SOC 2 Compliance - A Measure of our Commitment to Information Security and Customer Service
Business professionals around the world are continuously learning about the importance of information security and cybersecurity and the need to protect the physical, digital, and information assets used to successfully conduct business.
As accounting and business professionals, and trusted advisors, we are responsible for ensuring our clients are informed of all information that is most advantageous to the success of their business, including topics concerning information technology (IT), information security, and cybersecurity. Information technology, and the threats, vulnerabilities, and risks that are associated with the use of IT, has changed the way the world conducts business rapidly and continues to grow and change every second.
A System of Trust and Confidence
Accounting and business professionals are valued service providers and we must be accountable for protecting the information that we are trusted with using to provide our services, especially due to the sensitivity and confidentiality of the information we use to deliver our service. Karbon is no exception, get it - “exception”, to this requirement. We must be accountable for the protection of your information, since you are trusting our platform to store and manage your client data. It’s a trust system. Your clients trust you with their information, you trust us with this information, everybody trusts everybody. While that is not a direct quote from the movie, thinking of the Godfather’s voice does add some depth to the importance of being trusted with our client’s information.
At Karbon, protecting your data is a part of our company culture. We understand the importance of ensuring your data is secure when you place it within the boundaries of our platform. In our efforts to communicate the quality of our internal policies, procedures, and processes implemented to protect your information, we have added SOC 2 compliance to our objectives for continued security for our platform.
What is SOC Report?
There are many organizations in the world that have standards for appropriate safeguarding of information. The American Institute of Certified Public Accountants (AICPA) is a non-profit organization that provides oversight and representation for the Certified Public Accounting (CPA) profession, including the enforcement of compliance with the profession’s technical and ethical standards. One of the many standards that have been developed and issued by the AICPA include standards for Systems and Organization Control (SOC) reporting.
There are several types of SOC reports that can be issued by a CPA performing a SOC examination (e.g. SOC 1, SOC 2, SOC 3, SOC for Cybersecurity). Management of service organizations, like Karbon, make the decision on the type of SOC report that is required for their organization and the users of their system and service offerings.
The AICPA has developed and issued criteria, TSC’s, for CPA practitioners to use as a standard for evaluating the internal controls (i.e. policies, procedures, processes, systems, and people) implemented by companies that are providing services to other businesses, service organizations (like Karbon, a service organization).
CPA’s that have completed an examination of internal controls for a service organization based on these TSC’s issue a Systems and Organization Control (SOC) report to provide a professional opinion the design and operating effectiveness of these controls. This opinion provides assurance (i.e. confidence) to the customers of service organizations (e.g. Karbon customers) that the service organization has implemented controls within their company to adequately safeguard your data.
SOC 2 Reports
A SOC 2 report is issued to a service organization as a result of a completed examination performed by an independent CPA. The SOC 2 report includes a description of the system provided by the service organization, including the design, implementation, and, in the case of a Type 2 report, operation of the people, processes, and technologies in place to achieve the service commitments and system requirements of the service organization. The SOC 2 examination and the resulting SOC 2 report are performed and issued based on the description criteria and trust services criteria established by the AICPA.
Description Criteria and Trust Services Criteria
The system description included within the SOC 2 report is prepared to communicate the definition of the system, types of services provided to system users, boundaries of the system, technical components of the system, processes implemented around the system and its operation, and other relevant information needed for system users to make informed decisions based on the results of the SOC report. The description criteria issued by the AICPA for the performance of SOC examinations includes the requirements for the management of the service organization to document the system description included within the SOC 2 report. Trust Services Criteria (TSC’s) are standards that include categories and guidance for implementing appropriate safeguards for system or service delivery. When deciding the requirements for the SOC 2 report, management can select from 5 categories within the TSC to include within the report, which include: Security, Availability, Confidentiality, Processing Integrity, or Privacy. Management is not required to include all 5 categories within their SOC 2 report; however, every SOC 2 report must include the Security category at a minimum.
For a SOC 2 examination, the system description is documented based on the description criteria and the trust services criteria established by the AICPA, based on the trust services criteria that management has determined to be applicable and appropriate for communicating service commitments and system requirements to system users. The selected categories are also used by the external CPA (i.e. service auditor) when evaluating the service organization’s environment. Service commitments and system requirements include assurances, made by management, to system users in connection with the use of the system and its services. Further, the SOC 2 examination that is performed by the service auditor is conducted based on these TSC categories as well.
Trust Services Categories Overview
Trust services categories include the categories that reflect the service organization’s service commitments and system requirements, for the system and services offered to the system users. The following includes a description of the five trust services categories that can be included within a SOC 2 report:
- Security - Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability - Information and systems are available for operation and use to meet the entity’s objectives.
- Confidentiality - Information designated as confidential is protected to meet the entity’s objectives.
- Processing Integrity - System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Privacy - Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The SOC 2 Examination Process
The AICPA requires that an independent CPA, the service auditor, perform SOC 2. examinations and issue SOC 2 reports. SOC 2 examinations require planning by the service auditor to properly perform procedures needed to evaluate the system description (documented by management) and internal controls of the service organization (implemented by management) and reasonably determine if these controls are meeting the TSC standards.
