How SOC 1 Reports Can Benefit Financial Services Organizations

SOC Examinations

Why would a financial services company need a SOC 1?

In an ever-changing market, organizations providing financial services have expanded their service offerings to increase their bottom line. These services traditionally would have been performed in-house by segregated departments within the financial services company. Providing services such as lockbox, direct cash receipts, and P-Card procurement typically has a direct impact on customers' internal control over financial reporting (ICFR). In an already regulated environment, services that impact a customer's ICFR would warrant a SOC 1 and could potentially also satisfy some regulatory requirements. Illustrative control objective areas for business operations related to handling transactional activity, as defined by the AICPA, could include:

Controls provide reasonable assurance that transactions are:

  • authorized and received only from authorized sources
  • validated in a complete, accurate, and timely manner
  • entered, processed, recorded, and reported in a complete manner
  • entered, processed, recorded, and reported in an accurate manner
  • entered, processed, recorded, and reported in a timely manner
  • recorded and reported in the proper accounts

In addition to business process or operations areas, some financial services companies develop and host applications for customers to handle the transactional activity related to the services being provided. In such instances, the scope of the SOC 1 report would expand to include the general information technology controls that support such infrastructure and/or applications. Illustrative control objective areas for such controls, as defined by the AICPA, could include:

Information Security

Controls provide reasonable assurance that

  • logical access to programs, data, and computer resources is restricted to authorized and appropriate users, and such users are restricted to performing authorized and appropriate actions.
  • physical access to computer and other resources is restricted to authorized and appropriate personnel.

Change Management

Controls provide reasonable assurance that

  • changes to application programs and related data management systems are authorized, tested, documented, approved, and implemented to result in the complete, accurate, and timely processing and reporting of transactions and balances.
  • network infrastructure is configured as authorized to (1) support the effective functioning of application controls to result in valid, complete, accurate, and timely processing and reporting of transactions and balances and (2) protect data from unauthorized changes.

Computer Operations

Controls provide reasonable assurance that

  • application and system processing are authorized and executed in a complete, accurate, and timely manner, and deviations, problems, and errors are identified, tracked, recorded, and resolved in a complete, accurate, and timely manner.
  • data transmissions between the service organization and its user entities and other outside entities are from authorized sources and are complete, accurate, secure, and timely.
  • data is backed up regularly and is available for restoration in the event of processing errors or unexpected processing interruptions.

Ensuring that client needs, alongside rigorous regulatory requirements, are being met can be challenging in a complex environment and can cause employee hardship and audit fatigue. Looking to specialists can help you map out a control framework that relieves the burden of ensuring requirements are achieved while still meeting the needs of your clients. A well-structured control framework and a quality audit will reveal the high level of service provided to your clients and help demonstrate the security and availability of those services.

About Nick Bruce

Nick Bruce is a Senior Associate in the SOC Services practice of Schellman. As part of the SOC Services group, Nick helps clients solve problems and explore new areas for improvement based on the organization's adoption of new processes and technology. His experience prior to Schellman includes nearly four years of "Big 4" experience at EY performing SSAE 16 SOC reports and ITGC evaluations for financial statement audits, serving clients in the technology, insurance, and not-for-profit industries.