Pub. 12 2017-2018 Issue 3
NEBRASKA BANKERS ASSOCIATION 19

Leticia Saiid is a Security+ certified tandem software support specialist for CoNetrix. Among its security and technology services, CoNetrix offers the tandem information security software suite, including popular programs such as Risk Assessments and Vendor Management. Visit the CoNetrix website at www.CoNetrix.com or email info@CoNetrix.com to learn more about its vendor management products and services.

Services Covered

SOC reports are valuable for monitoring a service organization's stability and security. However, it is important to consider the service you receive from the vendor and ensure the service you use, or plan to use, is included in the reported audit engagement. The Independent Service Auditor's Report section should identify all assessed services.

Complementary User Entity Controls

Complementary user entity controls are controls the service provider assumes you, as the client, will implement to complete the security. See the Scope section to determine if there are any complementary user entity controls. If complementary user entity controls exist, proceed to the section titled Description of Controls (or similar) for a list. Document the list in your review and ensure your bank has implemented the assumed controls.

Subservice Organizations

Subservice organizations are any organizations the vendor relies on to provide services to their clients. See the Scope section to determine if any subservice organizations or service providers are identified. If subservice organizations exist, proceed to the section titled Management's Assertion (or similar) for a list of subservice organizations.

Report Limitations

Limitations include anything that could limit the ability of the auditor to document or test a control, such as an area that could not be tested at the time. See the Limitations section to determine if there were any limitations present during the examination.
Auditor's Opinion

The auditor's opinion should assert that the service organization's controls are (1) described fairly, (2) designed effectively, and, for Type 2 reports, (3) operating effectively over a specified period of time. This wording is standardized in all SOC reports. See the Opinion section to review the auditor's judgment. If any significant exceptions exist, document the exceptions in your review.

Control Weaknesses

Type 2 SOC reports include a section called Test Results (or similar) to identify any exceptions. The auditor's opinion should identify any significant issues. The test results, however, identify all issues, even if they were not considered significant enough for the auditor to highlight. See the Results column of the Test Results section for exceptions. Each noted exception should be considered a weakness for the control.

Document these seven concepts on each SOC report review to help ensure your relationship with a vendor is, or would be, a beneficial relationship for your bank. By recognizing and evaluating a vendor's weaknesses in this way, you can help ensure any relationship between your bank and the vendor is as strong and secure as possible.