Audit and 3rd-Party Risk Management
Regulatory compliance requirements have influenced business processes and related controls for decades. Good business processes with relevant controls underpin many business functions, including the office of finance. Proof of those controls helps streamline the audit process and produce strong audit outcomes.
Over the past several years, the topic of 3rd-Party risk management has become a focal point for both private and public businesses. Popular trends like business process outsourcing (BPO) and cloud-based solutions have reduced risk in some areas while increasing it in others. Some companies may not have the scale to maintain proper segregation of duties or strong control structures, whereas BPO and cloud-based providers do have the scale to ensure proper controls. But as controls improve and risk falls in one area, risk may rise in others, because businesses have become more reliant on 3rd-Parties and data and the related controls are now processed outside the company. This is especially true when the data and processes belong to the office of finance. These risks have caught the attention of auditors and regulators alike. One potential challenge arises when the compliance standards of the company and of its service providers do not overlap cleanly.
At Trintech, we have spent years working with our customers across a variety of industries to ensure that the compliance gap is eliminated.
SaaS Software Compliance Programs
SaaS software companies’ externally facing compliance programs are generally based on controls and processes defined by SSAE/18, ISO 27001, industry-specific requirements (e.g. HIPAA) and data privacy regulations (GDPR, CCPA, etc.).
Office of Finance Compliance Programs
An organization’s office of finance’s controls are driven by the Financial Accounting Standards Board (FASB), Accounting Standards Codification (ASC), Committee of Sponsoring Organizations of the Treadway Commission (COSO), Sarbanes-Oxley (SOX), the Foreign Corrupt Practices Act (FCPA), and a variety of international or industry-related compliance requirements. More importantly, their practices are going to be influenced by the views and interpretations of their audit firm.
A Literal Pair of Socks <Saaks>
When asked to approve a cloud-based software solution for the office of finance, a leader in the department of accounting of a publicly-traded company states, “I need to get comfortable with their support for our SOX (Sarbanes-Oxley Act) controls requirements.”
When they inquire with the prospective cloud-based vendor, the response they get is, “Sure, we can provide you our SOC (System and Organizational Controls) attestations.” Though pronounced the same, those two <saaks> are not the same thing.
The gaps between the regulatory requirements of a customer and the perceived requirements of a vendor are nothing new. For example, if you were to ask the employees of an online peer-to-peer payment system or online banking software, “Are you a SaaS software company or a financial institution?” the answer would likely be “a SaaS software company”.
Likewise, the SaaS software company would view controls through an SSAE/18 compliance lens. The financial institution almost always views them through an FFIEC lens, and the FFIEC treats these platforms as an extension of the financial institution. There will be overlap; there will also be gaps.
Bridging the Gap
Trintech’s business is based on providing systems of accounting controls and intelligence to customers ranging from privately-held, lower middle-market companies all the way through to publicly traded, global enterprises. We have spent years working side-by-side with customers to ensure great audit outcomes. Ways in which we’ve bridged the gap include:
- Continually evolving our solutions and product roadmap to include the compliance needs of the office of finance
- Basing our SaaS data privacy standards on the strictest international standards (e.g. Norwegian privacy) and then auditing against international standards (e.g. GDPR)
- Extending SSAE/18 (SOC) controls and audit validations to include cyber and data control additions to Sarbanes-Oxley (SOX) audits
- Re-validating SSAE/18 audits on a rolling 6-month cycle to meet auditor limits on the maximum number of bridge letters accepted
- Continuing to monitor US and international laws and case law to ensure our programs and practices meet the needs of our international customer base
- Working closely with customer third-party risk management programs to give them the confidence in our company and our solutions
As a SaaS software company, there are two views one could take on the topic of compliance. One is to treat compliance as an achievement or a milestone. The second — and the one that Trintech takes — is to consider it an ongoing responsibility driven by customers, regulators, and a desire for excellence.