Recent changes to the Federal Deposit Insurance Corporation Improvement Act (FDICIA) thresholds have exempted hundreds of community banks from required attestations on internal controls over financial reporting (ICFR). But don’t celebrate yet! Barring any exemptions for Emerging Growth Company status, if your financial institution is a public company with a public float exceeding $75 million and revenues exceeding $100 million, you will be subject to the more rigorous demands of the Sarbanes-Oxley Act (SOX). In the current high-interest rate environment, we’re seeing banks as low as $2 billion in assets exceed these thresholds.

While both frameworks aim to strengthen internal controls and financial reporting, SOX introduces a significantly higher level of scrutiny, documentation, and executive accountability. For audit leaders, this transition presents an opportunity to enhance the control environment while demonstrating value to the board and external stakeholders.

Filer Status and Key Deadlines

Under SOX Section 404(a), all public companies must have management assess and report on ICFR. Section 404(b) adds the external auditor attestation for accelerated and large accelerated filers. A company is considered an accelerated filer when its public float is between $75 million and $700 million and its annual revenues surpass $100 million.

See the full SEC guidance for:

• Definition and eligibility of a Smaller Reporting Company (SRC)
• The public float test
• How annual revenue is determined

Refer to the chart below for filing status and deadlines.

Note: For banks and similar financial institutions, total revenues include all gross income from traditional banking activities—such as interest on loans and investments, dividends, loan origination fees, trust and investment service fees, commissions, brokerage fees, mortgage servicing income, and other banking-related fees.

What to Expect During the Transition

Banks approaching SOX compliance are encouraged to begin preparations well before the requirements become mandatory. Taking early action can help avoid reportable deficiencies during the first year of compliance and ease the adjustment to more demanding regulations.

Preparing for SOX compliance introduces a more intensive audit and control environment. Institutions can expect several changes, including:

• External audit opinions on control effectiveness
• Implementation of required new controls
• Expanded documentation (risk control matrices, flowcharts, narratives)
• Deeper understanding of data flows and in-scope systems
• Increased emphasis on data reliability, completeness, and accuracy
• Enhanced testing of control design and operating effectiveness
• Additional independent testing to confirm remediation of control weaknesses

The Importance of Strong Internal Controls

In addition to compliance, strong internal controls reduce risk and protect a company’s reputation. They serve as a frontline measure for accuracy, reliability, and security across business processes. With thoughtful design and consistent application, these controls can limit the likelihood of mistakes or irregularities that might otherwise lead to financial setbacks or regulatory issues.

A mature control environment reflects a company’s dedication to transparency and responsible operations. This commitment can strengthen relationships with investors, customers, and employees by reinforcing confidence in how the organization is managed. Conversely, when controls break down, the consequences can negatively affect investor trust and competitive standing. By building a resilient framework, organizations position themselves for long-term credibility and sustainable growth.

We Can Help

While FDICIA compliance may have established the basis for sound internal controls at your institution, SOX compliance requires coordination across finance, operations, IT, and governance teams.

At Elliott Davis, we have extensive experience assisting banks nationwide in preparing for FDICIA and SOX compliance. Our Financial Services ICFR program includes four pillars:

If your internal audit team is preparing for SOX, or simply wants to advance its ICFR program, contact Elliott Davis today to schedule a readiness consultation.

‍

‍

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.

High-volume loan portfolios operate in environments where speed, automation, and scale define the business model, but they also introduce control risks that can materially impact financial reporting, audit readiness, and investor confidence. Specialty finance companies, especially installment lenders in the subprime and near-prime segments, process thousands of small balance transactions across highly automated, multi-system environments.

For executives balancing growth targets, operational costs, risk appetite, and regulatory expectations, the strength of the internal control framework often determines whether the organization can scale safely and withstand scrutiny from auditors, rating agencies, private credit investors, and regulators.

Why High-Volume Lending Requires a Different Control Mindset

In specialty finance, risk is driven by transaction volume. When tens or hundreds of thousands of small-balance loans move through automated decisioning, pricing/booking engines, and third-party servicers, even minor recurring errors can quickly become material.

Most lenders operate across multiple independent systems for origination, servicing, the general ledger, data warehouses, and current expected credit losses (CECL)/fair value models. These disconnected environments demand strong controls around:

• Data accuracy and reliability, lineage, and system logic
• Consistent, cross-platform change management
• Reliable exception detection and timely remediation
• Servicer oversight, including System and Organization Control (SOC) reports, complementary user-entity controls (CUECs), service-level agreements, and performance metrics

Since data moves between these platforms, a single break in logic, mapping, or data quality can quickly affect revenue recognition, loss forecasting, valuations, and disclosures. The risk compounds when outsourced servicers, collectors, or underwriting providers introduce data issues, making structured oversight and data-quality monitoring essential.

