Financial Services - Is there a SOC 1 in your future?

May 2, 2017 Nick Bruce

Why would a financial services company need a SOC 1?

In an ever-changing market, organizations providing financial services have expanded service offerings to increase their bottom line.  These services traditionally would have been performed in-house by segregated departments within the financial services company.  Providing such services as lock box, direct cash receipts and P-Card procurement typically have direct impact on customers internal control over financial reporting (ICFR). In an already regulated environment, such services impacting a customer’s ICFR would warrant a need for a SOC 1 and could potentially also satisfy some of the regulatory requirements.  Illustrative controls objective areas for business operations related to handling transactional activity, as defined by the AICPA, could include:

Controls provide reasonable assurance that transactions are:

  • authorized and received only from authorized sources 
  • validated in a complete, accurate, and timely manner
  • entered, processed, recorded, and reported in a complete manner
  • entered, processed, recorded, and reported in an accurate manner
  • entered, processed, recorded, and reported in a timely manner
  • recorded and reported in the proper accounts

In addition to business processes or operations areas, some financial services companies develop and host applications for customers to handle transactional activity related to the services being provided.  In such instances, the scope of the SOC 1 report would expand to include general information technology controls that support such infrastructure and/or applications.  Illustrative control objective areas for such controls, as defined by the AICPA, could include:

Information Security

Controls provide reasonable assurance that

  • logical access to programs, data, and computer resources is restricted to authorized and appropriate users, and such users are restricted to performing authorized and appropriate actions.
  • physical access to computer and other resources is restricted to authorized and appropriate personnel.

Change Management

Controls provide reasonable assurance that

  • changes to application programs and related data management systems are authorized, tested, documented, approved, and implemented to result in the complete, accurate, and timely processing and reporting of transactions and balances.
  • network infrastructure is configured as authorized to (1) support the effective functioning of application controls to result in valid, complete, accurate, and timely processing and reporting of transactions and balances and (2) protect data from unauthorized changes.

Computer Operations

Controls provide reasonable assurance that

  • application and system processing are authorized and executed in a complete, accurate, and timely manner, and deviations, problems, and errors are identified, tracked, recorded, and resolved in a complete, accurate, and timely manner.
  • data transmissions between the service organization and its user entities and other outside entities are from authorized sources and are complete, accurate, secure, and timely.
  • data is backed up regularly and is available for restoration in the event of processing errors or unexpected processing interruptions.

Ensuring that client needs, alongside rigorous regulatory requirements, are being met can be challenging in a complex environment and can cause employee hardship and audit fatigue.  Looking towards specialists can help you map out a control framework to help relieve the burden of ensuring requirements are achieved while meeting the needs of your clients.  A well-structured control framework and quality audit will reveal a high quality level of service provided to your clients that helps demonstrate the security and availability of services.

Previous Flipbook
SOC Reports Comparison Chart
SOC Reports Comparison Chart

Next Video
SOC 1 Overview
SOC 1 Overview

To compete in today's marketplace, your customers must have trust and confidence in your environment.