What Printers Should Know About SOC 2 Compliance Reports
Businesses are scrutinizing who they work with, particularly when one entity shares highly sensitive or proprietary information with another entity, as often happens within the printing industry. Even if a printing firm is not providing fulfillment services, and therefore not receiving its client’s customer database, there is still increasing security and privacy risks between organizations that share data or rely on each other for services.
To address this risk, organizations are implementing vendor management programs to ensure security and privacy are being addressed. These programs will often have a requirement for a third-party assessment, such as a System and Organization Control Report, also known as a SOC 2 Report.
SOC 2 Reports are the least laborious of the many assessments printing operations and other organizations can undertake. These assessments are built upon the American Institute of Certified Public Accountants (AICPA) Standard SSAE 18 and the Trust Service Criteria (TSC). Due to the AICPA’s backing, SOC 2 Reports are widely known and accepted as assurance for security and privacy risk mitigation. Prior to beginning a SOC 2 assessment, an organization must have a documented and implemented information protection program. To ensure a successful outcome for the engagement, best practice is for the organization to complete a readiness exercise.
A Protection Program and SOC 2
An information protection program begins with a collection of policies and procedures, which address physical and logical security, data protection, access controls, among other aspects. Typically, policies and procedures are developed based upon a security framework, such as the National Institute of Standards and Technology (NIST) 800-53 or another similar framework. The policy and procedure documentation typically takes three to six months. The information protection program begins with documenting current practices and identifying the gaps based on best practices.
During the rollout of the information protection program, SOC 2 readiness can begin. The first step is to determine the scope of the assessment. A SOC Report may address a location, a process, or the entire entity, based upon why the assessment is needed and who will use it. Once the scope is determined, the organization will decide which of the five TSCs should be reported on. The five criteria are Security, Confidentiality, Availability, Processing Integrity, and Privacy.
This is often dictated by user entities of the report. An organization should also consider what is relevant to the services it provides. For example, a printing and fulfillment firm will generally report on Security, Availability, and Confidentiality. Users of the SOC 2 Report will want to know what level of security exists and that their proprietary or confidential information is in a secure environment.
Once the TSC and scope are established, the organization will describe the system in scope based upon the AICPA’s Description Criteria. This document is called the System Description and will identify the internal controls the assessment will be based upon. This standardized format is what makes SOC Reports comparable in the marketplace. The system description is typically a 10-20-page narrative of the system or process and describes such elements as services being provided, service commitments, and system components.
The last step of SOC 2 readiness is drafting the “Management’s Assertion.” Typically, this is a template letter, which management drafts and signs to include in the SOC 2 Report.
Readiness can take three to six months depending on complexity and resources available. Upon completion of SOC 2 readiness, an organization is ready for a SOC 2 – Type 1 Report. Type 1 reports on the fairness of presentation and suitability of design of the controls at a point in time. This report is a review of everything completed in readiness, and a report is issued by a CPA firm to express an opinion as to whether all requirements have been met. It sets the baseline for a SOC 2 – Type 2 Report.
A SOC 2 – Type 2 Report typically occurs six to 12 months after the Type 1 Report is issued. A Type 2 Report reports not only on the fairness of presentation and suitability of design of controls, but also the operating effectiveness of those controls. At this point, the procedures developed in the information protection program need to be in place and operating as defined by the organization. Evidence of control operation should be generated throughout the period. During the assessment, the auditor will sample this evidence to support his or her opinion on control operating effectiveness.
If a control does not operate during a period because a control trigger event did not occur, there are ways of handling that in the assessment without causing a testing exception. However, if a control does not operate, but should have, that is noted in the report as an exception. The auditor may perform additional procedures to determine if the exception(s) rise to a level material enough to warrant a modified opinion.
Assuming an unmodified opinion, the SOC 2 – Type 2 Report is issued to the organization and the assessment recurs on an annual basis. Generally, there is no reason to perform readiness again unless the system or scope of the report changes dramatically.
