Text of Recommendation

4. Control Weakness over Third-Party Oversight for XP2 Application Hosted by Fiserv (NCUA IT-20-04)

We noted that in performing its risk assessment, management did not adequately evaluate the System and Organization Controls (SOC) 1 report over Fiserv's XP2 application service provider environment. Specifically, management's risk assessment did not:

a. Identify and evaluate the NCUA's design and operating effectiveness of the Complementary User Entity Controls (CUECs) identified within the SOC 1 report.
b. Identify and evaluate the complementary subservice organization controls (CSOCs) identified within the SOC 1 report.
c. Obtain and perform an assessment of a bridge/gap letter to determine whether coverage was provided for the entire year.

NCUA's documented procedures do not provide detailed guidance on how to perform an assessment of a third-party service provider organization, specifically as it relates to the SOC 1 report, as required by Office of Management and Budget Circular Memorandum 16-17 (OMB M-16-17). As a result, the NCUA's annual assessment of controls related to XP2 was incomplete, as it did not consider all relevant aspects of the SOC 1 report during its evaluation.

| Field | Value |
|---|---|
| Recommendation Number | OIG-21-02/03/04/05 |
| Recommendation Status | Open |
| Significant Recommendation | No |
| Recommendation Questioned Costs | $0 |
| Recommendation Funds for Better Use | $0 |
| Additional Details Link | |
| Submitting OIG | |
| Linked Report | |