Is it time for your company’s next SOC 2 examination?

If your company is like Strunk, then a SOC 2 exam is an annual topic of conversation and the certification from your CPA firm is something you proudly provide your clients. At Strunk we have built a full-featured solution to help not only manage the policies your organization follows but to tie those policies back to the AICPA’s criteria and to your company’s own internal control procedures.

A SOC 2 audit can be time-consuming, frustrating and burdensome. Strunk’s Policy Manager and Controls Manager modules can put much-needed structure around this process. We keep on top of changes to the AICPA criteria so that you don’t have to. If changes need to be made to your existing policies as a result of any of these updates, you can easily address those within our software, and all modifications and approvals will be captured in our logs. The application will remind specific users within your organization when control activities need to be tested, and the solution even supports breaking up this activity throughout the year so that your team is not focused on such a large task all at once.

The implementation with Strunk is extremely straightforward. Your company will submit your current policies for upload and creation within our system. If you are missing policies in any area we will provide you with a template document for you to customize but you will not need to start from scratch! We will work with your team to map these documents to the AICPA criteria in our solution.

Most companies are using Excel to track control activities. We ask that you simply provide this list of test procedures and we will set them up within the solution as well. Our Policy Map will provide a linked relationship from criteria to policies to controls. Once all of your company specific information has been uploaded and created we will host a training webinar for your team. It’s that simple.

Let Strunk help simplify and organize this process for you so that you can focus on what you do best – serving your clients.

Testing Employee Policy Knowledge

How often do you check to see if your employees know what policies or procedures your financial institution has in place? Security and ethics policies should be read from time to time, and compliance with those policies should be tracked.

Strunk’s Skills Manager program is one module of our overall Risk Management solution. It gives you the ability to set up templates for course study, take tests to ensure knowledge of a policy or procedure and track the results of the tests to provide a pass/fail result.

Skills Manager is a unique tool that can be used by the human resources department for company-wide deployment or by individual departments of your organization. PowerPoint slides can be imported and set up to discuss product knowledge, and then each employee can be assigned a test to see if they are knowledgeable about certain policies and procedures.

The tracking of the results within Skills Manager is important for audits and certifications. Through Strunk’s Policy Manager solution, reader logs can be tracked to ensure that your employees are reading pertinent policies. Then through Skills Manager you can test to see if your employees understand those policies.

Strunk’s solution to risk management includes Risk Assessor, Policy Manager, Controls Manager, Vendor Manager, Issues Manager and Skills Manager along with our Overdraft Privilege Manager program. Contact us to learn more.

Ensure Contract Completeness with Strunk’s Contract Review

Having a well-written contract with your vendor is a critical aspect of your vendor management life cycle. The contract is important as it sets forth the terms and conditions of the relationship with the vendor. Vendor contracts are legal agreements that clearly set forth the provisions and conditions of the work or services that the vendor provides. Because the contract is the foundation for the relationship with the vendor, a complete contract review should be done before the agreement is signed.

Strunk has created a Contract Review feature in our Vendor Manager solution to help ensure your contract does not have any gaps and that each provision is understood with clear expectations. Contract Review will assist in clearly identifying what each party’s role is and who is responsible for each area. This will prevent any issue between the financial institution and the vendor. Regulations require that contracts contain key provisions such as confidentiality, service level agreements, and mutual rights and responsibilities. A thorough review of your vendor contract should be done both prior to signing a new contract and while reviewing existing contracts for renewals. Strunk’s Vendor Contract Review will help clients address significant risk controls and regulatory compliance within each of their vendors’ activities.

Are your User Accounts up-to-date?

Part of effectively using Strunk’s cloud-based Governance, Risk Management and Compliance software is regularly reviewing, maintaining, and updating your user records and access. Our software provides your administrators with tools to make this process easier, rather than updating user records one by one. However, admins always have the option to view and change an individual user’s record and access rights.

A list of all users can be exported as a PDF for reporting purposes. In addition to the basic user information, it also includes each user’s roles and last login. To simplify adding new users and deactivating former employees, an automatic User file import can be set up. Once configured, a file containing all current users will be uploaded and processed on a scheduled basis. This allows you to add and deactivate users in a timely manner.

For other maintenance of existing users, admins can export the current user list to an Excel file. Any necessary updates can be made directly in the file and an admin will import the updated file to make the appropriate changes in the software.

Please contact Strunk Support at support@strunkaccess.com with any questions or for training on these helpful features. It is easier than ever before to keep your information up to date.

