02.24.15

Why Choosing Vendors Who Have Completed SOC 2 Audits Means More Today

As more business operations take place online and vast amounts of sensitive data are transmitted electronically every day, cybersecurity has become a key consideration for businesses. Digital security breaches are becoming more prevalent, costly and harmful to those affected, so it may be necessary for businesses to take additional measures to help ensure the security of their digital data.

If you currently contract with outside service providers to hold, store or process information for your business, one way to help enhance the security of your sensitive data is to work with vendors that have completed SOC 2 audits. Service Organization Controls (SOC) are a series of accounting standards set by the American Institute of CPAs (AICPA) for service organizations, and are widely recognized as the industry standard method for measuring financial and operational controls relevant to services provided to third parties.

While a SOC 1 audit from your vendor helps provide your management with assurance regarding vendor controls that are likely to be relevant to an audit of your financial statements, the SOC 2 audit provides additional assurance regarding vendor controls that relate to operations and compliance relevant to one or more of the following five principles: security, availability, processing integrity, confidentiality and privacy.

Both SOC 1 and SOC 2 audits can be designated as either Type 1 or Type 2.  A Type 1 SOC audit provides assurance that the service organization’s controls are suitably designed to achieve specified control objectives.  A Type 2 SOC audit provides additional assurance that a service organization’s controls were operating as designed during the audit period.  A Type 2 audit report also includes a detailed description of the tests performed and the audit results of those tests.

Since the 1970s, third-party service provider organizations have often opted to complete SOC 1 audits (previously known as SAS 70). However, as data security concerns have increased, SOC 2 audits have become increasingly relevant, especially to entities such as data centers, IT-managed service providers, software as a service (SaaS) vendors and other cloud-computing-based businesses. Third-party organizations that successfully complete a SOC audit can offer their clients reasonable assurance that an independent auditor has reviewed their operations and confirmed that they meet the criteria prescribed by the AICPA for the five Trust Services Principles:

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).

The SOC 2 criteria that third-party vendors are required to meet are predefined by the AICPA for each of the five Trust Services Principles. A third-party vendor can choose to complete an audit of any combination of the principles, from one to all five, depending on their relevance to the services it provides and the needs of the vendor and its clients. SOC 2 audits covering all five principles are much less common, as many vendors choose to cover fewer.

If your company currently uses third-party vendors to provide services that include the collection, processing and/or retention of sensitive information, you should consider inquiring into whether they have successfully completed a SOC 2 Type 2 audit, as it helps to ensure a higher standard for protecting your data.

ADP Tax Credits has completed SOC 1 Type 2 audits since 2005 and has recently completed its first SOC 2 Type 2 audit covering all five Trust Services Principles. Visit the ADP Tax Credits page to learn how your business can benefit from a tax credits program that is designed to help protect your company’s sensitive data.