Executives who treat these challenges as operational realities consistently see stronger results in revenue accuracy, loss forecasting, liquidity planning, and portfolio valuation.

Core Control Themes That Matter Most to Auditors (and Investors)

These are the control areas where specialty finance lenders most often see internal and external exam findings, internal controls over financial reporting (ICFR) deficiencies, and operational surprises.

1. Loan Boarding & Data Completeness

Boarding errors distort every downstream process, including interest income, CECL, fair value, collections, and disclosures.

Strong lenders:

• Reconcile boarded loans to executed contracts and funding reports
• Validate key terms (APR, term, payment schedule, collateral) before and after boarding
• Control and monitor manual overrides or post-boarding edits
• Use exception reporting and resolution processes

2. System Interfaces & Data Transfers

Interfaces are a top source of audit findings. Even minor breaks cause mismatches in balances, statuses, or aging.

Key controls:

• End-to-end automated interface validations
• Completeness and accuracy checks on data uploads and downloads
• Governed mappings and transformations
• Documented change controls for batch processing failures and error logs
• Information technology general controls (ITGC) change management controls related to automated processing

Executives should expect evidence that data moved completely and accurately, not merely that a job ran.

3. Interest Income, Fees & Effective Yield

Installment lenders often operate with complex pricing structures like origination fees, credit insurance, ancillary products, deferrals, promotions.

Auditors focus on:

• Proper fee classification (capitalized at origination vs. revenue)
• Accuracy of effective interest rate calculations
• Monitoring of system-generated interest accruals
• Proper controls over fee amortization and revenue recognition

Even minor configuration errors can affect yield, revenue, and capital adequacy calculations, requiring revenue restatements and updated model inputs.

4. Credit Risk & Valuation Model Governance (CECL / Fair Value)

Your CECL and fair value outputs are only as reliable as the underlying loan-level data.

Executives should verify:

• Clean data lineage from servicing systems into models
• Documented model validation, periodic back-testing, and sensitivity analyses
• Approval workflows for model changes, overrides, and parameter updates
• Independent review of overlays to avoid management bias

Recent accounting changes, including the expansion of the gross-up approach for purchased loans, have increased documentation and governance expectations for CECL and fair value models.

For more detail, see ASU 2025-08: What Specialty Finance Lenders Need to Know.

5. Cash Application & Collections

High-volume payments and alternative payment channels, such as lockbox services, online portals, and digital wallets, increase risk and require:

• Daily reconciliation of cash receipts to servicing and bank data
• Tight control of unapplied cash and suspense accounts
• Segregation of duties for handling, posting, and reconciliation
• Monitoring of reversals, chargebacks, and returned payments

6. Charge-Offs, Modifications & Recoveries

Weaknesses in these areas directly impact the Profit and Loss (P&L) statement and allowance.

Look for:

• Clearly defined, consistently applied charge-off rules
• Controlled modification processes with oversight for hardship programs
• Accurate tracking of post-charge-off recoveries
• Approval workflows for non-standard adjustments

These controls are under increased scrutiny given their direct impact on earnings quality and reserve adequacy.

Where Lenders Most Commonly See Internal Control Gaps

From recent specialty finance audits, common themes include:

• Overreliance on system-generated reports without validating parameters
• Poor documentation of manual adjustments
• Weak reconciliation discipline across loan sub-portfolios
• Limited review rigor and insufficient precision over CECL and fair value outputs
• Insufficient monitoring of servicer performance and data

Most gaps emerge when growth outpaces control maturity.

Key Takeaway for Executives

In high-volume lending environments, controls that scale with growth, automation, and system complexity can:

• Trace loan data end to end, from origination to servicing to the general ledger to CECL/fair value reporting
• Map interfaces and reconciliations with clear ownership, frequency, and escalation paths
• Strengthen model governance by formalizing assumption reviews, overlays, and validation routines
• Review SOC reports thoroughly to confirm all outsourced ICFR relevant processes are covered
• Align finance, operations, and IT so cross-functional controls remain scalable as volumes rise

We Can Help

Specialty finance companies that invest in data integrity, system governance, and third-party oversight consistently outperform peers and are better positioned for acquisitions, capital raises, or IPO preparation.

