OCC 2017 FAQ 14 – Can a bank rely on a third party’s Service Organization Control (SOC) report, prepared in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18 (SSAE 18)?

Q:  Can a bank rely on a third party’s Service Organization Control (SOC) report, prepared in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18 (SSAE 18)?
 
A:  In meeting its due diligence and ongoing monitoring responsibilities, a bank may review a third party’s SOC report prepared in accordance with SSAE 18 to evaluate the effectiveness of the third party’s risk management program, including policies, processes, and internal controls. If a third party uses subcontractors (also referred to as fourth parties), a bank may find the third party’s SSAE 18 report particularly useful, as SSAE 18 requires the auditor to determine and report on the effectiveness of controls the third party has implemented to monitor the controls of the subcontractor. In other words, the SSAE 18 report will address the question as to whether the third party has effective oversight of its subcontractors. A bank should consider whether an SSAE 18 report contains sufficient information and is sufficient in scope to assess the third party’s risk environment or whether additional audit or review is required for the bank to properly assess the third party’s control environment.
 
 
ADDITIONAL INFORMATION:
This information was obtained from OCC Bulletin 2017-21 – Frequently Asked Questions to Supplement OCC Bulletin 2013-29: https://www.occ.gov/news-issuances/bulletins/index.html
 
