Compliance-Not Only For Banks

Security: The protection of information systems and data

a. Physical & Environmental Security: to protect the information system from physical or environmental threats.

b. Logical Access (Information Security): to provide reasonable assurance that system information is protected from unauthorized use, modification, addition or deletion.

c. Data Security: this is to ensure that the data maintains its integrity and security as it is being processed, transmitted (between systems), and stored.

3. Risk Assessment: This includes identifying the risks that threaten achievement of control objective, estimating the significance of identified risks, assessing the likelihood of their occurrence, and deciding about actions to address these risks.

4. System (Computer) Operations: To address the identified risks and to deliver functions that the system is required to provide, a set of control activities need to be placed into operation to ensure that the actions carried out properly and efficiently. This includes:

a. Data Backups: this is to provide reasonable assurance that application and data backup processes are in place and being monitored.

b. System Availability: this is to provide reasonable assurance that system are maintained in a manner that helps ensure the required system availability.

c. Job Processing: this is to provide a reasonable assurance that any batch jobs are scheduled and monitored to ensure successful completion or processing problems are resolved.

5. Change Control: this is to provide reasonable assurance that changes to the production system or application are authorized, tested, approved, properly implemented and documented.

There are two type of SOC 1 Report:

• Type 1 Report is a report on policies and procedures placed in operation as of a specified point in time. SOC 1 Type 1 reports evaluate the design effectiveness of a service provider’s controls and then confirms that the controls have been placed in operation as of a specific date (point in time).

• Type 2 Report is a report on policies and procedures placed in operation and tests of operating effectiveness for a period of time. SOC 1 Type 2 reports include the examination and confirmation steps involved in a Type 1 examination plus include an evaluation of the operating effectiveness of the controls for a period of at least six consecutive calendar months.

The scope of the SOC 1 audit is determined by the service provider. Making sure to scope the audit properly would clearly demonstrate the service provider quality of service and ensure that sufficient information is provided to the service provider’s clients.

The SOC 1 Audit Process can go through five major phases:

1. Discovery and Compliance Awareness: in this phase the service provider needs to prepare their internal team for the audit process by providing the relevant compliance information and requirements to team members.

2. Scoping & planning: each service provider have different types of services that they offer to financial institutes. The scope of the audit varies based on the services being offered.

3. Planning: as any project the SOC 1 Audit Process detailed planning need to be performed in the early stages of the project to make sure that all resources required in the scope are available and all required skills for this project do exist.

4. Type 1 Assessment & Action Plan: here you involve a certified third party vendor to perform the Point In Time Assessment to provide the SOC 1 Type 1 Report. The next part of this phase is to review and implement the recommended improvement to your Processes.

5. Type 2 Assessment: once the process improvement have been applied then you are ready for the final audit.

Demand for SSAE 16 SOC Reports should increase in the coming years because of the higher growth in outsourcing financial functions. Service providers need to pro-actively perform the SSAE Audit and get a clean SOC 1 Type 2 report to increase their chances of getting business from Banks and Financial Institutions.