What does that mean for our customers?
The Service Organization Control (SOC) 2 Type II examination demonstrates that an independent accounting and auditing firm has reviewed and examined Sage Direct’s control objectives and activities, and tested those controls to ensure that they are operating effectively.
SOC 2 is based on Policies, Communications, Procedures, and Monitoring. The specific Trust Service Principles explained below must be met to successfully achieve certification.
- Security: The system has controls in place to protect against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information that is designated as “confidential” by a user is protected.
- Privacy: Personal information is collected, used, retained and disclosed in accordance with the operation’s privacy notice and principles set by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
There are two types of SOC 2 reports: Type I and Type II.
The Type II report is issued to organizations that have audited controls in place and whose controls' effectiveness has been audited over a specified period of time. The Type I report is preliminary to the Type II report and is based on the ability to test and report on control design.
Why is it important and why does it matter?
Type II Certification consists of a thorough examination of an organization’s internal control policies and practices by a third-party firm over a specified period, typically six months to one year. This independent review ensures that the organization meets the stringent requirements set forth by the AICPA and CICA. When trusting an application with highly sensitive and confidential information, such as passwords, documents, and secure images, obtaining high-level certification is imperative.
How does it impact applications?
Applications and software developed by a SOC 2 certified organization must be developed following audited processes and controls, which helps ensure that applications and code are developed, reviewed, tested, and released following the AICPA Trust Services Principles. The result is an application that has been developed under audited processes and controls to help ensure the highest level of trust and security.
How does it impact users?
When a company works with a third party that has been granted access to any type of system the customer owns, this creates some level of internal control risk. The type of access granted to a third-party vendor and the type of systems it can reach ultimately determine the level of risk for the organization. Even the smallest data breach can become a substantial issue for a large company if it has inadequate internal control policies and systems.
By working with a SOC 2 certified vendor like Sage Direct, users ensure that data is kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles framework.