Why Organizations Need SOC 2 Compliance
A SOC 2 Report is more than compliance — it can also bring a range of benefits for those organizations working in the printing industry. A SOC Report gives clients important information about the internal control processes, facing externally. But this assessment also measures a printing company’s security and data privacy position internally, providing a road map in the development of efficient internal control by standardizing processes and procedures. Once achieved, the company will have a comprehensive set of security policies and procedures that will clearly show its commitment to information security.
Here are three reasons to obtain a SOC 2 compliance report:
1. Customer or regulatory compliance: To work with larger businesses and government agencies, a SOC 2 Report will be required to prove that if they exchange data with a printing company, it can keep their information secure and private. A SOC 2 Report will also help them understand what controls are in place. From a vendor/regulatory compliance standpoint, printing operations can submit a SOC 2 in place of a questionnaire, saving valuable staff time. The company will have one standard report that it can provide to multiple customers and multiple regulators.
2. Proactively show commitment to security/privacy: Being proactive and showing a commitment to security and privacy can be used as a differentiator in the marketplace. This will help when trying to stand out from the competition, and it can be used as a marketing piece. It will especially be true in areas where there are many businesses playing in the same market. A printing company’s demonstrated commitment to security and privacy will show the maturity of its business and system.
3. Measure risk mitigation maturity: Every organization has risk. SOC 2 helps mitigate that risk and develop internal controls by standardizing policies and procedures. Hiring a third party to evaluate controls is important. It identifies what areas the organization is doing well in and what areas need improvement. This leads to the maturity aspect of what an SOC 2 brings. SOC 2 is a standard format for everyone. If one customer is measuring the company’s SOC 2 against another SOC 2, it’s easy to compare the two reports to determine who has the more mature controls in place, and who is going to be better to work with.
Tips for Creating SOC 2 Reports
1. Avoid redundant controls – The same control will be used multiple times in the TSC mapping. Use the same wording each time the same control is used. This will reduce complexity of the report and increase audit efficiency. Audit efficiency is important to keeping fees down and reducing the amount of evidence an auditor requests.
2. Multiple controls for criterion – Attempt to have multiple controls to support a criterion. Should one control fail, it will be necessary to have a compensating control for backup. If there is no compensating control, a control failure could result in a modified or qualified opinion.
3. Internally audit controls – Throughout the period, it’s important organizations self-audit their controls. No one likes to find out about a control failure during the assessment. Saving internal control evidence in a centralized repository is also helpful. It ensures that when audit time comes, there is one place where all the evidence is located.
4. Evidentiary dates – Auditors look to ensure the documentation they collect is date stamped during the reporting period. This includes policies and procedure documents. Ensuring these documents are annually reviewed is critical not only for the assessor evidentiary support, but to match documentation to changes in the business and business processes.
5. Be proactive – For those who are in an industry sharing data with business associates providing services to large businesses or government agencies, a SOC 2 Report will be needed at some point. Don’t wait until it is requested. Having an SOC 2 ready when requested demonstrates not only that an organization is mature, but it will likely be easy to work with.
6. Reduce customer questionnaires – As part of the vendor management process, businesses will often send lengthy security and privacy questionnaires. Leverage the SOC Report to avoid filling out these documents. Often, a SOC 2 Report is an alternative to these questionnaires, or an abbreviated questionnaire can be filled out.
7. Leverage the auditor – The audit firm has likely worked with many different clients and probably several in the same industry. They have real-world experience and can reduce the effort on the company’s end.
8. Be honest – Companies should only document what they are doing or can do. Adding controls or information to a SOC 2 Report because “it would look good” or the company “plans to implement it” can lead to a qualification of the report if there is not sufficient evidence to support the statement or control.
9. SOC 2 is not an IT responsibility – IT plays a large role in the execution of internal controls, but much of the information needed for the assessment is business governance. IT doesn’t necessarily know long-term business objectives or risk tolerance. Often, business owners or compliance personnel lead the SOC 2 effort, and are supported by IT, HR, and other departments.
10. Address change – Businesses change, people within businesses change, and policies and procedures change. Ensure all policies and procedures along with the SOC 2 System Description are reviewed annually. Changing these documents is not a bad thing — it demonstrates that the company is monitoring and managing its security and privacy risk.