SOC 2 Compliance: What is it and Why Should You Care?
It can take a village of service organizations to support a business. In other words, no matter how self-sufficient a company is, chances are it depends upon a myriad of other companies like payment processors, web hosting companies, eCommerce platforms, CRMs, and more.
Each point of contact can present a variety of risks. Some supporting organizations have access to sensitive information about your business and customers. Others provide the engine that makes your company run. What happens if a particular service provider goes down? Would your company grind to a painful halt? Would your customers find their credit card information in the wrong hands? How do you know the provider has a plan to minimize that risk?
System and Organization Control (SOC) compliance helps to answer these questions. When a company is SOC compliant, it means a third-party CPA has attested to the company having appropriate controls for important factors like security and availability. Companies that go through the SOC compliance process are showing a commitment to keep customer data secure and their services running. In this article, we’ll talk about what SOC compliance is and why it matters.
What is SOC Compliance?
The American Institute of CPAs (AICPA) developed the SOC reporting framework to help companies assess the risks of relying on service organizations. Each SOC 2 report includes a detailed description of the service offering and the controls the organization has put in place to meet the security criteria and any other criteria in scope. A Type II report also includes a description of the auditor's tests and any control deviations (exceptions) found during the reporting period. Customers can use this information to decide whether any control gaps or exceptions noted by the auditor pose a risk to their own business.
There are several different types of SOC programs, including:
- SOC 1 for internal control over financial reporting
- SOC 2 for the trust services criteria (security, availability, processing integrity, confidentiality, and privacy)
- SOC for cybersecurity
- SOC for supply chain
SOC 1 applies to service organizations whose services affect their clients' financial reporting, such as payroll processors, loan servicers, and medical claims processors. SOC 2 applies to other types of service organizations, such as SaaS companies and B2B eCommerce vendors. We'll focus on SOC 2 compliance today.
SOC 2 compliance requirements are built around the trust services criteria (formerly called trust services principles). Businesses choose and build controls to uphold security, availability, processing integrity, confidentiality, and privacy. Security is the only criterion that must be included in every SOC 2 report. Some businesses add one or two of the other criteria, while others include all five. It depends on what the company does and which criteria are relevant to its customers. In some cases, a company obtains both SOC 1 and SOC 2 reports.
SOC 1 and SOC 2 reports can be broken down further into Type I and Type II. A Type I report describes the controls in place as of a point in time and whether they are suitably designed for the intended outcome. A Type II report covers a period of time and includes the auditor's testing of whether the controls operated effectively throughout that period. In practice, a company sets up its controls, obtains a Type I report to validate their design, and then obtains Type II reports covering successive six- to twelve-month periods to show that the controls keep working.
What Does it Take to Become SOC Compliant?
It can take a lot of work for a service organization to set up appropriate controls to become SOC compliant. First, the company decides which of the five trust services criteria will be in scope; security is mandatory, and the other four are added as applicable. Then it builds a system of policies, tools, and procedures to implement the controls for each criterion in scope.
For example, the company may install better cybersecurity tools, increase employee training around information security, set up backup power systems, and create plans for different types of failure events. The company may work with CPAs and specialized compliance firms to develop the right controls. During development, the company may also self-assess its controls with specialists periodically.
Once the controls reach a satisfactory level, the company engages a CPA firm for a formal SOC 2 Type I audit to validate the design of the controls. For example, if a security control involves deploying endpoint protection software, the auditing firm will evaluate the deployment and configuration of that software to confirm that all in-scope systems are covered. After the Type I report, the company operates and monitors its controls for an observation period, typically six to twelve months, and then requests a SOC 2 Type II audit to test how the controls actually operated during that period. Enterprise customers commonly require a SOC 2 Type II report before they will onboard a vendor.
Individual audits can cost tens of thousands of dollars. That doesn’t include all the hours spent and infrastructure built to accommodate a high level of control in each area. In the end, it’s worth it for the organization to gain third-party attestation as a trustworthy service partner.
Why Does SOC 2 Compliance Matter?
Even if your own security program is mature, each vendor that has access to your data, or whose outage could significantly disrupt your operations, needs strong security controls that are actually implemented, not just documented. If not, that vendor becomes a path for exposing your data, or your customers' data, to attackers.
Think about the service vendors your company uses. Do you trust that they are all secure and reliable? A company can be reliable without being SOC compliant, of course, but the SOC reporting system provides third-party attestation. Without it, you may have to perform your own audit of a new service organization to make sure it meets your requirements.
Even smaller companies can benefit from working with SOC 2 compliant service providers. A compliant provider has had its controls for security, availability, processing integrity, confidentiality, and privacy independently tested, which is the kind of assurance large enterprises demand. Those are all important aspects of any business partnership. Don't you want your data to be as secure as possible? And if you choose a SOC 2 compliant provider now, your business has room to grow. You don't have to worry about outgrowing that provider and having to seek a new one any time soon.
Is Your Data in the Right Hands?
SOC 2 trust principles like security, confidentiality, and availability will only grow in importance as the world continues to become more connected. Compliant service organizations have already done their work in these areas. TrueCommerce understands the importance of SOC compliance and utilizes SOC 2 compliant data centers, fully redundant systems, and disaster recovery procedures to enable 99.9% uptime for its customers.
To succeed in this economy, you’ve got to do business in every direction. And to connect your business with other companies, you need to know that your data and processes are safe. Reach out to us today to learn how you can make your company more secure and open new channels for growth at the same time.
Go Wherever Business Takes You with Unified Commerce from TrueCommerce
Increase sales, decrease costs, and get back time in your day with solutions that make your business more connected, more supported, and more ready for what's next.
About the Author: Aaron Spring is the Chief Information Security Officer for TrueCommerce. His 25-year career includes a wide range of experience as a systems administrator, developer, and IT leader. Aaron spent over 20 years helping to build TrueCommerce subsidiary Datalliance before stepping into his current role leading the TrueCommerce security program. He likes to spend his spare time with his family enjoying the beauty and many attractions of his hometown of Cincinnati, OH.