Data Security Audits in the ARM Industry
There are several types of audits common to the accounts receivables management (ARM) industry. In particular to data security audits, SOC and PCI compliance are two of the most common. In this article, we will provide a high-level overview of these terms and what they mean.
What does SOC mean?
SOC in this context stands for Service Organization Controls or System and Organization Controls (sources vary). Clients may request SOC reports as a standard of vetting new partners and auditing ongoing business relationships. SOC in the IT context can also refer to a Security Operations Center, which is sometimes the name of the team an organization uses to ensure security controls are in place and carefully monitored.
Several key industries must have strong security operations management as a cornerstone of operations including the payment card industry (PCI), healthcare, manufacturing, financial services, government agencies, and education. Data security audits ensure that the systems and controls used internally are effectively keeping sensitive data secure.
What is a SOC audit?
According to the American Institute of CPAs (AICPA), SOC audits can include 3 separate categories of reports: SOC 1, SOC 2, and SOC 3. Further, in both the SOC 1 and SOC 2 categories, there are Type I and Type 2 reports, increasing the possible SOC iterations and variants you may hear about. An organization may be audited according to one or more of these reports.
SOC 1 and SOC 2 are most common in the ARM industry. Auditing is a standard part of ensuring compliance in the ARM industry (and many other industries). Compliance standards serve to make the industry and the organizations within it stronger and safer for all involved.
What is SOC certification?
The result of a SOC examination is to obtain certification from an independent auditing firm. The purpose is to demonstrate adherence to the security standards set forth in the SOC frameworks. To maintain the certification, audits must continue annually. Unlike legal compliance standards, however, SOC compliance is not legally mandated. Certification is voluntary.
What’s the difference between SOC I & SOC II?
SOC I reports are focused on an organization’s internal controls surrounding safe, secure handling of financial information and financial reporting systems. SOC 1 reports may also be referred to as SSAE 16 reports because they are based on the Statement on Standards for Attestation Engagements (SSAE) number 16, Reporting on Controls at a Service Organization, developed by the Auditing Standards Board of the AICPA.
SOC 2 reports are focused on the Trust Services Criteria as put forth by the AICPA. This report is focused on a broader look at IT security and privacy controls. A SOC 2 Type I audit ensures the controls are in place, while a SOC 2 Type II audit takes a longer view and ensures the controls are effectively implemented over time. Keep in mind, these are highly simplified explanations. Many organizations even work with outside compliance specialists to get into the advanced details of these standards and how they apply to internal controls.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standards. These standards for the secure handling of payment processing and transaction information were developed by the Payment Card Industry Security Standards Council (PCI SSC). Becoming compliant can be less complex for organizations that do not store payment card information, but any organization that qualifies as a merchant must adhere to PCI compliance standards. Compliance is mandated by contracts with the payment card brands and banks that handle payment processing, however, and not by the law.
PCI compliance can be part of the reason why some organizations route payment processing to a 3rd party credit card vault, especially for recurring payments where data storage is necessary. PCI compliance is necessary for any organization that accepts, transmits, or stores any cardholder data. Some aspects of SOC 1 compliance and PCI compliance overlap, so these two frameworks are sometimes audited at the same time.
Part of protecting consumers includes ensuring all consumer data is handled and stored with meticulous security measures. As a recap, SOC standards were developed by the American Institute of CPAs, and PCI standards were developed by the Payment Card Industry Security Standards Council.
Not discussed here but also relevant to some ARM organizations– particularly those servicing medical debt– are HIPAA data security standards, which were developed by the Health Insurance Portability and Accountability Act of 1996 and continue to be refined by additional legislation over time.
For official information about PCI compliance, please visit pcisecuritystandards.org. For official information about SOC auditing and compliance, please visit aicpa.org.
About Receivables Info
The ReceivablesInfo team is led by receivables management industry veterans who wanted to create a website for the industry, by the industry. Their goal is to provide a voice to high-quality debt buyers, collection agencies, law firms, and industry veterans to share information about their businesses and their place within the marketplace and the community. The website provides relevant news alerts, articles, videos, and other receivables-related information to industry partners and colleagues around the industry and the globe. Receivables Info is also home to financial education resources for consumers through series like Money Chat.
The information contained in this article is meant to serve as general guidance for entry-level to mid-level ARM industry professionals and is not meant to serve as comprehensive business, legal, or financial advice.