant to user entities’ internal control over financial reporting.  It is their auditor telling your auditor that the information they are feeding into your financial statements is reliable.  The SOC 2 report, on the other hand, is a statement from their auditor directly to you, and addresses the following trust services criteria:

  1. Security – The service provider’s system is protected against unauthorized access.
  2. Availability – The service provider’s system is available for operation and use as contractually committed or agreed.
  3. Processing Integrity – System processing is complete, accurate, timely, and authorized.
  4. Confidentiality – Information designated as confidential is protected as contractually committed or agreed.
  5. Privacy – Personal information (if collected by the provider) is collected, used, retained, disclosed, and destroyed in accordance with the provider’s privacy policy.

If these sound familiar, they should.  The FFIEC Information Security Booklet lists the following security objectives that all financial institutions should strive to accomplish:

  1. Privacy & Security (elements of GLBA)
  2. Availability
  3. Integrity of data or systems
  4. Confidentiality of data or systems
  5. Accountability
  6. Assurance

As you can see, there is considerable overlap between what the FFIEC expects of you and what the SOC 2 report tells you about your service provider.  So why are we seeing so many service providers prepare SOC 1 reports when the SOC 2 is called for?  I think there are two reasons.  First, because the SOC 1 is functionally equivalent to the SAS 70, it is the easier transition for a provider coming off a SAS 70.  I can tell you from our own transition experience that the SOC 2 reporting standard is not just different, it is substantially broader and deeper than the SAS 70.  So some vendors may simply be taking the path of least resistance.

But the primary reason is that if the vendor provides a service to you that directly impacts your financial statements (like the calculation of interest), they must produce a SOC 1.  But if they additionally provide services unrelated to your financial statements, should they also produce a SOC 2?  In almost every case the answer is “yes”, because for all of the reasons above, the SOC 1 simply will not address all of your concerns.

The next couple of years will be transitional ones for most technology service providers as they adjust to the new auditing standards, and for you as you begin to digest the new reports.  But will the examiners be willing to give you a transition period?  In other words, should you wait for your examiner to find fault with your vendor management program before you start updating it?  I’m not sure that taking a wait-and-see attitude is prudent in this case.  The regulatory expectations are out there now, the reporting standards are out there, and the risk is real: you need to be pro-active in your response.

(NOTE:  This will be covered more completely in a future post, but the CFPB has also recently issued guidance on vendor management, and they are staffing up with new examiners.  Are there three scarier words to a financial institution than “entry-level examiners”?!)

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

9 comments

  1. Say that a SOC1 contains scopes in all of the confidentiality, availability, privacy controls that you want? Why wouldn’t one accept it? It is still an independent audit, no? It is similar to a SAS70, which was good enough for us a few years ago.

    Also, what about vendors providing a SOC3?

    Or an AUP audit based on BITS?

    Or a consulting report based on BITS?

    My point is that there needs to be flexibility among the users of reports. Different reports will provide different levels of assurance for different risks. Some will have better coverage than others. But we don’t live in a perfect world, and bank management will need to make risk-based decisions about technology service provider outsourcing.

    1. Thanks for the questions! When the phase-out of the SAS 70 was first announced in 2010, an article in the Journal of Accountancy said this:

      In the past, many CPAs used SAS no. 70 to report on controls at a service organization that are unrelated to user entities’ internal control over financial reporting, for example, controls over the privacy of customers’ information. However, SAS no. 70 is not applicable to examinations of controls over subject matter other than financial reporting, and neither is SSAE no. 16.

      The SAS 70 was only “good enough” in the past because it was misused. Now the question is, could a SOC 1 give you valuable information regarding the control environment surrounding non-financial reporting as well? Absolutely, IF the infrastructure that supports the financial elements of the organization is exactly the same as that which processes the non-financial elements, and the service provider can assert that fact (although I would still want a third party to attest to it). The better question is, is there a more direct way to achieve that management assertion plus attestation? There is, and that is the SOC 2.

      Regarding the SOC 3, I don’t think we’ll see that report except in rare cases, or perhaps in combination with other reports so that the service provider can display the SOC logo for marketing purposes. The SOC 3 just doesn’t provide the level of detail that financial institutions require for service providers that store or process NPI.

      I am a fan of BITS, and I like the idea of an AUP assessment based on the BITS framework, the problem is that BITS is designed as a management assertion without third-party attestation, so you would still need confirmation that the service provider’s responses are accurate (i.e. that they are doing what they say they are doing, and the way they say they are doing it).