Our Specialty Finance professionals have decades of experience and can help you stay compliant and enhance your control environment.

‍

‍

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.

Most banks, credit unions, alternative lenders, and fintechs rely on automated scanners as the starting point for web application testing. These tools flag known weaknesses at scale and give teams a baseline sense of health. However, surface-level scans are often mistaken for full penetration tests, giving institutions a level of confidence that doesn’t match their actual risk posture.

The problem is attackers don’t behave like scanners. They don’t follow rules, and they don't limit themselves to known issues. When financial institutions rely on automated scanning alone, they miss the nuanced, real-world exploitation paths that lead to fraud and unauthorized account access.

What is Penetration Testing?

Penetration testing is a simulated cyberattack performed by security professionals to identify weaknesses in an organization’s systems, networks, applications, and people. The goal is to understand how a real attacker might gain access, move through the environment, and exploit vulnerabilities so organizations can fix issues before they are used maliciously.

Why Automated Scanning Is Not Enough for Financial Institutions

Modern financial applications, whether public-facing portals, digital banking platforms, lending systems, or fintech onboarding flows, are built on layered, interconnected business logic. They handle the most sensitive actions customers rely on:

• Applying for or servicing loans
• Initiating transfers, wires, and card-not-present transactions
• Navigating approval chains in commercial or specialty lending
• Managing account permissions across households or business entities

Automated scanners can identify known patterns, but they cannot understand how a financial workflow is supposed to operate or how someone could twist that workflow into a path for fraud. They can also miss risks introduced through third-party integrations, where an external API or vendor module behaves differently than your internal process expects.

Automated tools cannot see that a teller should never act like a branch manager or recognize when two harmless issues combine into a serious vulnerability. They can’t determine whether a workflow allows someone to bypass required review or approval. This is where only a person through hands-on testing can follow the logic of a financial process and question what should (or shouldn’t) be possible.

A Real-World Example: When a Small Oversight Created a Big Risk

A financial services company was growing and working to keep pace with customer expectations. They engaged Elliott Davis to perform a web application penetration test on a new client portal. Automated scans showed nothing alarming, no critical findings or anything that suggested meaningful risk.

During manual testing, something felt off. The portal included a feature meant to protect customers by letting third-party administrators restrict account access to trusted IP addresses. On the surface, it worked as expected. A privileged user could select an account and apply restrictions, but the process still didn’t seem right.

When testing how the system handled those selections, our team realized the application trusted what it was told rather than verifying who had permission to act. With a small tweak in how the request was sent, an external user could self‑register an account and use it to modify access-control settings for accounts they were never meant to touch.

For a financial institution, this was a case of access control manipulation, a leading precursor to fraud events.

If exploited:

• An attacker could weaken protections on high-value customer accounts
• Fraud controls could be silently bypassed
• Unauthorized access could appear legitimate
• Activity could continue unnoticed because no alarms were triggered

Instead of breaking in, an attacker could simply use the system's own functionality in an unexpected manner. The only way to discover it was through hands-on testing.

The Higher Stakes for Financial Institutions

Financial platforms are unique because the real risk isn’t constrained to data exposure, it extends to money movement, account control, and trust. A weakness that might be a medium-risk finding in another industry could be a material fraud risk for a financial institution.

Think about the types of damage that result from logic flaws:

• Unauthorized transfers or withdrawals
• Fraudulent loan adjustments
• Manipulated approval chains
• Compromised business accounts
• Hours or days of customer service downtime
• Regulatory scrutiny and corrective action

These are the kinds of issues financial crime teams and operations teams fight every day.

Quick Test: Did You Receive a True Web Application Penetration Test?

Ask yourself:

• Were financial workflows (loan applications, transfer steps, wire initiation, card activity, business approvals) actually tested?
• Was role separation tested across the full platform?
• Did the report describe realistic fraud paths, connecting the dots between seemingly small issues?
• Were findings validated with clear, practical examples demonstrating attacker behavior?
• Were APIs, third-party integrations, and identity flows included?

If not, your assessment may have been largely automated.

We Can Help

Elliott Davis provides web application penetration testing that helps financial institutions uncover fraud risk, protect account integrity, and understand how attackers exploit real-world financial workflows. We combine automated tools with hands-on testing and deep industry experience to reveal weaknesses scanners alone miss. Our findings are then translated into clear, actionable guidance that helps your teams strengthen security and reduce risk.

If your last test felt like a stack of scanner output instead of a meaningful evaluation, contact us for an assessment that delivers real results to better protect tomorrow.

‍

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.