SOC 2 – Trust Services Criteria
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
Similar to a SOC 1 report, there are two types of reports: a type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is restricted.
Information provided by aicpa.org.
What is SOC 2 and why is it important?
The Service Organization Control (SOC) 2 Type II examination demonstrates that an independent accounting and auditing firm (in PrimeNet’s case, 360 Advanced) has reviewed and examined an organization’s activities and control objectives, and has tested those controls to ensure that they are operating accurately and effectively.
SOC 2 is based on Communications, Policies, Procedures and Monitoring. The specific Trust Service Principles outlined below must be met in order to achieve certification.
- Security: The system keeps controls in place to protect against unauthorized access (both physical access and electronic transmissions).
- Confidentiality: Information that is designated as “confidential” by a user is protected.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely and authorized.
- Privacy: Personal information is collected, used, retained and disclosed only in accordance with the operation’s privacy notice and principles set by the American Institute of Certified Public Accountants (AICPA).
There are two types of SOC 2 reports: Type I and Type II.
The Type II report is issued to organizations that have audited controls in place and whose control effectiveness has been audited over a specified period of time. The Type I report is preliminary to the Type II report and is based on the ability to test and report on control design. Type I reports are issued to organizations that have audited controls in place, but have not yet had the effectiveness of those controls audited over a period of time.
Why is SOC 2 auditing important, and why does it matter?
Type II certification consists of a thorough examination of an organization’s internal control policies and practices, by a third-party firm, over a specified period of time, typically six months to one year. This independent review ensures that the organization meets the stringent requirements set forth by the AICPA. When trusting applications with highly sensitive and confidential information, such as passwords, documents and secure images, obtaining high-level certification is imperative.
How does SOC 2 impact applications?
Software and applications developed by a SOC 2 certified organization must be developed following closely audited processes and controls. This helps ensure that applications and code are developed, tested, reviewed and released in accordance with the AICPA Trust Services Principles. The final result is an application that supports the highest level of trust and security.
How does SOC 2 impact users?
When a company works with a third party that has been granted access to any type of system the customer owns, this creates some level of internal control risk. The type of access granted to a third-party vendor and the type of systems it has access to ultimately determine the level of risk for the organization. Even the smallest data breach can become a substantial issue for a large company if it has inadequate internal control policies and systems.
By working with a SOC 2 certified vendor, users can ensure that data is kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles.
To obtain more information on PrimeNet’s SOC 2 audit report, please call 1-800-826-2869.