SOC2, no it’s not the argyle one you’ve been missing

Many of our clients are marketers. We work closely with CMOs, marketing directors and other direct marketing professionals.

Recently, many of them have been approached by folks “on the other side of the building” with unusual questions about vendor compliance. These questions typically involve a request for vendor partner reports with strange acronyms and funny names.

“I thought I was in marketing. Then our internal auditor asked if our direct marketing partner was compliant and wanted a copy of your AICPA SOC 2?”

It’s OK. They ask for a good reason, and it should be your concern as well.

Internet security breaches are on the rise and involve some of the most prominent companies in the world. Many organizations demanded new standards for auditing service organizations’ internal controls.

Service providers have access to your highly sensitive data, processes and information, and you need assurance that they have adequate controls in place to safeguard these assets.

The American Institute of Certified Public Accountants (“AICPA”), which provides the guidance and attestation standards for reporting on controls at service organizations, has introduced new standards for that reporting. The more commonly known SAS 70 reports are no longer valid reports on internal controls for service organizations.

There are two primary types of new reports, referred to as Service Organization Controls (“SOC”) reports.

A SOC1 report is the report used by clients and their auditors to plan and perform an audit or integrated audit of the client’s systems that impact their financial statements.

A SOC2 report is the report used by clients or stakeholders to gain confidence and place trust in a service organization’s systems. The SOC2 report is intended to meet the needs of a broad range of users who need information and assurance about the controls that affect the security, availability, and processing integrity of the systems used to process data and the confidentiality of the information processed.

The SOC2 report is more comprehensive than a SOC1 report and reflects all the internal controls that would be relevant to a SOC1 audit with additional controls included related to the security, availability, processing integrity, and confidentiality of your data.

So now you’ll know exactly what your internal auditor means and you won’t have to search for a missing SOC.

But you might want to check with your direct marketing partner, and ask if they can find theirs.