One question we’re often asked is whether a service organization that elected to use a SOC-certified data center needs to undergo a SOC examination of its own.
The answer is simple: If a service organization processes data on behalf of customers, it should undergo a SOC examination. This exam should specifically cover its internal controls in place for accessing, securing and processing customers’ data.
Below are some examples of the types of service organizations that may need SOC examinations:
- Accounts receivable management services
- Document management services
- Managed technology services
- Application development services
- Healthcare billing services
- Order fulfillment and distribution services
- Benefit plan administrators
- Hosted application providers
- Payroll processors
- Check imaging and processing services
- Information security management services
- Practice management systems
- Claims processors
- Internet banking providers
- Printing and mailing services companies
- Collections services
- Loan servicing providers
- Third-party administration services
A service organization should have a clear understanding that outsourcing the data-hosting component of its operations does not shift the responsibility for protecting customer data. Outsourcing does free up time and resources so organizations can better manage and enhance their own internal security and operational controls. For that important reason, service organizations should undergo a SOC examination of their own to independently examine and validate the internal controls and processes in place around the processing and protection of customer data.
Are you ready to undergo a SOC exam?
Once the need for a SOC examination is identified, a service organization should evaluate its preparedness to undergo one by taking these steps:
- Determine the type and scope of a SOC examination needed based on the nature of services provided to its customers.
- Assess and define regulatory and compliance requirements that need to be addressed as part of a SOC examination.
- Evaluate and update existing policies and procedures in place around internal controls to be validated as part of a SOC examination. For any internal controls that lack written policies and procedures, a service organization should work on writing and enforcing them.
- Perform a readiness assessment, either internally or with the help of a third-party auditor. A readiness assessment should help identify internal control gaps or deficiencies that need to be addressed prior to undergoing a SOC examination.
Once internal control gaps and deficiencies are remediated and policies and procedures are written and enforced, a service organization can begin its SOC examination.
A SOC examination should also include a section on what a service organization does to validate the internal controls in place at its mission-critical vendors, such as data centers. As mentioned earlier, the overall responsibility for protecting customer data always remains with the service organization, which requires it to build a rigorous oversight function and gain a clear understanding of how the data center hosting affects the security, confidentiality and availability of customer data. Understanding the type and nature of the data center hosting services used is imperative for determining which of the data center's internal controls and processes should be examined as part of the oversight function.
If a service organization uses a data center for colocation purposes, it should validate that appropriate physical and environmental safeguards are in place at the data center.
If a service organization uses cloud services offered by a data center, then in addition to physical and environmental safeguards it should, at minimum, validate the existence of controls around logical access administration, change management, security monitoring and cyber threat prevention.
How Wipfli can help
Whether you're a service organization that controls all its own data or one that outsources it, our team can help you understand the complexities of SOC exams and determine which controls would need to be in place and covered by such an examination.