Making the decision to entrust an outsourcing provider with your critical business documents can be an anxiety-ridden experience. You worry about the security of your data and understand the importance of completing thorough due diligence, but may find it difficult to evaluate a service provider’s information systems and controls effectively. Being SOC 2 Type II audited is one way that service providers can give you specific assurance about their information protection procedures and how well their systems and controls operate.
System and Organization Controls (SOC) Audits
Created by the Canadian Institute of Chartered Accountants (CICA) and its American counterpart, the American Institute of Certified Public Accountants (AICPA), the original standard for auditing service organizations began in the early 1990s as SAS 70 (Statement of Auditing Standards No. 70). These audits generated reports evaluating the effectiveness of service providers’ internal financial controls. System and Organization Controls (SOC) audits were subsequently developed because customers needed specific assurance about how service providers handle information and data.
What is the Difference Between a SOC 1 and a SOC 2 Audit?
Similar to the original SAS 70, SOC 1 audits evaluate the controls of service providers that affect the financial statements of their customers. SOC 2 audits, however, evaluate the extent to which service providers’ information controls comply with the Trust and Services Criteria (TSC):
Security: Information and systems are protected against unauthorized access and data breach. Examples of security controls include firewalls and two-factor or multi-factor authentication.
Availability: The system is always available to customers, which requires meeting minimum acceptable standards for performance, security incident handling, and disaster recovery.
Processing Integrity: System processing delivers data that is accurate, complete, and on time.
Confidentiality: Confidential information is secure and access to it is controlled. Examples of confidentiality controls include encryption, restricting access to specific people, and firewalls.
Privacy: Confidential information, particularly personally identifiable information, is collected, used, retained, disclosed, and disposed of according to the company’s data policies and the CICA’s Generally Accepted Privacy Principles.
Types of SOC 2 Reports
A SOC 2 audit can generate two types of reports. For a SOC 2 Type I report, a CPA firm verifies that a service provider’s systems and controls are in place and designed effectively at a point in time. For a SOC 2 Type II report, a CPA firm evaluates the service provider’s systems and controls over a period of time to attest that they are both designed and operating effectively. Since SOC audits can only be conducted by independent, third-party organizations certified by the CICA or AICPA, the resulting reports help to establish trustworthiness and credibility for service providers.
Octacom is Proud to be a SOC 2, Type II Audited Organization
As a SOC 2, Type II audited organization, Octacom’s physical and information security is regularly tested, validated, and audited. We are also compliant with HITRUST CSF security certification criteria, as attested to by our SOC 2, Type II Report. HITRUST’s Common Security Framework (CSF) was assembled by North America’s largest healthcare service organizations together with organizations in technology and information security, and is one of the most well-respected frameworks of its type. Our commitment to assuring the security of your data will provide you with the peace of mind you need and the protection you deserve.
Octacom is a SOC 2, Type II audited enterprise software and services company focused on document and data automation solutions, including automated data capture. Founded in 1976, Octacom specializes in accounts payable automation and automated invoice processing, among other digital and automated business process outsourcing services.
If your organization would like to learn more about our solutions and services, please contact us; we would be glad to help.