SOC/IT assurance services in fintech: A new era of accountability

Matthew Pong, Marguerite Williams, James Lichau • October 21, 2024

Services: Risk Advisory, Assurance, Penetration Testing, Cybersecurity Assessment
The fintech industry is facing a paradigm shift in accountability and oversight. Recent changes have placed increased responsibility on board members for IT controls within their organizations. This development underscores the growing recognition of cybersecurity as a core business issue rather than just an IT concern. 

Furthermore, the Securities and Exchange Commission (SEC) recently implemented new reporting requirements regarding subservice organization failures. This means that if a third-party vendor experiences a data breach, the primary organization may be held responsible. The change highlights the critical need for comprehensive vendor management and due diligence. The Commission also now mandates enhanced, standardized disclosures of cybersecurity incidents and risk management strategies. Under rules adopted on July 26, 2023, registrants must provide detailed information about their approach to managing cybersecurity risks, including how they oversee their vendors’ security practices.

At the same time, the recent CrowdStrike incident serves as a reminder of the far-reaching consequences of security failures in fintech. This event, which impacted major airlines, banks and healthcare providers, underscores the critical importance of robust security measures and the potential fallout when those measures fail. It also exposes the complexities of managing subservice organizations in today’s interconnected business world.  

As a subservice provider to numerous companies, CrowdStrike’s issues cascaded through its clients’ operations, causing widespread disruptions. This ripple effect emphasizes the need for thorough vendor management and a comprehensive understanding of an organization’s entire technology supply chain. 

In response to these changes and events, many organizations are reevaluating their change management processes – a key component of SOC examinations. Implementing stringent controls around system updates and changes can help prevent similar issues in the future.

Given the increasing importance of SOC reports in addressing these challenges, it’s crucial to understand their types and purposes. Let’s explore the different SOC reports and how they can help fintech companies manage these complex regulatory and security demands. 

Understanding SOC reports

There are three types of SOC reports. Each type serves a specific purpose: 

  • SOC 1: Focused on internal controls over financial reporting, SOC 1 reports are crucial for fintech companies that process financial transactions on behalf of their clients.
     
  • SOC 2: Based on the AICPA’s Trust Services Criteria, SOC 2 reports cover security, availability, confidentiality, processing integrity and privacy. Most organizations start with security as the base and add other criteria as needed.
     
  • SOC for cybersecurity: An emerging trend, these reports provide a comprehensive view of an organization’s cybersecurity risk management program. 

The SOC examination process

A structured SOC examination process typically involves the following steps: 

  1. Readiness assessment: An initial evaluation to identify gaps and prepare for a SOC examination. 
  2. Type 1 Report: Assesses the design and implementation of controls at a specific point in time. 
  3. Type 2 Report: Evaluates the operating effectiveness of controls over a period of time, usually 6-12 months. 

The importance of quality in SOC reports

Not all SOC reports are created equal. The quality and detail of a SOC report can significantly impact its usefulness to user entities and their auditors. A high-quality report provides clear, specific control descriptions and thorough testing procedures, giving stakeholders confidence in the service organization’s processes. 

The reputation of the service auditor also plays a crucial role. When reviewing SOC reports, many organizations consider the auditor’s reputation part of their assessment.  

Why BPM?

BPM offers a unique combination of industry experience and a commitment to quality that sets us apart. Working with BPM means fintech companies get a partner with a strong reputation for delivering comprehensive, high-quality SOC reports. We pride ourselves on delivering detailed, clear and actionable reports that stand up to scrutiny from user entities and their auditors. We are also highly experienced. Our team understands the nuances of the fintech industry, allowing us to provide insights tailored to your specific needs. We offer a comprehensive approach, from readiness assessments to final reporting, to help you secure your systems and build trust with your stakeholders. 

As the fintech industry continues to evolve, the importance of robust SOC reports will only increase. These reports are not just compliance checkboxes – they are vital tools for building trust, managing risk and helping ensure the long-term success of your fintech enterprise. 

With new regulations placing greater responsibility on boards and executives for IT controls and vendor management, now is the time to assess your SOC needs. Whether you’re looking to obtain your first SOC report or seeking to improve the quality and comprehensiveness of your existing assurance processes, BPM is here to help. To find out more, contact us.  

James Lichau

Partner, Assurance
Financial Services Co-leader

With 15 years in public accounting, James has provided accounting and audit experience to both public and private companies. James …

Matthew Pong

Senior Manager, Assurance

Matthew is a Senior Manager in BPM’s IT Assurance group and has a decade of experience in the accounting industry.   …

Marguerite Williams

Director, IT Assurance

Marguerite has over 10 years of IT Assurance experience in public accounting, two of which were at the Big Four, …