Procedures performed by service auditors to conduct a SOC 2 examination include:
- Inquiry of management and process owners
- Inspection of documentation and artifacts
- Observation of processes
- Re-performance of processes
- Analytical procedures
Management of the service organization cooperate with the service auditor to deliver requested information and evidence artifacts needed by the service auditor during the examination. In addition, the service auditor conducts meetings with process owners and management personnel to understand the evidence artifact and internal control processes implemented by the service organization to demonstrate the successful operation of internal controls and adherence to SOC standards.
The examination process can take one to three months to complete; however, the timeline for its duration depends on the circumstances of the SOC examination that is being performed. Factors that can impact the duration of the SOC 2 examination vary, but a few of them include:
- Service Auditor Selection and Methodologies
- Planning Activities
- Cooperation from the Service Organization
- Scope of Examination, including applicable TSC categories
- Nature and Complexity of the Service Organization’s System and Environment
- Internal and External Business Factors
Upon the completion of the SOC 2 examination, the service auditor issues a final SOC report to the service organization. Included within the SOC report is the service auditor’s opinion on the operation and/or design of the service organization’s internal control operations in accordance with the SOC standards and defined TSC categories, depending on whether the SOC report is a Type 1 (design only) or Type 2 (design and operation) report.
The final report can be shared with the users of the service organization’s system users to communicate the service commitments and system requirements for the service organization’s system.
Type 1 vs. Type 2
There are two types of SOC 2 reports that can be issued for a service organization:
- Type 1 - This report provides the service auditor’s opinion on the design of internal controls within the service organization. The opinion included within the Type 1 report does not include an opinion on the operation of the controls included within the service organization’s environment, it only speaks to the design of the controls (i.e. management has implemented internal controls, but the service auditor has not evaluated the operation of the controls).
- Type 2 - This report provides the service auditor’s opinion on the design and operation of internal controls within the service organization.
The Service Auditor’s Opinion
Included within the final and issued version of the SOC 2 report is the service auditor’s opinion on the operation and/or design of the service organization’s internal control operations in accordance with the SOC standards and defined TSC categories. This opinion is important to the users of the service organization’s system because it communicates an independent, unbiased, conclusion on the state of internal controls within the service organization. This opinion, in short, communicates whether these internal control processes are “good” or “bad”; however, the actual opinion is not communicated in this manner.
Service auditors have a few types of opinions (i.e. conclusions) that may be issued as a result of a SOC 2 examination. These opinions include:
- Unqualified - This is a “clean” or “good" opinion. It states that the service auditor’s examination collected sufficient evidence and did not find any material (i.e. significant) misstatements or misrepresentations, meaning the contents of the report reflect an accurate state of the system and environment, within reason. Please note the following regarding the unqualified opinion:
- The term "within reason" is mentioned because a service auditor can provide no absolute assurance to the accuracy of the state of the environment, due to inherent limitations that restrict the auditor’s ability to provide an absolute level of certainty.
- An unqualified opinion does not mean that the examination did not find any issues. An unqualified opinion states that the service auditor did not identify any significant issues that would misinform the reader/users of the SOC report.
- Users of the SOC report should read the entire SOC report to identify any audit findings noted by the service auditor, which are typically listed within Section 4 or Section 5 of the report. _(Note: Type 1 examinations do not typically include audit findings since they only include an evaluation of design.) _
- Qualified - This opinion is similar to an unqualified opinion; however, the service auditor has identified areas within the environment or circumstances during the examination that warrants explicit mention within the report to provide transparency and inform the reader of the report.
- Similar to the unqualified opinion, qualified opinions may include audit findings. Users of the report should read the report entire report o identify any audit findings identified during the SOC 2 examination.
- Adverse - This opinion is essentially a “bad” opinion. An adverse opinion is the most unfavorable of all opinions issued by the service auditor. This opinion states that there were significant issues identified during the SOC examination, based on the procedures performed by the service auditor.
- Disclaimer - This opinion states that the service auditor was unable to issue a professional opinion due to limitations that impacted the auditor’s ability to complete a fair examination. A disclaimer of opinion can be issued due to various reasons, some include a lack of evidence, lack of cooperation from management, etc.
SOC 2 Benefits and Users of the Report
The users of the report include all individuals and businesses that read the issued SOC 2 report and make decisions based on the contents of the report. The SOC report is a valuable report for report users because it communicates an independent, unbiased, professional opinion on the state of the service organization’s internal control environment and ability to meet their service commitments and system requirements. Having an independent professional opinion, and a description of the testing procedures and results, provides users of the report with transparency that will allow them to make informed decisions.
Karbon’s SOC 2 Journey
Karbon is committed to delivering the most robust, professional, and secure experience to our customers. In 2021, we successfully completed a SOC 2 Type 2 examination. The SOC 2 Type 2 report certifies that the Karbon application complies with best practices for security, availability, and confidentiality according to standards set by the American Institute of Certified Public Accountants (AICPA).