What do all of the 2012 changes to the IT Examination Handbooks have in common? They are all, directly or indirectly, related to vendor management. I had previously identified vendor management as a leading candidate for increased regulatory scrutiny in 2012, and boy was it. (Not all of my 2012 predictions fared as well; I’ll take a closer look at the rest of them in a future post.)
So there is definitely more regulatory focus on vendors, and it’s a pretty safe bet that this will continue into 2013. It usually takes about 6-12 months before new guidance is fully digested into the examination process, so expect additional scrutiny of your vendor management process during your 2013 examination cycle. Since guidance is notoriously non-prescriptive we don’t know exactly what to expect, but we can be certain that third-party reviews will be more important than ever. Third-party audit reports, such as the SAS 70 in previous years, and now the new SOC reports (particularly the SOC 1 & SOC 2), provide the best assurance that your vendors are in fact treating your data with the same degree of care that regulators expect from you. As the FFIEC stated in their recent release on Cloud Computing:
“A financial institution’s use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations.”
Undoubtedly third-party audit reports will still be the best way for you to ensure that your vendors are compliant, but there seems to be considerable confusion about exactly which of the 3 new SOC reports are the “right” ones for you. In fact, in a recent webinar we hosted with a leading accounting firm, one of the firm’s partners stated that “there are a few instances where you might receive a SOC 1 report where a SOC 2 might be more appropriate”. And this is exactly what we are seeing: technology service providers are having a SOC 1 report prepared when what the financial institution really wants and needs is a SOC 2.
Why is it important for you to understand this? Because the SOC 1 (also known as the SSAE 16) reporting standard specifically states that it is to be used only for assessing controls over financial reporting. It is their auditor telling your auditor that the information they are feeding into your financial statements is reliable. On the other hand, the SOC 2 reporting standard is a statement from their auditor directly to you, and addresses the following criteria:
- Security – The service provider’s system is protected against unauthorized access.
- Availability – The service provider’s system is available for operation as contractually committed or agreed.
- Processing Integrity – The provider’s system is accurate, complete, and trustworthy.
- Confidentiality – Information designated as confidential is protected as contractually committed or agreed.
If these sound familiar, they should. The FFIEC Information Security Booklet lists the following security objectives that all financial institutions should strive to accomplish:
- Privacy & Security (elements of GLBA)
- Integrity of data or systems
- Confidentiality of data or systems
As you can see, there is considerable overlap between what the FFIEC expects of you and what the SOC 2 report tells you about your service provider. So why are we seeing so many service providers prepare SOC 1 reports when the SOC 2 is called for? I think there are two reasons. First, because they are functionally equivalent, the SOC 1 is an easier transition if they are coming from the SAS 70. I can tell you from our transition experience that the SOC 2 reporting standard is not just different; it is substantially broader and deeper than the SAS 70. So some vendors may simply be taking the path of least resistance.
But the primary reason is that if the vendor provides a service to you that directly impacts your financial statements (like the calculation of interest), they must produce a SOC 1. But if they additionally provide services unrelated to your financial statements, should they also produce a SOC 2? In almost every case, the answer is “yes”, because for all of the above reasons, the SOC 1 simply will not address all of your concerns.
The next couple of years will be transitional ones for most technology service providers as they adjust to the new auditing standards, and for you as you begin to digest the new reports. But will the examiners be willing to give you a transition period? In other words, should you wait for your examiner to find fault with your vendor management program before you start updating it? I’m not sure that taking a wait-and-see attitude is prudent in this case. The regulatory expectations are out there now, the reporting standards are out there, and the risk is real: you need to be proactive in your response.
(NOTE: This will be covered more completely in a future post, but the CFPB has also recently issued guidance on vendor management, and they are staffing up with new examiners. Are there three scarier words to a financial institution than “entry-level examiners”?!)