      All that said, I certainly agree that there needs to be flexibility, particularly during the transition period. I also agree that bank management must make risk-based decisions, and that the different SOC reports, in combination with reporting formats like the AUP, provide definite benefits. In the end though, it all comes down to what the examiners will expect, and what reporting format will become the de-facto standard going forward, and I believe that will be the SOC 2.

  2. I have been asking one of our providers, Compass Bank, for their SOC Report. They have sent me everything but that; they said they do not have one. What do I do about this?

    1. I received a reply from Compass today, here it is:

      BBVA Compass
      Statement on Standards for Attestation Engagements (SSAE 16)

      SSAE 16 replaces SAS 70 as the professional standard for service organizations to obtain an independent assessment about the effectiveness of internal controls that are relevant to their customer’s financial statement audits. According to guidance published by Deloitte and Touche, SSAE 16 incorporates systems that include the following:

      • Automated and manual procedures for initiating, recording, processing, and reporting significant transactions from inception to inclusion in the financial statements. Electronic or manual accounting records supporting the initiation, recording, processing and reporting of transaction information and specific accounts in the entity’s financial statements.

      • How relevant information systems capture events and conditions significant to recording the results of operations and the preparation of financial statements.

      CompassConnect® operates as a “monitoring” application, funneling information from multiple areas in order to simplify account presentation to our Correspondent Customers. Also, CompassConnect allows Correspondent Customers to place orders that are then routed to the respective systems for processing. Activities through CompassConnect include foreign & domestic wire transfers, intra‐bank transfers, ACH, account activity monitoring, Coin and Currency Ordering, Large Dollar Return Notifications, and Check Adjustments from Federal Reserve.

      CompassConnect only handles and transfers information between the customer and the originating system. There is no relationship between CompassConnect and any reported financial statements. For example, if the customer wishes to wire money to the FED through Compass Bank, that information is entered into CompassConnect. CompassConnect then interfaces with our original Fundtech wire system to process that order. If the customer is receiving a wire through us, then that transaction is still processed by our wire department and relayed through CompassConnect to the customer. CompassConnect does not actually process the transaction; it merely acts as a transfer agent.

      Conclusion: Because CompassConnect only acts as a pass‐through tool for correspondent banks and does not directly influence financial statements, it does not qualify for SSAE 16 treatment, and is also not SOX critical.

      1. Hi Ashley, given this explanation of the service they provide, and the way they provide it, I agree with Compass that they are probably not a good candidate for the SSAE 16 (or SOC 1). However, because they do act as a conduit for information to and from you and other service providers, you should obtain assurances that their systems and controls are capable of maintaining a secure environment. Your concerns are: is my data secure in transmission, who has access to my data while in their possession, how are they assuring the integrity of my data, and do they have systems in place to mitigate downtime? The best report for that is the SOC 2.
        Hope this helps!

        1. Thanks for your response. I did ask for a SOC 2 Report and the response above is what they sent me.

          1. If they are either unwilling or unable to provide the information you need in the format you require, you’ll have to find assurances in other ways. For example, you’ll need to request and receive their DR plan along with testing results in order to verify their recovery capabilities. You’ll need to get a copy of their Information Security plan to see how they are protecting and restricting access to your data while in their control. You’ll also want to review their annual PEN test results, as well as any other non-financial auditor reports. Lacking any of these assurances, the Board will need to be advised of your increased on-going concerns.

  3. I’m beginning to advise a third-party provider to banks, and thus the company is subject to FFIEC guidance (storing PII, etc.). If we develop and have a SOC 2 issued (security, confidentiality, privacy), can this be provided to banks requesting us to complete a risk assessment or SIG?

    Ideally we would like to avoid allowing on-site visits and filling out multiple SIG/Risk Assessments throughout the year. Any experience with this?

    1. Yes, the SOC 2 is designed to address many (if not most) of the concerns a financial company would have regarding its service providers. And although the SIG simply asserts that the controls are present, a SOC 2 Type II engagement will also speak to control effectiveness. Regarding the intended audience, unlike the older SAS 70 and current SOC 1, which are auditor-to-auditor communications, the SOC 2 is intended for all “specified parties” of the service organization. So a SOC 2 Type II addressing all 5 trust criteria should allow you to avoid most, if not all, on-site visits.