United States

Controlling risk in your financial institution’s IT environment

Outsourcing considerations


In today’s business environment, it is critical that financial institutions stay up-to-date with IT compliance as the requirements constantly evolve in response to new forms of business risk. To protect itself against cyber exposure, a bank’s IT environment must adapt and respond with the necessary controls. According to the AICPA, “Organizations are under increasing pressure to demonstrate that they are managing threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from cybersecurity events.”1 Between the new items that need to be included in a business continuity plan, incident response plan, information security program, vendor management program, IT risk assessments, cybersecurity programs, board updates, and information security awareness trainings for staff throughout the year, keeping up is a resource-intensive task.

Middle market institutions sometimes struggle to free up workers for these increasingly demanding and burdensome activities. Whether an institution outsources compliance to a third-party provider or decides to take care of it internally, their compliance program must be robust. Ideally, banks should take a comprehensive, proactive and long-term approach to operational risk management that integrates the following considerations: people, IT, organizational culture, and regulations.2

In the last decade, the number of business functions being outsourced by companies has increased dramatically, and we can expect to see this trend continue. This rise in outsourcing and cloud computing creates serious liability concerns and exposes banks to new risk. On multiple occasions, consumer banks have faced serious reputational and financial problems due to a third party error.3 If the service provider’s system crashes, customers could be left unable to access ATMs or mobile apps, resulting in lasting reputational damage for the bank. An institution’s responsibility to protect information does not end once that information is passed on to its vendors. If a breach occurs at a service organization, the bank could still be held responsible.4  Thorough vendor due diligence can help mitigate many of the risks created by outsourcing. All of these reasons make having a vendor management program more critical now than ever.

The AICPA created service organizational controls (SOC) reports to help with this. The recent AICPA changes to SOC reporting and examinations, including SSAE 18 guidance, will help banks conduct thorough and effective vendor due diligence. SOC reports, especially SOC 2 Type II, are also going to be critical in helping institutions thoroughly assess the controls of their high risk IT service organization vendors. Rising outsourcing has clearly increased the demand for confidentiality and information privacy assurance, and we expect this trend to continue for the near future.

1) AICPA. https://www.aicpastore.com/ManagementAccounting/GovernanceandRisk/PRDOVR~PC-CFS2/PC-CFS2.jsp  
2) Forbes. https://www.forbes.com/sites/baininsights/2018/06/26/how-banks-can-prevent-catastrophes/#6b29051f74db  
3) Axa. https://axaxl.com/fast-fast-forward/articles/banks-the-benefits-and-risks-of-outsourcing  
4) AICPA. https://www.aicpastore.com/Content/media/PRODUCER_CONTENT/Newsletters/Articles_2012/CPA/Jun/Easy123.jsp