EverChain’s cloud-based platform and operations are routinely submitted to SOC 2 Type 2 auditing, both internally and through independent audits by Coalfire, the leader in cybersecurity compliance. We recently marked our fifth year of SOC auditing, having received a clean audit for every audit over the past five years (meaning no remediation required). Based on our business processes, we are audited for four of the five trust service principles: Security, Availability, Processing Integrity, and Confidentiality. In this article, we’ll discuss what it means to maintain SOC 2 Type 2 compliance, how to do it, and why it matters.
SOC 2 Type 2 Overview
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 Type 2 is one of three prevalent types of security frameworks that aim to address cybersecurity concerns in cloud-based systems (in addition to ISO/IEC 27001 and HITRUST¹). A Service Organization Control (SOC) audit reports on how a cloud-based service provider handles sensitive information. It covers both the suitability of a company’s controls and its operating effectiveness.
For companies involved with cloud and data storage of sensitive information, having an independent assessment of their security safeguards is a cornerstone of trust. SOC 2 Type 2 is designed to cover five total trust service principles (TSPs): security, availability, processing integrity, confidentiality, and privacy. As part of the assessment, a cloud-based vendor hosts independent inspectors, provides them with documentation of controls, and allows their systems to be sampled and tested.
SOC 2 Type 1 vs. SOC 2 Type 2
A SOC 2 Type 1 report describes the internal control policies you have in place at a single point in time and assesses whether they are suitably designed. The scope of a SOC 2 Type 2 report is greater: it tests whether those controls actually operate over a period of time (typically six months). Preparation for both assessments includes drafting system descriptions, control mapping, research, and conducting a risk assessment for each area. The process is time-intensive and highly detailed, so plenty of time and resources will be required in preparing and executing the audit.
In a SOC 2 Type 2 assessment, auditors conduct fieldwork to observe controls, select samples, and test processes over weeks or months. The licensed CPA firm serving as your independent auditor will first determine which criteria will be included in the scope of your report by asking what kind of customer data you collect, what your storage methods are, and your business needs and operations.
Service Organization Controls (SOC) Reporting
The result of the audit is ultimately presented in the form of a report, attested to by the licensed CPA firm. These reports are intended to meet the needs of a broad range of users (such as creditors and potential clients) who need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed by these systems.
Per the AICPA, SOC 2 reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
12-Month Validation Period
A SOC 2 Type 2 assessment is good for 12 months from the issue date. The need to recertify annually means your organization will want to keep gathering documents, backing up data, building compliance and training norms, and keeping security at the forefront. Maintaining SOC 2 Type 2 compliance requires resources and processes dedicated to preparation, internal auditing, and ongoing compliance oversight systems in place to ensure a clean audit.
Given the relatively short validation period, maintaining compliance is a commitment to revolving seasons of preparation and audit: that is, a continual commitment to best practices and top-notch security.
5 Years of EverChain® Compliance
Participating in audits has been an important factor in attracting and retaining large, high-quality industry participants, ensuring data privacy, and continuously monitoring compliance internally. The effort and investment pay off in the ability to grow with larger clients and assure stakeholders that security is of utmost importance, not just in sentiment but in fact.
At EverChain®, we are experienced and driven receivables management professionals creating a future where recovering, selling, and buying receivables is transparent, safe, and profitable. Our one-stop receivables management platform (patent pending) uses innovative AI tools and technologies to simplify and streamline the debt sales & recovery process—optimizing outcomes for the creditor, collector, and borrower.
Over the past decade, EverChain has helped creditors, agencies, and buyers recover tens of billions of dollars while empowering compliant collections for millions of American consumers.
EverChain specializes in the following areas of consumer debt: Auto Finance, Utilities, Buy Now Pay Later, Payday Loans, Credit Card Deficiencies, Bankruptcies and Point of Sale Loans.
To learn more, visit www.everchain.com or email us today!
¹HITRUST created the HITRUST Common Security Framework (CSF) to provide an objective, measurable way to manage the security risks that come with handling healthcare information and other sensitive data. HITRUST CSF certification is a way for organizations to demonstrate that specific systems within their environment meet the framework’s rigorous standards and regulations. HITRUST-certified assessors perform certifications and produce detailed reports to help organizations understand and improve their maturity levels.