Solve your SOC 2 Anxiety

Getting a SOC 2 report and examination is only part of the battle; keeping up with your stated obligations and consistent re-examination means your company has to live a SOC 2 life. Throughout the year, testing, reviewing, and revising controls can take up a substantial portion of time and attention. Utilizing Excel spreadsheets, PDFs, and Word docs can lead to a nightmare of version control and compatibility issues. Utilizing proven techniques to manage your SOC 2 can and will cut down on your time utilization and stress surrounding your consistent re-examination.

The average SOC 2 examination can take around a month of document negotiations with your auditors, followed by a week-long in-house exam. Utilizing a strong system that contains all of your pertinent information empowers your auditors with easy access to vital information while having a minimal impact on your daily routine. This information flow allows your auditors to see your control framework and testing schedules, as well as the results and evidence for those tests, giving the auditors a nearly perfect picture of your company’s readiness.

While the perfect SOC 2 examination can be hard to attain, it shouldn’t be difficult to maintain. Strunk’s GRC is one of the few tools that help to walk your company from new SOC 2 to expert. Our tools are able to help inform your process and reduce the time and effort you pay toward yearly SOC 2 obligations. Our platform has a full set of template SOC 2 policies and controls, as well as one of the most thoughtfully crafted framework management systems on the market.

Power your team through continuing education with Strunk’s Skills Manager

If you are a Risk Assessor or Policy Manager user today, you may not be aware that Skills Manager is packaged with your solution. In order for your organization’s policies to be effective, your employees need to know the material. Skills Manager also lets you determine if your employees remember key aspects of those policies by periodically testing employee knowledge.

Through its Courses feature Skills Manager provides simple online training experiences to help your employees brush up on key policy details. For this online training you are able to create a library of training slides, either from text or exported from PowerPoint. You then will combine slides to develop courses and assign courses to your employees. It’s that simple! Users will then take courses via our online portal, with the ability to stop and pick up where they left off as needed prior to the due date.

Once Courses are complete you can then use the Exams module to test employee knowledge. Like Courses, you will create a library of exam questions that you can then assign to exams and then exams to users. Subsequently you will set parameters for frequency with which users must take exams and set parameters for a passing score or merit score. Your employees can show their knowledge of the material within each Course.

Strunk CEO Dan Roderick says “We launched Skills Manager V2 earlier this month and it’s easier to use than ever! It’s a great way to test employee policy knowledge and document results – particularly on those policies where periodic employee acknowledgement is required.”

Skills Manager also contains a user searchable document library for storing relevant reference materials that can be used as needed throughout the year.

The importance of a thorough risk management process

Managing risk is a fundamental process for any business and is crucial to achieving ongoing success for any company. Strunk’s Risk Manager solution provides a systematic process to ensure that your organization 1) knows your risks, 2) has policies to mitigate key risks, 3) is able to verify that policies are followed, and 4) can easily prove to others – management, board, examiners – that you follow this structured process. Risks may hinder or even prevent your business from achieving its goals, or cause operational disruption, financial loss, or escalating cost. By performing a risk assessment, you can mitigate key risk indicators by taking them into account early on and developing action plans to reduce and effectively manage risk.

Risk management should not be confined to just one department in the organization or be the sole responsibility of a certain group of employees – it should be an integral part of everyone’s job. Strunk’s Risk Manager software will allow you to involve as many individuals in your organization as you like in the risk management process, keep all of the key components of your risk management process in one place, and gain a better understanding of the nature of the risks facing your organization. Many Risk Manager clients use only one or two modules and are not making full use of the entire solution. Using all of the modules in Risk Manager will help you establish a more cohesive and stronger risk management environment. The new Version 2 of Risk Assessor is available and can help streamline your risk assessment process even further and save time. If you are a client that currently has Version 1, Strunk can help transfer results from Version 1 into Version 2 for no additional cost. Also, if you have staff members that have not yet been trained on any of the Risk Manager modules because they are new or their job responsibilities have changed, Strunk will do additional web-based training for no additional charge.

Tracking Issues and Incidents at Financial Institutions

During the course of the daily operations of a bank, “issues” or “incidents” arise and tracking them should not be difficult or cumbersome. Managing the resolution of the problem should be tracked and Strunk’s Risk and Issues Manager solutions may be just what you need.

“Issues” that need to be addressed could come from an outside audit, a regulatory exam, a risk assessment or from vendors you do business with. Identifying an issue may be easy, but putting a tracking solution in place that assigns ownership, provides a time stamp, departmentalizes the problem, prioritizes and assigns a corrective action plan can be more difficult. Many financial institutions use Excel spreadsheets, and they may be hard to keep track of. Keeping a log of the issues is imperative for senior management and your audit team.

