SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

How SOC 1 Reports Can Benefit Financial Services Organizations

SOC Examinations

Why would a financial services company need a SOC 1?

In an ever-changing market, organizations providing financial services have expanded service offerings to increase their bottom line.  These services traditionally would have been performed in-house by segregated departments within the financial services company.  Providing such services as lock box, direct cash receipts and P-Card procurement typically have direct impact on customers internal control over financial reporting (ICFR). In an already regulated environment, such services impacting a customer’s ICFR would warrant a need for a SOC 1 and could potentially also satisfy some of the regulatory requirements.  Illustrative controls objective areas for business operations related to handling transactional activity, as defined by the AICPA, could include:

Controls provide reasonable assurance that transactions are:

  • authorized and received only from authorized sources 
  • validated in a complete, accurate, and timely manner
  • entered, processed, recorded, and reported in a complete manner
  • entered, processed, recorded, and reported in an accurate manner
  • entered, processed, recorded, and reported in a timely manner
  • recorded and reported in the proper accounts

In addition to business processes or operations areas, some financial services companies develop and host applications for customers to handle transactional activity related to the services being provided.  In such instances, the scope of the SOC 1 report would expand to include general information technology controls that support such infrastructure and/or applications.  Illustrative control objective areas for such controls, as defined by the AICPA, could include:

Information Security

Controls provide reasonable assurance that

  • logical access to programs, data, and computer resources is restricted to authorized and appropriate users, and such users are restricted to performing authorized and appropriate actions.
  • physical access to computer and other resources is restricted to authorized and appropriate personnel.

Change Management

Controls provide reasonable assurance that

  • changes to application programs and related data management systems are authorized, tested, documented, approved, and implemented to result in the complete, accurate, and timely processing and reporting of transactions and balances.
  • network infrastructure is configured as authorized to (1) support the effective functioning of application controls to result in valid, complete, accurate, and timely processing and reporting of transactions and balances and (2) protect data from unauthorized changes.

Computer Operations

Controls provide reasonable assurance that

  • application and system processing are authorized and executed in a complete, accurate, and timely manner, and deviations, problems, and errors are identified, tracked, recorded, and resolved in a complete, accurate, and timely manner.
  • data transmissions between the service organization and its user entities and other outside entities are from authorized sources and are complete, accurate, secure, and timely.
  • data is backed up regularly and is available for restoration in the event of processing errors or unexpected processing interruptions.

Ensuring that client needs, alongside rigorous regulatory requirements, are being met can be challenging in a complex environment and can cause employee hardship and audit fatigue.  Looking towards specialists can help you map out a control framework to help relieve the burden of ensuring requirements are achieved while meeting the needs of your clients.  A well-structured control framework and quality audit will reveal a high quality level of service provided to your clients that helps demonstrate the security and availability of services.

About NICK BRUCE

Nick Bruce is a Senior Associate in the SOC Services practice of Schellman. As a part of the SOC Services group, Nick helps clients solve problems and explore new areas for improvement based on the organization’s adoption of new processes and technology. His prior experience to Schellman includes nearly four years of “Big 4” experience at EY performing SSAE 16 SOC reports and ITGC evaluation for financial statement audit serving clients in the technology, insurance and not for profit industries.