Roberts is officially SOC 2 Type 1 compliant and we are working towards becoming SOC 2 Type 2 compliant soon!
What is a SOC 2 report and why are we on the journey to be SOC 2 Type 2 compliant?
THE WHY:
As part of our Lean Thinking initiative, we are working towards full standardization of all our processes.
We are committed to offering innovative, high-quality mailing services to our clients. To do this, we understand that we will be handling sensitive data on their behalf. For this reason, we have embarked on a journey of improvement to prove that we are able to offer these trust-based services.
A SOC 2 report follows a set of criteria to examine whether our controls are effective in delivering trust-based services to our clients. It allows our clients to trust that we can handle their data in a safe and secure manner.
The process will be in two stages:
Stage 1: Stage one is complete. We are SOC 2 Type 1 Compliant.
Stage 2: Once we have passed our SOC 2 Type 1 audit, we will embark on SOC 2 Type 2 compliance. This takes 9-12 months – our goal is to be SOC 2 Type 2 compliant by Q4 2024.
THE WHAT:
A System and Organization Controls (SOC 2) report is a formal audit of a service provider’s controls.
A SOC 2 report focuses on objectives that affect operational and non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system.
A SOC 2 report must include at least one of the following five AICPA Trust Services Principles:
- Security – The system is protected against unauthorized physical and logical access.
- Availability – The system is available for operation and use as agreed upon.
- Processing Integrity – System processing is complete, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected as agreed upon.
- Privacy – Personal information is collected, used, retained, disclosed, and/or destroyed in accordance with established standards.
In addition to the Trust Services Principles, a SOC 2 report may also include criteria defined by management, industry standards, or third parties. Such criteria must have these basic characteristics:
- Objectivity
- Measurability
- Completeness
- Relevance
THERE ARE TWO TYPES OF SOC 2 REPORTS – OUR GOAL IS TO BE SOC 2 – TYPE 2 COMPLIANT
Type 1: The Type 1 report informs your clients and their auditors that your organization has accurately described its systems and controls, that the described controls are in place, and that the controls are designed to accomplish your financial control objectives. This type of report reflects an organization’s controls as of a specific date in time.
Type 2: The Type 2 report, in addition to providing the same information as the Type 1 report, verifies that the controls are operating as intended, describes the tests your auditors performed to make that determination, and provides the results of those tests. This type of report reflects an organization’s controls over the course of a specific review period.
THE HOW:
We have engaged Control Logics, a Tampa-based licensed CPA firm that provides compliance, assurance, and internal audit services, to assist us through this process. We have a highly energetic and committed team in place at Roberts to make this happen.