Banking Technology Connections: August 14, 2012
During a number of recent reviews, we have seen vendor management programs still asking for the old SAS70 reports. Is your program updated? Here are some considerations if it is not:
SAS No. 70 is no longer available and has been effectively replaced by three reporting standards called Service Organization Controls (SOC) Reports.
SOC 1 (also known as SSAE No. 16) is applicable to internal controls over financial reporting. If you are using a product or service by the service organization that has an impact on your financial statements, SOC 1 is the appropriate report to obtain.
SOC 2 is applicable to internal controls over security, availability, processing integrity, confidentiality, and privacy (these areas are known as the Trust Services Principles and Criteria). If you are using a product or service from the service organization that does not impact your financial statements, but you still rely on the service organization for the security, availability, and processing integrity of systems or the confidentiality and privacy of data, SOC 2 is the appropriate report to obtain. Not all five Trust Services Principles and Criteria need to be covered in the SOC 2 report, only those that are relevant to the product and service provided. SOC 1 and SOC 2 provide details on internal controls at the service organization.
SOC 3 (also known as SysTrust and WebTrust) is applicable to the same Trust Services Principles and Criteria as SOC 2; however, it is an abbreviated report that can be provided publicly via the service organization's website.
SOC 2 is still in its infancy, and while some adoption has taken place, we still have work to do. We continue to see service organizations inappropriately issuing a SOC 1 when a SOC 2 is relevant to the product or service being provided. Why do we believe that is happening? Is the industry simply not providing enough education? Perhaps we are on course, but we just need to give it some more time.
One Tuesday each month we will feature comments from our professionals on topical issues. This month's contributor is Victoria A. Graves, CISA, CRISC, a Senior Manager in the IT Assurance Services group. Please feel free to contact her with any questions at firstname.lastname@example.org.
Interesting Articles of the Week
Sad but good story to learn from: Apple and Amazon Hacks: How to Minimize Your Risk.
67,000 phones likely to be lost or stolen during London Olympics.
How Bank Customers Are Changing the Game for Banks.
Independent Study Finds that Financial Institutions are Losing Clients as a Result of a Single Fraud Attack.
David's Bridal is not liking social media right now. A poor response from corporate generates even more negativity...
IRS missing billions in ID theft--"Deposited 590 different refunds into 1 bank acct".
Do you have an article that you would like to share with the group? Let us know and we will add it to the list! Did you miss a newsletter? Check out past newsletters here.
8/23/12 (Nashville, TN)
FMS: Managing Technology in Financial Institutions
9/7/12 (Bretton Woods, NH)
NH/VT Bankers Association: Annual Conference
9/7/12 (Marlborough, MA)
MA Bankers Association: 2012 Risk Managers Forum
9/9/12 (Verona, NY)
IBANYS: Annual Convention
9/12/12 (Atlantic City, NJ)
NJ Bankers Association: Senior Manager Conference
9/13/12 (East Greenwich, RI)
ISACA RI: Software (In) Security – The Problem
9/13/12 (Newport, RI)
Maine Bankers Association: Annual Conference
9/18/12 (Wisconsin Dells, WI)
Wisconsin Bankers Association: Technology Conference
10/17/12 (Marlborough, MA)
Massachusetts Bankers Association: IT Audit Training 2012
11/2/12 (Atlantic City, NJ)
NJ Bankers Association: BankHorizons
Do you have an event that you would like to share with the group? Let us know and we will add it to the list!
Questions? Interested in learning more about Wolf's IT Assurance and Security services?
Please contact Matthew J. Putvinski, CPA, CISA, CISSP, Member of the Firm and Director of IT Assurance and Security services, at (617) 428-5479 or email@example.com.
If you would like to subscribe to this newsletter and receive it via email please contact Sam Sexer at firstname.lastname@example.org.