SOC 2 Certification – What It Means for Customers

As more business operations take place online and vast amounts of sensitive data are transmitted electronically every day, cybersecurity has become a key consideration for businesses. Digital security breaches are becoming more prevalent, costly, and harmful to those affected, so it may be necessary for businesses to take additional measures to help ensure the security of their digital data.

If you currently contract with outside service providers to hold, store, or process information for your business, one way to help enhance the security of your sensitive data is to work with vendors that have completed SOC 2 audits. Service Organization Controls (SOC) are a series of accounting standards set by the American Institute of CPAs (AICPA) for service organizations and are widely recognized as the industry-standard method for measuring financial and operational controls relevant to services provided to third parties.

While a SOC 1 audit from your vendor helps provide your management with assurances regarding vendor controls that are likely to be relevant to an audit of your financial statements, the SOC 2 audit provides additional assurances regarding vendor controls that relate to operations and compliance relevant to one or more of the following five principles: security, availability, processing integrity, confidentiality, and privacy.

Both SOC 1 and SOC 2 audits can be designated as either Type I or Type II. A Type I SOC audit provides assurance that the service organization’s controls are suitably designed to achieve specified control objectives. A Type II SOC audit provides additional assurance that a service organization’s controls were operating as designed during the audit period. A Type II audit report also includes a detailed description of the tests performed and the audit results of those tests.

Since the 1970s, third-party service provider organizations have often opted to complete SOC 1 audits (previously known as SAS 70). However, as data security concerns have increased, SOC 2 audits have become increasingly relevant, especially to entities such as data centers, IT-managed service providers, software as a service (SaaS) vendors, and other cloud-computing-based businesses. Third-party organizations that successfully complete a SOC audit can offer their clients reasonable assurance that an independent auditor has reviewed their operations and confirmed that they meet the criteria prescribed by the AICPA for the five Trust Services Principles:

Security: The system is protected against unauthorized access (both physical and logical).

Availability: The system is available for operation and use as committed or agreed.

Processing Integrity: System processing is complete, accurate, timely, and authorized.

Confidentiality: Information designated as confidential is protected as committed or agreed.

Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).

The SOC 2 criteria that third-party vendors are required to meet are predefined by the AICPA for each of the five Trust Services Principles. A third-party vendor can choose to complete an audit of any combination of the principles from one to all five depending on their relevance to the provided services and the needs of the vendor and its clients. SOC 2 audits covering all five principles are much less common, as many vendors choose something less extensive.

If your company currently uses third-party vendors to provide services that include the collection, processing and/or retention of sensitive information, you should consider inquiring into whether they have successfully completed a SOC 2 Type II audit, as it helps to ensure a higher standard for protecting your data. Successfully completing a SOC 2 Type II examination proves that systems are properly designed to keep data secure.

SOC 2 Type II Examination

CEIPAL has successfully completed a SOC 2 Type II Service Organization Control (SOC 2) audit in accordance with the stringent data security standards set forth by the American Institute of Certified Public Accountants (AICPA). CEIPAL joins a rare group of companies in the human capital management technology industry that are committed to delivering robust services, controls, and data privacy systems. By achieving SOC 2 Type II accreditation, we are following through on our commitment to developing the human capital management industry’s most trustworthy and transparent solution.

The successful SOC 2 report provides assurance to CEIPAL and its customers that the company has designed and implemented effective security controls, policies, and practices. During the examination, independent auditors evaluated and tested controls over the Security domain. This domain refers to how a company handles and protects information and systems from unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the security of information or systems and impact the entity’s ability to meet its objectives.

“One of our most important company goals is to ensure that our systems, controls, and company governance are best-in-class. Achieving SOC 2 compliance is a huge milestone in our broader effort to meet and exceed stringent data security and company controls,” said Saahit Togaru, Business Strategy & Marketing Head at CEIPAL. “With this examination, our global customers can trust that we have the controls and data security in place to act as their system of record and for the greater HCM industry.”

For more information about SOC 2 audits, see the American Institute of Certified Public Accountants website.