Do you know what SOC Compliance is and why it is important that your eClinical vendors have one?

When evaluating a vendor, especially a technology vendor, certain items are expected like security and compliance. One of the ways to ensure a vendor is secure and compliant is being SOC 2® Type II certified. As our annual SOC 1® & SOC 2® recertification process completed successfully over the summer, I thought it would be a good idea to explain what these certifications mean and why they are important for any technology vendor.

What is SOC? SOC stands for “System and Organization Controls,” which is a suite of reports from the American Institute of Certified Public Accountants’ (AICPA) that CPA firms issue in connection with system-level controls at a service organization. There are two main types of SOC: SOC 1® - Report on Controls over Financial Reporting SOC 2® - Report on Controls over information systems relevant to security, availability, processing integrity, and confidentiality or privacy. Many recognize SOC 2® as the worldwide standard for secure and confidential information handling. SOC audits are conducted by third-party service providers, and a report is presented following the audit. At Fountayn, we use Skoda Minotti to perform both SOC 1® & a SOC 2® Type II audits annually.

What is the Difference between a Type I and a Type II in a SOC Report? Not only are there different types of data reviewed, but there are also different types of exams that can occur: Type I – the report and review is of a point in time, a specific date Type II – is a report that covers a period that is typically twelve months A Type II SOC audit effectively addresses the same subject matter as a Type I SOC engagement; however, a Type II SOC report goes further in that it contains an opinion on the operating effectiveness of controls over time and provides a detailed description of the tests of controls performed by the service auditor as well as the results of those tests. The results of those tests will indicate whether the test performed without exception or else the exception noted will be documented in the service auditor’s report.

Why is a SOC audit important? SOC Certifications provide an independent assurance that the technology is safe and secure. We at Fountayn take the safety and security of our platform seriously and choose to go through the SOC certification process to give ourselves and our clients peace of mind that their data is protected.

SOC 1® Type II reports are important components of Fountayn’s internal controls over financial reporting for purposes of complying with laws and regulations, such as the Sarbanes-Oxley Act, and our corporate auditors as they plan and perform audits of our financial statements. SOC 2® Type II reports are important because it involves testing of Fountayn’s controls included examination of our policies and procedures regarding network connectivity, firewall configurations, systems development life cycle, computer operations, logical access, data transmission, application change control, information security, data communications, backup and disaster recovery, and other critical operational areas of our business. Upon completion of the audit, Fountayn received a Service Auditor’s Report with an unqualified opinion (which means the audit report was clean) demonstrating that our policies, procedures, and infrastructure meet or exceed the stringent criteria. The successful completion of this voluntary engagement illustrates our ongoing commitment to create and maintain a secure operating environment for our clients’ confidential data.

Are all of your vendor’s SOC 2® Type II certified? If you don’t know the answer, we recommend you verify they are…..or better yet schedule a demo with us and let us show you why you should be using Fountayn! Are there certifications or processes you know your vendors need but not sure why? Send us an email or contact us so we can answer your questions in a later blog!