Credit unions need to demand that their cloud-based service providers regularly assess their operations.
The Service Organization Control (SOC) assessment has emerged as the de facto standard across all industries for evaluating these providers. It’s important for credit unions to understand what they are, the differences between the various types, and most importantly, how some vendors might try to fool you.
There are three types of SOC assessments. The first, SOC 1, looks at controls at a service organization relevant to the provider’s internal control over financial reporting. It focuses on a description of a service organization’s system and on the suitability of the design of its controls to achieve the related control objectives as of a specified date.
The second form of assessment considers a cloud vendor’s controls based on the trust principles of security, availability, processing integrity and data confidentiality. There are SOC 2 Type 1 and Type 2 assessments. The SOC 2 Type 1 examines controls as of a specific point in time and establishes the basis for the SOC 2 Type 2 report. The SOC 2 Type 2 audit evaluates the suitability, design and operating effectiveness of controls over a period of time.
The third report, SOC 3, covers the same topics as a SOC 2 Type 2 report, serving as something of an executive summary of the SOC 2 Type 2. It furthermore provides assurance that the auditor has issued an unqualified opinion, meaning an opinion without caveats, affirming that the evaluated provider has met all SOC 2 Type 2 requirements.
The SOC 2 Type 2 is by far the most relevant type of audit for a software provider that delivers its services via the cloud and handles consumer data. It provides independent attestation that the vendor’s systems and controls adhere to the latest standards for the protection of client data. Any credit union considering cloud-delivered products should insist on the availability of a SOC 2 Type 2 and SOC 3 report.
The process of maintaining a current SOC 2 Type 2 certification is a continual cycle of data collection and analysis. When one audit period ends, the next audit period begins. It then falls on the credit union to ensure that all of its cloud-based vendors are performing SOC 2 Type 2 evaluations on a regular, ongoing basis. Anything less should be considered unacceptable.
Although the National Credit Union Administration does not specifically require SOC evaluations from cloud providers, every credit union should. This is the current, industry-standard means to ensure that a cloud provider is living up to its commitment to safeguard your operations and your data.
Even worse than a company without a SOC 2 or 3 is a company that attempts to pass off another firm’s SOC evaluations as its own.
This is unfortunately more common than one might think. For example, a cloud-based software vendor might use Microsoft Azure as its cloud hosting provider. In this situation, it is not uncommon for the vendor to present Microsoft’s Azure SOC 3 report to satisfy the credit union’s request for this information.
Be clear on this one point: A third-party cloud hosting provider’s SOC evaluations, while extremely important in their own right, do little to ensure the safety, security and stability of a cloud software vendor’s product. Knowing that the host company has invested in SOC assessments is helpful, but it’s no substitute for a vendor performing its own SOC assessments.
Credit unions also should beware of vendors that claim to be “certified” when in fact this claim of certification is based on an outdated standard.
The Statement on Auditing Standards No. 70 (SAS 70) and the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) are both outdated standards. The current standard – the one that includes provisions for the SOC evaluations discussed here – is the Statement on Standards for Attestation Engagements No. 18 (SSAE 18).
Unfortunately, some cloud vendors still talk about SAS 70s and SSAE 16s as if they’re relevant. They’re not. Any cloud vendor discussion of adherence to these legacy standards should serve as a red flag to the credit union.
SOC assessments set the standard for due diligence evaluations of cloud-based software providers. To ensure the safety and integrity of their systems, credit unions should insist on SOC 2 Type 2 and SOC 3 assessments from every cloud-based vendor with which they do business.