January 3, 2018
Last month, MiraMed Global Services received Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organization Control (SOC) 2 Type II Certification. The certification criteria reviewed and tested the following areas of MiraMed’s policies and practices:
- Infrastructure: The physical and hardware components of a system.
- Software: The programs and operating software of a system.
- People: The personnel involved in the operation and use of a system.
- Procedures: The automated and manual procedures involved in the operation of a system.
- Data: The information used and supported by a system.
Achieving certification of this type is a big accomplishment in today’s security-minded business environment. The following is an overview of SOC Certification, and why it is important for service organizations and their clients.
What are SSAE and SOC?
SOC is a part of the SSAE, Reporting on Controls at a Service Organization. It was put into place by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 replaces Statement on Auditing Standards (SAS) No. 70, Service Organizations, which was a widely recognized auditing standard developed by the AICPA. For over 17 years, SAS No. 70 was the authoritative guidance that allowed service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The issuance of a service auditor's report from SAS signified that a service organization has had its control objectives and activities examined by an independent accounting and auditing firm. In 2018, SAS was phased out, and SSAE SOC is the new standard by which service organizations are measured.
Understanding SOC 1, SOC 2 and SOC 3
SSAE 16 SOC is part of the new Service Organization Control (SOC) reporting platform put forth by the AICPA, for which there are three (3) reporting options: SOC 1, SOC 2 or SOC 3.
SOC 1 is the reporting option for the SSAE 16 professional standard that results in a SOC 1 SSAE 16 Type 1 and/or a SOC 1 SSAE 16 Type 2 report. SSAE 16 is geared towards service organizations that have a credible relationship with Internal Control(s) over Financial Reporting; more commonly known as the "ICFR" concept.
SOC 2 is the reporting option for companies that use cloud computing to transfer and store data. Because the business models and service types provided by service organizations have evolved significantly within the last decade, a new reporting option was needed to accommodate these changes. SOC 2 reporting utilizes the AICPA AT 101 professional standard and can be a Type 1 or a Type 2. Additionally, SOC 2 reports comprise five Trust Services Principles (TSP), which are Security, Availability, Processing Integrity, Confidentiality and Privacy.
SOC 3 is the reporting option that allows service organizations to report on any number of the five (5) Trust Services Principles. The SOC 3 report is a public-facing document that gives a high-level overview of information in the SOC 2 report. Therefore, a SOC 3 report is used as a non-specific front-facing report for marketing materials and other documentation.
Why is a SOC 2 Type II Certification Important for Vendors and Clients?
A SOC 2 Type I examination demonstrates an independent review and examination of an organization’s control objectives and activities, and tests those controls in an initial audit to ensure that they are operating effectively. A SOC 2 certification is based on policies, communications, procedures and monitoring that meet the tenets of the TSP:
- The system has controls in place to protect against unauthorized access (both physical and logical).
- The system is available for operation and use as committed or agreed.
- System processing is complete, accurate, timely and authorized.
- Information that is designated as “confidential” by a user is protected.
- Personal information is collected, used, retained and disclosed in accordance with the organization’s privacy notice and the principles set by the AICPA.
The SOC 2 Type II report is issued to organizations that have audited controls in place and whose effectiveness has been audited over a specified period, typically six months to one year.
Since the Type II Certification consists of a thorough examination of an organization’s internal control policies and practices over a minimum of six months, this independent review ensures that the organization will meet the stringent requirements and can prove performance over time.
When a company works with a third party that has been granted access to any type of system the client owns, this creates some level of internal control risk. The type of access granted to a third-party vendor and the type of systems they have access to ultimately determine the level of risk for the organization. By working with a SOC 2 Type II certified vendor like MiraMed, users ensure that data is kept secure through the implementation of standardized controls as defined in the AICPA Trust Services Principles framework (as mentioned above). Applications and data warehoused by organizations that are not SOC 2 certified do not carry the same level of assurance.
A company that has achieved SOC 2 Type II certification has proven over time that its systems and controls are designed to keep client data safe and secure. When it comes to working with vendors who have access to client data, proven performance and reliability in keeping data secure is essential, and such controls are required by regulators, examiners and auditors under laws such as the Health Information Technology for Economic and Clinical Health (HITECH) Act. Working with a company that has achieved a SOC 2 Type II certification is proof that its systems are protected and available for operation in a timely manner, with controls in place to protect the confidentiality and privacy of any data processed or stored.