Your company has decided to outsource but searching for the best partner can be overwhelming. If you type “best outsourcing firms” into Google you will get pages and pages of search results but can you trust that these companies are compliant or secure?

Start by evaluating only service organizations that are SOC compliant.  Not sure what that is? We’ve removed all the CPA jargon and broken down SOC audits for you.

What is a SOC?

In this context, SOC stands for Service Organization Control and does not refer to the fuzzy things you put on your feet to keep them warm. Developed by the AICPA (a professional organization of CPAs), SOC audits are an assurance that the controls surrounding a service provider’s offering is designed well and operating effectively. There are a few different types of SOC reports but simply put, SOC 1 deals with financial information and SOC 2 deals with non-financial information.

The SOC 1 Report

A SOC 1 is a report on controls at a service organization which are relevant to user entities’ internal control over financial reporting. An example of a service organization that may need a SOC 1 report is a company that provides payroll processing services to user entities.

User entities that use the payroll processing company realize the material impact of payroll on their financial statements and request some independent assurance that their payroll is handled in accordance with their expectations.

A SOC 1 report provides user entities of the payroll processing company reasonable assurance that the internal controls of the payroll processing company are suitably designed (Type I report) or suitably designed and operating effectively (Type II report) to provide the payroll services.

The SOC 2 Report

As companies increasingly leverage the cloud to store customer data, SOC 2 compliance is becoming a must-have for a wide variety of organizations.  These audits are more technical in nature and designed specifically for service providers storing customer data in the cloud. That means SOC 2 applies to nearly every Software as a Service (SaaS) company, as well as any company that uses the cloud to store its customers’ information.

So what are the exact requirements of SOC 2?

Considered a technical audit, SOC 2 requires companies to establish and follow strict information security policies and procedures, encompassing the security, availability, processing, integrity, and confidentiality of customer data. SOC 2 ensures that a company’s information security methods are in line with the unique factors of today’s cloud requirements.

Why are SOC 1 and SOC 2 reports important?

The market landscape changes rapidly and businesses are outsourcing at a much higher rate. Why? The value proposition is simple: organizations can be more efficient and cost effective by focusing on what they do best and outsource the other details required to run their organization.

The SOC 1 and 2 reports provide transparency of the specific controls implemented by a service organization, and the tests performed by the auditor. The success or failure of these controls has a direct or indirect impact on the reputation, financial statements and stability of the user organization.

Becoming certified is a rigorous process wherein a third-party CPA firm conducts the SOC audit.  Translation? A service organization gets put through the ringer, and you get peace of mind knowing they came out on the compliant side.

What should you do next?

It’s simple.  Only evaluate and partner with SOC compliant organizations! If you are a publicly traded company this is a requirement to do business.  Customers need to know that when the next cyber threat occurs (and it will), their confidential information will be safe in your care.

Therefore, when choosing to outsource, selecting a partner you can trust with you and your customer’s data is non-negotiable.

Need more help? Contact Altus for more information on SOC compliance.

Altus is both SOC 1 Type II and SOC 2 Type II certified commercial collection agency helping leading companies gain confidence and control over their entire credit to cash cycle.

Payment Card Industry Data Security Standard