When looking for a third-party vendor who will have access to sensitive data, it is important to know whether the organization prioritizes data security. Luckily, most reputable firms hold some sort of certification for their data security framework and procedures. These certifications are important to look for because it is your responsibility to verify that the third party is dependable and that its systems have the proper safeguards in place. To confirm that a service provider meets these standards, you can ask for a report showing that it has proper security controls in place and that those controls have been verified by an independent third party. This proof can come in the form of a SOC 1 report, which is the audit of a vendor’s accounting and financial controls. In other words, it is the metric of how well they keep up their books of accounts.
HISTORY OF SOC 1
SOC (Service Organization Control) reports were created by the AICPA to set compliance standards for third-party data hosting firms. In 2011, the Standards for Attestation Engagements No. 16 (SSAE 16) replaced SAS 70 as the new auditing standard. According to the AICPA, it required service organizations, such as data centers, to provide a written report describing all controls relevant to financial reporting at any organization that provides services to customers. These requirements are specifically designed for companies like FBS that store customer data in the cloud.
In May of 2017, these standards were updated to SSAE 18, which now covers all attestation engagements. It is important to note that while the SSAE 16 standard was specific to service organizations, SSAE 18 applies to all attestation engagements. Additionally, while it was previously acceptable to refer to a SOC 1 as an SSAE 16 examination, the report will no longer be named after the examination standard, but rather after the reporting standard. Therefore, organizations that have passed the SSAE 18 examination will be “SSAE 18 SOC 1” or simply “SOC 1” certified.
TYPE I OR TYPE II?
A SOC 1 Type I and a SOC 1 Type II both report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting. The main difference is time:
- A SOC 1 Type I report is an attestation of controls at a service organization at a specific point in time.
- A SOC 1 Type II report is an attestation of controls at a service organization over a minimum six-month period.
A SOC 1 Type I report covers the description of controls provided by the service organization’s management and attests that the controls are suitably designed and implemented. A SOC 1 Type II report covers the same description of controls, attests that the controls are suitably designed and implemented, and additionally attests to the operating effectiveness of those controls over the review period.
Data security and the protection of an employee’s private health information are of the utmost importance to FBS. Since its launch in 2002, the THEbenefitsHUB team has worked constantly on improvements and updates that continue to ensure secure data transmission and the protection of our clients’ personal information. This includes maintaining a SOC 1 Type II certification, which is renewed every six months. Each renewal requires a lengthy process in which an independent auditor reviews numerous control areas such as incident management, human resources, physical and network security, and data backup/restoration. This means the way we manage your data has withstood some of the most rigorous security audits in the industry, making us a trustworthy partner.
If you would like more information on the data security of our systems, contact us to speak to a consultant.