Completing and Maintaining 5 Years of SOC 2 Type 2 Compliance
EverChain’s cloud-based platform and operations are routinely submitted to SOC 2 Type 2 auditing, both internally and through independent audits by Coalfire, the leader in cybersecurity compliance. We recently marked our fifth year of SOC auditing, having received a clean report in every audit over the past five years (meaning no remediation was required). Based on our business processes, we are audited for four of the five trust service principles: Security, Availability, Processing Integrity, and Confidentiality. In this article, we’ll discuss what it means to maintain SOC 2 Type 2 compliance, how to do it, and why it matters.
SOC 2 Type 2 Overview
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 Type 2 is one of three prevalent security frameworks that aim to address cybersecurity concerns in cloud-based systems (the others being ISO/IEC 27001 and HITRUST). A Service Organization Control (SOC) audit reports on how a cloud-based service provider handles sensitive information. It covers both the suitability of a company’s controls and their operating effectiveness.
For companies involved with cloud and data storage of sensitive information, having an independent assessment of their security safeguards is a cornerstone of trust. SOC 2 Type 2 is designed to cover five total trust service principles (TSPs): security, availability, processing integrity, confidentiality, and privacy. As part of the assessment, a cloud-based vendor hosts independent inspectors, provides them with documentation of controls, and allows their systems to be sampled and tested.
SOC 2 Type 1 vs. SOC 2 Type 2
A SOC 2 Type 1 report describes the internal control policies you have in place at a single point in time and assesses their suitability. The scope of a SOC 2 Type 2 report is greater: it tests those controls over a period of time (typically six months). Preparation for both assessments includes drafting system descriptions, control mapping, research, and conducting a risk assessment for each area. The process is time-intensive and highly detailed, so plenty of time and resources will be required to prepare for and execute the audit.
In a SOC 2 Type 2 assessment, auditors conduct fieldwork to observe controls, select samples, and test processes over weeks or months. The licensed CPA firm serving as your independent auditor will first determine which criteria will be included in the scope of your report by asking what kind of customer data you collect, what your storage methods are, and your business needs and operations.
Service Organization Controls (SOC) Reporting
The result of the audit is ultimately presented in the form of a report, attested to by the licensed CPA firm. These reports are intended to meet the needs of a broad range of users (such as creditors and potential clients) who need detailed information and assurance about the controls at a service organization. The controls in question are those relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed by those systems.
Per the AICPA, SOC 2 reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
12-Month Validation Period for SOC 2 Type 2
A SOC 2 Type 2 assessment is good for 12 months from the issue date. The need to recertify annually means your organization will want to keep gathering documents, backing up data, building compliance and training norms, and keeping security at the forefront. Maintaining SOC 2 Type 2 compliance requires resources and processes dedicated to preparation, internal auditing, and ongoing compliance oversight systems in place to ensure a clean audit.
Given the relatively short validation period, maintaining compliance is a commitment to revolving seasons of preparation and audit; that is, a continual commitment to best practices and top-notch security.
5 Years of EverChain Compliance
Participating in SOC 2 Type 2 audits has been an important factor in attracting and retaining large, high-quality industry participants, ensuring data privacy, and continuously monitoring compliance internally. The effort and investment pay off in the ability to grow with larger clients and assure stakeholders that security is of utmost importance, not just in sentiment but in fact.
EverChain is the recognized pioneer of compliant and data-driven debt sales. In 2012, EverChain developed a market-disrupting debt sale management solution and launched the first and largest certified buyer network, establishing them as THE marketplace for consumer debt transactions. Over the past decade, EverChain has facilitated the sale and transfer of billions of dollars in uncollected debt while simultaneously infusing creditors with millions of dollars in revenue, all with unprecedented consumer-centric compliance. EverChain specializes in the following areas of consumer debt: Auto Finance, Utilities, Buy Now Pay Later, Payday Loans, Credit Card Deficiencies, Bankruptcies and Point of Sale Loans. To learn more, visit www.everchain.com or email firstname.lastname@example.org.