Financial Services - Is there a SOC 1 in your future?

Why would a financial services company need a SOC 1?

In an ever-changing market, organizations providing financial services have expanded their service offerings to increase their bottom line. These services traditionally would have been performed in-house by segregated departments within the financial services company. Providing services such as lock box, direct cash receipts and P-Card procurement typically has a direct impact on customers' internal control over financial reporting (ICFR). In an already regulated environment, services that affect a customer's ICFR warrant the need for a SOC 1 and could potentially also satisfy some of the regulatory requirements. Illustrative control objective areas for business operations related to handling transactional activity, as defined by the AICPA, could include:

Controls provide reasonable assurance that transactions are:

  • authorized and received only from authorized sources 
  • validated in a complete, accurate, and timely manner
  • entered, processed, recorded, and reported in a complete manner
  • entered, processed, recorded, and reported in an accurate manner
  • entered, processed, recorded, and reported in a timely manner
  • recorded and reported in the proper accounts

In addition to business processes or operations areas, some financial services companies develop and host applications for customers to handle transactional activity related to the services being provided.  In such instances, the scope of the SOC 1 report would expand to include general information technology controls that support such infrastructure and/or applications.  Illustrative control objective areas for such controls, as defined by the AICPA, could include:

Information Security

Controls provide reasonable assurance that

  • logical access to programs, data, and computer resources is restricted to authorized and appropriate users, and such users are restricted to performing authorized and appropriate actions.
  • physical access to computer and other resources is restricted to authorized and appropriate personnel.

Change Management

Controls provide reasonable assurance that

  • changes to application programs and related data management systems are authorized, tested, documented, approved, and implemented to result in the complete, accurate, and timely processing and reporting of transactions and balances.
  • network infrastructure is configured as authorized to (1) support the effective functioning of application controls to result in valid, complete, accurate, and timely processing and reporting of transactions and balances and (2) protect data from unauthorized changes.

Computer Operations

Controls provide reasonable assurance that

  • application and system processing are authorized and executed in a complete, accurate, and timely manner, and deviations, problems, and errors are identified, tracked, recorded, and resolved in a complete, accurate, and timely manner.
  • data transmissions between the service organization and its user entities and other outside entities are from authorized sources and are complete, accurate, secure, and timely.
  • data is backed up regularly and is available for restoration in the event of processing errors or unexpected processing interruptions.

Ensuring that client needs, alongside rigorous regulatory requirements, are being met can be challenging in a complex environment and can cause employee hardship and audit fatigue. Looking to specialists can help you map out a control framework that relieves the burden of ensuring requirements are achieved while meeting the needs of your clients. A well-structured control framework and a quality audit will reveal the high level of service provided to your clients and help demonstrate the security and availability of those services.

About the Author

Nick Bruce

Nick Bruce is a Senior Associate with Schellman & Company, LLC based in Atlanta, GA. Prior to joining Schellman in 2015, Nick worked as a Senior Associate among the "Big 4", specializing in SOX ITGC evaluation for financial statement audits and SSAE 18 compliance in the technology, insurance and not-for-profit industries. As a part of the SOC Services group, Nick helps clients solve problems and explore new areas for improvement based on the organization's adoption of new processes and technology. Nick has served clients in both internal and external audit capacities. During this time, Nick has obtained the CISA professional license and hands-on experience working with major platforms and databases including Windows, Unix, Oracle DB, SQL Server, DB2, and SAP.
