Controls Assessment and Reporting for a Digital Asset Technology Firm

Key to our firm’s growth is our commitment to digital transformation. This powers the continuous development of our service delivery, enhancing how we support and communicate with clients. 

We strive to provide all of our services electronically, leveraging cloud technologies to deliver responsive, seamless solutions while streamlining our internal processes to maximise efficiency.

Some examples of how we have achieved this include:

We were engaged to perform SOC (Service Organization Control) 1 Type II and SOC 2 Type II examinations for a digital asset technology firm. This firm provides real time indexes for spot prices on various cryptocurrencies. 

The problem was that the customers of the client continued to request information about the controls at the client, or request on-site visits to inquire, observe and inspect controls and gather evidence to support their financial statement audits, customer information requests, and customer internal controls assessments. A significant time commitment was required for the client and their staff to respond to these requests either on-site at the client location(s) or via secure FTP sites.

The solution was to provide them with a SOC 1 Type II for their digital index platform for the customer’s financial statement auditors and a SOC 2 Type II for the security and availability principles that the client could send to their customers or prospects upon request. 

A SOC 1 examination is an independent assessment of the controls and processes implemented by our client that may impact the financial reporting of its customers. A SOC 2 is a type of audit that assesses the effectiveness of our client’s controls over security and availability of their index platform. Both SOC 1 and SOC 2 examinations are commonly conducted by an external auditor to provide assurance to the customers and their auditors regarding the effectiveness of the service organisation's controls.

For first time SOC clients, our approach is to work with the client to perform a SOC 1 and SOC 2 readiness assessment. The purpose of a readiness assessment is for us to assess the client’s current state of operations and determine its preparedness to establish and maintain an annual SOC. The assessment includes identifying the scope, controls already in place and those that should be in place, identifying the gaps and providing the client time to remediate those gaps prior to the start of the SOC exam period.  We are unable to put controls in place or remediate the gaps for the client, but we are able to identify those gaps and provide recommendations. It is the client’s responsibility to implement and maintain their own controls. 

In this case, once the gaps were remediated, the client was ready to move into the SOC examination phase. For the SOC 1 and SOC 2 examinations, we verified the scope of the SOC examinations, verified no changes to the control areas, presented an audit timeline, and set expectations from both us and the client. We worked with management to identify their controls to address each control objective through walk throughs, observations, and inspections of evidence. The controls are tested for suitability of design and operating effectiveness by us, and examination opinions were issued. 

The SOC 1 control areas included policies, new client set up, connectivity to the platform, index valuation, logical access, change management and backups of the data. The SOC 2 control areas included strategy and governance, organizational structure, processes and procedures, technology and tools, threat intelligence, monitoring and detection, response and recovery, and training and security awareness. Other security control areas included system access, change management, network security, data loss prevention, incident response, Wallet Management, Secure Key Management, Transaction Monitoring, Secure Infrastructure, API Security, Secure Authentication, Secure Data Protection, System Resilience and Business Continuity.

We recognised that in order to run our business more efficiently we needed faster access to data than is provided by standard practice management software. Working with a data analyst, and leveraging our existing data resources, we developed management KPI dashboards to provide real time information on:

• Work In Progress
• Fees
• Debtors
• Recovery
• Team Performance

 
These dashboards eliminate the need for reconciliations and complicated spreadsheets, giving our management team greater confidence that the data they rely on is accurate and up to date.