In 2022, our world is data-centric. In every part of our lives, decisions are made based on data. From reviews on products for personal use to in-school district decisions – our world is data-centric. It is more important than ever for the data we transmit, collect, and house to be adequately and appropriately stored. This adequacy is not something that eScholar takes lightly. That is why we put forth the effort to be Service Organization Controls (SOC) compliant. A Certified Public Accountant firm can only conduct the audit.
SOC Reporting – Some Background
SOC reporting has not always been known as SOC reporting, and its original compliance was not what we know today. SOC’s predecessor was created out of the need to “gather evidence on internal controls of a service organization (SO) in which those controls were associated with the delivery of a service that was (and is) related to the financial reports and impacted the financial statement to a material degree.”
From the ISACA, we learn that the original SOC report was known as a SAS 70 audit. The SAS 70 audit was designed to describe how companies report their financial data and the controls that were related to those financial reports.
Shortly after the SAS 70 audit was first implemented, unexpected marketing and service value was found: “service providers (especially entities such as data centers, cloud computing companies, flexible spending account vendors, banks and retirement account vendors) found that when they called on prospects, the primary concern was one of security (i.e., controls). Thus, a SAS 70 became a valuable marketing tool to show businesses that the user had sufficient controls about which the prospect could be comfortable and could gain an adequate assurance of the level of security being provided.”
This source of external accountability that proved high control measures quickly began spreading and being used as control assurance in many fields of business. That is when many issues with the SAS 70 began arising; the framework SAS 70 provided didn’t necessarily address the scope of every industry, nor did it provide standardized controls for the data – that is when SOC reporting was born.
Today, there are three levels of SOC reporting:
SOC-1: Reports on Controls at a Service Organization regarding Financial Reporting. This means that it reports on what controls an organization implements regarding its finances.
SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. A SOC 2 report, Overall, Type 1 and Type 2 reports are similar, but a Type 2 report is considered more rigorous, as it requires an audit over the course of at least six months.
SOC-3: Trust Services Report for Service Organization. SOC Type 3 is an updated and revised version of the former SysTrust and Privacy documents. “This report type is intended to meet the needs of users who want assurance on the controls at an SO, such as confidentiality, availability, processing integrity (again, the conventional information security triangle), security and privacy, but who do not have the need for or the knowledge necessary to make effective use of a SOC-2 report.
So what exactly does this mean for YOU and eScholar CDW™?
Since 2018, the eScholar CDW solution has been SOC certified; since 2019, we have maintained SOC 2 Type 2 compliance. This means the eScholar CDW reflects the highest standards for privacy and security based on SOC 2 Type 2 requirements.
eScholar is committed to continuing with the SOC 2 Type 2 certification process because we know how critical the data that the eScholar CDW™ enables our clients to collect is. The sensitivity and reliability of safety standards for our client’s data is of the highest importance at eScholar. As you’re considering eScholar and other vendors to provide solutions that enable you to manage your data, ask what organizational controls they have in place to manage Security, Availability, Processing Integrity, and Confidentiality/Privacy.
Click the link below to request more SOC Type 2 Information!
Oops! We could not locate your form.
