In today’s highly regulated industries, companies must comply with a large number of requirements. Many of these companies also outsource components of their critical business processes to third parties, known as service organizations. Although the execution of a business process is delegated to a service organization, the company remains responsible for compliance related to the processes it outsources.
For example, if a company outsources a process that handles non-public customer information, such as Social Security or account numbers, the service organization must be able to demonstrate its controls over protecting that information. If the service organization slips up or is hacked, customer data could be compromised or stolen. The end customer is harmed, and the client company that outsourced the process is the one that pays; the penalties could include hefty fines, lost revenue, legal fees and, of course, embarrassment. The cost may be high, especially when it comes to a lost reputation. That matters a great deal, since the client may entrust service organizations with people’s account details, credit card numbers, medical information and so on.
The service organizations of these highly regulated companies may be subject to several compliance regimes, depending on the variety of customers they serve. For example, a data center that provides colocation facilities and managed services may serve hospitals, banks and publicly traded companies. In such instances, the data center might be responsible for certain aspects of the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act. The data center might also have its own compliance obligations arising from the nature of the services it provides, such as Occupational Safety and Health Administration (OSHA) electrical safety standards. Service organizations in these situations may receive a large number of due-diligence checklists from their customers. Completing these checklists consumes internal resources of the service organization, resources that could be focused on operating and improving the core business. In such situations, obtaining a Service Organization Control 2 (SOC 2) report can help the service organization address multiple compliance demands with a single independent examination.
Whereas Service Organization Control 1 (SOC 1) reports were designed specifically for service organizations whose services are relevant to their customers’ internal control over financial reporting, SOC 2 reports were designed to cover the trust services principles of security, availability, processing integrity, confidentiality and/or privacy. These reports may also cover additional subject matter not specifically addressed by these principles, such as compliance with HIPAA or adherence to specific service-level agreements.
More and more frequently, service organizations are relying on SOC 2 audits to address their customers’ concerns. Such audits have several advantages:
- Many client companies view service organizations that undertake SOC audits as being proactive instead of waiting for the latest checklist; they have taken the initiative to get ahead of the game.
- A service organization that undergoes a SOC audit may gain an edge over its competitors. A clean (unqualified) SOC 2 opinion may give it a leg up compared with a competitor that has none.
- And finally, instead of spending time responding to multiple customer audits, the people hired to handle data can spend their time doing their jobs.
Although no audit can cure all ills, service organizations that choose a SOC 2 audit may be able to move forward and free up key resources to focus on fine-tuning their strategic visions and growing their businesses.
About the Author
Mike Morris, CISA, is Systems Partner at Porter Keadle Moore, LLC accounting firm.