Why Being SOC-Certified Is The Most Important Thing You Can Do For Your Business

Michael Reid
Feb 13, 2018

How can you trust anybody nowadays? Seriously.

In every facet of our lives, everything comes down to trust. And in business, for you and your clients, trust is everything.

As cloud computing has increased in recent years, so has the need to make sure your information is secure and isn’t just floating into the wrong hands. How do you know if people are doing what they say?

There is a way.

Remember Enron, the company that wasn’t the most honest in its accounting practices? Enron’s scandal and bankruptcy at the end of 2001 prompted a widespread outcry for greater corporate responsibility and ushered in the US Sarbanes-Oxley Act (known as SOX), a major reform of accounting and corporate governance practices. SOX was introduced to protect investors by improving the accuracy and reliability of corporate disclosures. It also created the Public Company Accounting Oversight Board to keep an eye on standards in public company auditing. However, this isn’t the first time there has been a federal push to keep businesses accountable. Let me introduce you to Service Organization Control reports (otherwise known as SOCs).

Think of SOCs as “trust audits” conducted by auditors from the American Institute of Certified Public Accountants (AICPA) to prove that vendors, large and small, are trustworthy. SmartSimple is SOC 2 certified and we wear it as a badge of honor. I’ll get to why in a little bit.

SOC 1 reports are simply the evolved form of the old “SAS 70” report, which service organizations could use to show they had adequate controls over their financial reporting. Since most big companies used software to track their finances, these SAS 70 reports often had a significant component dedicated to IT and system security controls.

Eventually, companies started using the SAS 70 as a way to prove they were safe and secure to work with. But the SAS 70 report wasn’t intended for that purpose, so when SAS 70 was re-branded as SOC 1, the AICPA created a new report, called SOC 2, intended to address information security specifically.

So in short, SOC reports have been around for a long time (SOC 1), but with the increased need for reporting on information and cyber security, SOC 2 has been introduced to meet that requirement.

How do you know if someone is trustworthy through an audit? Good question.

A SOC is a North American audit that’s assessed against a set of Trust Principles to ensure accountability across all departments and so earn client trust. When it comes down to it, each company has its own control points that must satisfy the Trust Principles. In our case, it’s important to us and to our clients that we’re hiring qualified and trustworthy people. So we do a criminal and credit check as part of the hiring process. And we’ve developed an internal compliance framework within our proprietary Universal Tracking Application (UTA) system so, on any given day, we can pull information that proves we’ve followed through on our background checks. This is one small but key way that we build our trust framework.

Your trust framework is there for your current and potential clients, and being SOC-certified clearly helps. Let’s face it, if an RFP asks if you are SOC-certified and you’re not, it’s game over.

So let’s say you want to get SOC-certified. Setting up a SOC audit is a complex process in and of itself. First things first, you work with the auditor to make sure you have the right control points.

Tip: When you undertake a SOC audit, you have to know your control points — so take advantage of the SOC-readiness part of the process to make sure you can do it in the first place.

Now, let’s break down the different kinds of SOC audits and the Types each one comes in.

SOC 1: A report on the controls at a service organization that are relevant to a user entity’s financial statements, provided to the auditor of those financial statements. Examples include: Payroll service providers, custodian services, fund administration, applications linked to financial controls.

SOC 2: Here’s where you set up systems of governance, risk and compliance programs; management oversight; due diligence. Examples include: Cloud computing, healthcare records management.

SOC 3: A consumer-facing subset of SOC 2 that makes it possible for you to share your audit results publicly.

Type 1: An audit that assesses your controls at a single point in time.

Type 2: An audit that assesses how your control points operated over a period of time (months).


In all honesty, major clients who know what a SOC is will ask you to provide it. It is the most standardized way of decreasing risk for your client, and most companies are all about managing risk. There’s absolutely nothing wrong with asking for SOC 2. It’s a good baseline benchmark when working with a vendor.

Tip: Don’t try to be grandfathered into SOC 2 just because you’re affiliated with a vendor who has one. That’s like saying, “Trust me, I’m not a doctor, but I know someone that is.” In the SOC world, it’s just as bad.

Now, remember when I said that SOC is a North American audit? This is important because the rest of the world tends to favor the audit system developed by the International Organization for Standardization (ISO) and its associated ISO standards, which predates SOX and SOC by more than 50 years. So European clients won’t generally consider your SOC. This is a major challenge for international companies (like SmartSimple) who need to comply with the preferred standards in different countries.

Here’s how we worked on this challenge:

Normally, obtaining ISO certification requires being audited by an ISO-accredited firm, such as the British Standards Institute (BSI). But the AICPA recently made efforts to expand the use of SOC 2 reporting to take account of other frameworks.

The “SOC 2 + Additional Subject Matter” report (aka SOC2 Plus or SOC2+) includes all the requirements laid out by the Trust Principles as in SOC 2, but allows service providers’ auditors to incorporate the standards of other compliance frameworks, including ISO standards, and report on those too. Engaging our SOC auditor to perform a SOC 2+ audit allows us to meet SOC 2 compliance as well as cover any gaps from the ISO standards.

The BSI has branches here in Canada where we conducted our SOC 2 audit and, by this time next year, we’ll have a SOC2+ report which covers both the AICPA’s SOC 2 Trust Principles as well as the ISO standards.

Why do we do all of this? Because it’s important. Trust is everything to us; that’s why we spend millions of dollars to make ourselves trustworthy. The flipside just isn’t an option.

Michael Reid

Since co-founding SmartSimple, I’ve learned software is biographical. So, I’m divulging my thoughts on what technology is, how it works, and why it matters.