“Incidents” can occur in a variety of ways and they could include a system breach, attempted hacking of your website, or a debit or credit card could be compromised. Similar to issues, incidents should be resolved in an organized and timely manner and they should be tracked for audit and regulatory review.

Strunk’s ERM program includes an “issues” and “incident” tracking solution that is easy to use. It gives you the ability to attach documents, assign priority and due dates, and track the status of the problem. Reports are generated for auditors and for external use. Email alerts are sent to the owner of the issue and they can be “time based” or “update based”. “Time based” is determined by the due date or past due date. Alerts based on an “update” send an email to the owner when the status is changed to “complete”. Employees on a “notify list” can be alerted as well so that each person along the way knows what the status of the resolution of the issue is.

Providing simple easy-to-use solutions for risk and resolution management is what Strunk does.

Strunk is pleased to announce addition of FFIEC CAT Tool assessment component

Financial institutions are at risk for an increasing amount and sophistication of cybersecurity breaches and threats. For this reason, the Federal Financial Institutions Examination Council (FFIEC) created a Cybersecurity Assessment Tool to help institutions identify the risks they face and to be sure they are prepared in the event they are faced with one of these events.

Strunk is pleased to announce the addition of this FFIEC Cybersecurity Assessment Tool to its Risk Assessor module. The feature is comprised of both the Inherent Risk Assessment and Maturity Assessment sections. Maturity Assessments are organized into domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience. Users must score their organizations on each question to determine their overall risk level. The Strunk approach to the assessment streamlines an otherwise cumbersome process so that financial institutions can much more easily complete these assessments and identify their maturity level.

Strunk CEO Dan Roderick says, “The FFIEC CAT is required for all financial institutions annually, so we are very happy to add this feature to Risk Manager at no additional charge to our clients.”

Clients have been using Risk Assessor to complete regulatory required internal risk assessments in days rather than weeks. The solution is preloaded with key risk indicators for BSA, ACH, Fair Lending, Cybersecurity, Compliance, Asset Quality and much more. Call report data from your institution is automatically uploaded to the program quarterly to substantiate the risk. Concise board reports are easy to read and understand, highlighting areas of high risk your bank faces.

Current Risk Assessor clients will receive the FFIEC CAT Tool for no change in their annual fee.  Please contact us if you are interested in viewing a demo of the tool.

No better time to implement a Cloud-Based GRC Solution

Over recent weeks, the ongoing spread of the COVID-19 coronavirus has forced companies around the country to make difficult decisions about how to protect their employees — as well as their communities as a whole.  In an effort to halt the spread of the virus, many organizations are instituting mandatory work-from-home (WFH) policies, engaging with new cloud service providers, and shifting resources toward supporting an expanding remote workforce.  The fast-moving, global reach of the coronavirus has illustrated that a forward-looking approach to risk management is more important than ever. Having a cloud-based tool that streamlines your compliance process should be in all companies’ future strategic discussions.

Strunk offers many great automated cloud-based solution tools that streamline compliance and risk management for our clients. There are many benefits to these cloud-based solutions, especially in today’s environment where so many employees are working from home. Our software is simple to implement, easy to access, very flexible and is reliable in terms of backing up data for your employees who are at different locations. Implementing Strunk’s Risk Assessor, Policy Manager, Issue Manager and Vendor Manager software does not require extra hardware or software. Implementing these tools can be done while business continues as usual, which requires no downtime at all. Strunk has created a new Version 2 of our Risk Assessor which is available to everyone. Risk Assessor helps our clients complete risk assessments consistent with appropriate regulatory or standards body frameworks in days, instead of weeks. Clients are able to upgrade for free from Version 1 to Version 2 and Strunk will help transfer results from your current Version 1 assessments.

Given the current coronavirus pandemic, the need for companies to centralize their policies and vendor management is more critical than ever. Strunk’s Policy Manager software will organize hundreds of policy documents spread across different computer and file systems into a single editable database. With employees working remotely, Policy Manager gives employees easy access to the company’s policies, and with the established review dates the system will remind employees to review the policy and make changes. Centralizing your vendor management process with Strunk’s Vendor Manager software will automate the process, which reduces administrative burden and saves time while giving employees who are working remotely access to vendor due diligence, providing a practical framework for deciding which vendors to assess in depth, assessing the risks each vendor presents, and monitoring each vendor’s performance.

Also, Strunk is offering additional free web training for our clients’ employees. There is no better time than now to get employees who are new or have changed job responsibilities trained on any of Strunk’s GRC software.

An independent certified public accountant has examined Strunk’s operations and found them to be in compliance with the AICPA’s Trust Service Principles. It was determined that Strunk meets the Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria for SOC 2 established by the AICPA.