As we have all experienced, there has been a significant increase in the proliferation of cloud-based software applications in both our personal and business lives. From payroll processors to time and expense apps, cloud-based and other application options are widely available to help business consumers meet their needs.
The increase in available software options has led software companies to look for ways to differentiate themselves from their competition. An increasingly popular differentiator is to obtain a Systems and Organization Controls (SOC) report which addresses the internal control environment of the software companies to help ensure the application’s stability and security. Typically, the scope of these reports addresses general IT control procedures but does not include procedures to help ensure that the application is functioning as expected. In order to help confirm that an application is operating as expected, we have seen an increase in requests for us to perform Model Validation Reviews. As an independent third party, this review report can be a positive reaffirmation that the functionality of the application has been validated. These reviews are particularly popular for software companies serving the banking industry as banking regulators require banks to have an independent party verify the functionality and configuration of software applications used to identify fraud-related transactions.
Key steps in a Model Validation Review project include:
- Defining Scope – understanding how the application is utilized by customers and the functionality on which these customers rely. This step involves defining the scenarios under which the application operates and is critical to ensuring that the report will ultimately meet each customer’s requirements.
- System interface review – understanding how the application interfaces with the customer’s applications to receive or transmit information. This step involves reviewing automated and manual controls around the transfer of data and helps ensure that the information is transferred completely and accurately.
- Logic review – understanding how the logic in the application functions at a basic level to help ensure its consistency with the expected automated procedures
- Operational review – understanding how the application processes transactions to help ensure that the procedures performed are consistent with expectations. This step usually involves testing a sample of transactions through the application.
These review procedures are performed under the guidelines of the Standards for Consulting Services Standard No. 1 of the American Institute of Certified Public Accounts (AICPA).
Upon completion of this project, we issue a report to management that includes a detail of the review procedures performed (with the level of detail defined by management) and the results of those procedures. The report is written in a manner so that customers can fully understand how the procedures performed relate to the elements of the application that they see when operating it on a daily basis. The overall outcome is expected to provide these customers with a comfort level that the application is operating as intended as determined by an independent party.
If you believe that your company could benefit from a Model Validation Review, we’re happy to discuss our process with you and share insights that we’ve gained from projects completed to date. If you have any questions, please reach out to us at 512.610.7200.