By Bassam Alousi, Director-Technology, White Clarke Group
Due to global financial market regulations, banks and financial institutions are forced to comply with several regulatory requirements. In the past, these regulatory requirements were specific to banking and financing organizations.
In the past few years, many financial institutions have been outsourcing several functions to external service providers (Application Service Provider (ASP), Software as a Service (SaaS), or Cloud Service Provider). These functions include, but are not limited to: accounting (receivable, payable), financing (loan origination and contract management), document management, IT (network, storage, backup, hosting, co-location) and payroll. Because these financial functions are delegated and outsourced, the financial institutions depend not only on the quality and accuracy of these financial transactions but also on the service provider to securely process and store confidential and sensitive information (such as customer personal information). Lately, service providers are being asked to meet increased compliance requirements to demonstrate a controlled environment for the outsourced functions. Three years ago, the Consumer Financial Protection Bureau (CFPB) announced that it expects supervised banks and non-banks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm.
A major part of these regulatory requirements can be satisfied by an SSAE 16 SOC 1 report, which is produced by an independent audit firm. SSAE 16 plays an important role for the external service provider by providing credibility, trust and a compliance standard with the banks or financial institutions. In simple words, a SOC 1 audit tells the bank if the service provider is doing what it promised. In technical terms, the SOC 1 report includes a review and audit of the following major areas:
1. Control Environment: This is the foundation of the other areas of internal control; it sets the tone of the organization and influences the control consciousness of its personnel. The control environment factors include integrity and ethical values, management’s commitment to competence, organizational structure (assignment of authority and responsibility), and oversight and direction from management.