In today’s interconnected world, managing the risk posed by third-party vendors is increasingly important. In response, the American Institute of Certified Public Accountants (AICPA) created System and Organization Controls (SOC), a family of attestation reports in which an independent auditor examines a service organization’s controls against a defined set of criteria. SOC 1 replaced the earlier SAS 70 (Statement on Auditing Standards No. 70) report. It is important to note that SOC is not a statute or regulation; it is a reporting standard that customers and their auditors may require contractually, but no law mandates it.
SOC applies to service organizations: companies that perform services on behalf of other organizations, very often by hosting servers, databases, and software accessed over the internet, a category commonly known as SaaS (“Software as a Service”) or cloud software. Examples are payroll processors, medical claims processors, loan servicing companies, and data center operators.
There are three kinds of SOC reports: SOC 1, SOC 2, and SOC 3. While each varies in scope and detail, all give a service organization’s clients (the “user entities”) an independent auditor’s assessment of the controls in place, so that each client does not have to audit the vendor itself.
SOC 1 covers controls at a service organization that are relevant to its clients’ internal control over financial reporting (ICFR), for example a payroll or loan-servicing provider whose processing feeds directly into a client’s financial statements. The report documents those controls, and the monitoring of them, so that the client’s financial-statement auditors can rely on them. Examples of companies that typically need a SOC 1 report are SaaS organizations, medical or payroll processors, cloud computing providers, and lending services.
There are two types of reports for SOC 1:
Type 1—Focuses on whether the controls are suitably designed and implemented as of a specified date.
Type 2—Addresses whether the controls operated effectively over a specified period of time (commonly six to twelve months). It includes a description of the tests performed, their results, and the company’s response to any exceptions found.
SOC 1 reports are restricted-use documents intended for the service organization’s management, its clients’ management and compliance officers, and the clients’ external auditors. A complete report includes the service organization’s description of its controls and an independent auditor’s opinion on whether that description is fair and whether the controls are suitably designed (Type 1) and operating effectively (Type 2).
SOC 2 broadens the scope to controls unrelated to financial reporting and is more technical and security-focused than a SOC 1 report. A SOC 2 report includes a description of the system under examination, meaning its infrastructure, software, people, procedures, and data, and evaluates controls against the AICPA’s Trust Services Criteria, which include confidentiality and privacy categories.
The criteria are organized into the following five categories. Security (the “common criteria”) is required in every SOC 2 report; the other four are included only if the service organization chooses to have them examined, so a reader should always check which categories a given report actually covers:
- Security—The system is protected against unauthorized access, use, or modification, both physical and logical. This includes monitoring system activity and alerting procedures.
- Availability—The system is available for operation and use as committed or agreed.
- Processing Integrity—System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality—Information designated as confidential is protected as committed or agreed.
- Privacy—Personal information is collected, used, retained, disclosed, and disposed of in conformity with the organization’s privacy notice and commitments.
As organizations outsource more data processing and other corporate functions, requests for SOC 2 reports have increased. Companies that handle both financial and non-financial data may need both a SOC 1 and a SOC 2 report. SOC 2 reports are typically of interest to prospective and existing clients, business partners, and regulators, among others; like SOC 1 reports they are restricted-use and are usually shared under a non-disclosure agreement. Like SOC 1, there are two types of reports:
Type 1—Evaluates controls at a point in time and includes a description of the system and the auditor’s opinion on whether the description is fair and the controls are suitably designed.
Type 2—Covers a period of time and includes everything in a Type 1 report, plus the detailed tests of operating effectiveness, their results, and the company’s response to any exceptions.
SOC 3 is a general-use report intended for the public. It consists mainly of a high-level system description and the auditor’s opinion, presented in a less detailed and less technical manner than a SOC 2, and it omits the detailed tests and results. It is not a separate certification: a SOC 3 is issued on the basis of a completed SOC 2 Type 2 examination, which is why organizations often post their SOC 3 on a public website while reserving the SOC 2 for customers under NDA.
SOC and Europe’s GDPR
Other frameworks share some of the principles behind SOC, including the European Union’s (EU) GDPR (General Data Protection Regulation), which became enforceable on May 25, 2018 after a two-year transition period. Like SOC’s privacy criteria, it is intended to protect individuals’ privacy, in the following ways:
- Standardize data privacy law across the EU,
- Protect the data privacy of individuals in the EU,
- Hold organizations to strict adherence to data privacy requirements.
The regulation applies to any company processing the personal data of individuals in the EU, whether or not the processing itself takes place in the EU. It therefore also applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior.
Individuals in the EU (“data subjects”) have the following rights under GDPR:
- Knowledge of who is processing their data, and why (the right to be informed)
- Access to the data a company holds on them, in an intelligible format
- Objection to processing, including any use for direct marketing
- Correction of data they believe to be inaccurate (rectification)
- Timely deletion of data when there is no lawful basis for retaining it (erasure, the “right to be forgotten”)
- Not to be subject to decisions based solely on automated (algorithmic) processing that significantly affect them, with the right to obtain human review of such a decision
- Receiving their data in a machine-readable format and transferring it to another provider (data portability)
Unlike SOC, GDPR is law in the EU and therefore operates on a pass/fail basis: an organization is either compliant or in breach. Companies that fail to comply can be fined up to the greater of €20 million or 4% of annual global turnover. Consent must be requested in clear and plain language, be freely given and specific to the purpose, and be as easy to withdraw as it was to give. When an individual asks to have their data erased, the company must do so without undue delay unless it has a legal ground for retaining the data.
Companies must also appoint a Data Protection Officer (DPO) if their core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data such as health records; public authorities must appoint one regardless. Following a personal data breach, the organization must notify its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; if notification is made later than that, the reasons for the delay must be given.
Transferring personal data outside the European Economic Area (EEA), which comprises the EU member states plus Iceland, Liechtenstein, and Norway, is permitted only if one of the following conditions is met:
- The EU has issued an adequacy decision finding the receiving country’s protections adequate,
- The company puts appropriate safeguards in place, such as standard contractual clauses or binding corporate rules, or
- A specific derogation applies, such as the individual’s explicit, informed consent to the transfer.