“Anyone who deals with large volumes of sensitive data in their business needs high-quality security, privacy and compliance controls, and periodic attestations on their effectiveness.” Speaking is Martino Braico, Senior Manager of pension funds and insurance portfolios at the Italian company Previnet. Initially, Martino was somewhat reluctant about the proposal to start SOC reporting, as he was concerned that Previnet’s entire operational model would be challenged by an external auditor. But the confidence shown by BDO convinced him.
What is Previnet’s core business?
Martino Braico: “Over the years, we have been able to reduce complexity in the management - call it administration from A to Z - of pension funds and insurance companies operating in different jurisdictions and countries. We offer a raft of outsourcing services and technological solutions to do so. We are one of the few service providers supporting IORPs (Institutions for Occupational Retirement Provision) and cross-border pension schemes. Thanks to our in-house technology experts, we build targeted IT solutions for this purpose, which we also implement ourselves at our clients.”
How can you be compliant in so many countries at once, all with their specific requirements?
Martino: “We have built a network of local consultants in the ten EU countries where we are active today. Thanks to one unique technological framework and a highly branched local network in each country, we can offer our clients tailor-made services and solutions, fully in line with national rules and requirements (including tax management). Today, we are already firmly established in Italy and large parts of Europe, but our ambition is to expand to even more countries.”
Does that make the story of requirements and regulations even more complex and time-consuming?
Martino: “True. That is one of the reasons why we started with SOC 1 and SOC 2 reporting for our company and services. SOC (Service Organisation Controls) reports are frameworks established by the AICPA (American Institute of Certified Public Accountants) for reporting on internal controls within an organisation. We were looking for an impartial, external evaluation (and possibly confirmation) of the strength of our business processes, our IT and security framework and our corporate governance.”
What is the importance of SOC reports?
Martino: “Those reports are essential for managing and monitoring the security of our administration processes and databases. We have auditors on the floor almost constantly, which means we have to invest a lot of time and resources. That was until BDO suggested anticipating all those audits and validation tests. We were not keen on the idea, but BDO knows the pension and insurance business extremely well and their open communication has always been productive. So we went for it, successfully. Despite the great effort we have to make every year to obtain the attestations, the time savings are, in the end, significant. After all, the various auditors who still come over now don't have to redo all the checks we already did with BDO. That saves us much more time and resources than we invest in it ourselves.”
And there’s more?
Martino: “SOC 2 in particular was useful for formalising a lot of information that was clear to everyone at Previnet but was not documented properly. Think of our values, code of conduct, objectives, policies, etc., which became very tangible that way.”
So the pension business never gets boring?
Martino: “Contrary to what many people think, it's not a boring environment. I have been working in the business for more than 25 years now and I still learn with every audit or client meeting. That keeps me motivated!”
Want more info on SOC reporting? Or about what you need to do to obtain these attestations?
Contact Christophe Daems, Partner Risk Advisory at BDO Belgium. He will be happy to help you.