A survey of state CIOs shows security tops the list of priorities for 2023. To protect the security of your regulatory agency, consider requiring SOC 1 and SOC 2 reports from your service providers. The SOC 1 audit helps you ascertain the reliability of a vendor’s financial processing and reporting. The SOC 2 audit reports on a vendor’s controls related to security, availability and confidentiality. Let’s explore the differences between the two types of SOC report in detail, as well as why these auditing standards matter to your regulatory agency.
SOC 1
SOC 1 auditing helps your agency answer these important questions:
- How do I know my vendor processes renewal credit card fees accurately?
- Are my state financial reports that show the allocation of funds received accurate?
- What happens if some part of the financial system fails? Are there alerts? Logging? Recovery?
- Is the overall environment secure and maintained appropriately?
“The SOC 1 audit looks into these questions and provides a third-party auditor’s perspective of how well your vendor performs these functions,” explains Bill Moseley, CEO of GL Solutions.
Reasons to require SOC 1 from your vendors:
Reporting requirements: Your regulatory agency must meet strict reporting requirements related to finances and security. Requiring SOC 1 reports from your vendors helps ensure compliance with these regulations and shows how your vendor’s controls align with industry standards.
Protecting information: Your agency handles sensitive information, such as confidential records. Requiring SOC 1 reports helps ensure that vendors implement privacy controls to protect your licensees’ sensitive data from unauthorized access.
Public Trust: Requiring SOC 1 reports from your vendors shows your commitment to financial accountability, helping to maintain trust with the citizens your regulatory agency serves.
Audit Processes: SOC 1 reports from vendors provide evidence of the effectiveness of your vendor’s internal controls. That information supports your agency when you go through regulatory oversight.
What your vendors provide for a SOC 1 certification:
To receive a SOC 1 certification, a vendor must thoroughly explain the design of their system, as well as describe how they meet a detailed list of control objectives.
System Description
A vendor must describe how their system processes transactions as related to your regulatory agency’s internal controls for financial reporting. A business describes the software system’s design and implementation to process relevant user transactions, including:
- Types of services provided
- Types of transactions processed
- Procedures for providing those services, such as initiating and processing transactions
- Information used in the performance of those procedures, like related accounting records
- Information involved in authorizing, recording and reporting transactions
- How the system captures and addresses significant events and conditions, besides transactions
- Processes followed to prepare reports and other information for users
- Services performed by other involved organizations, like a cloud hosting company, for example
Control Objectives
Your vendors also explain the methods they use to meet a variety of control objectives. These objectives fall under several categories, including:
- Control environment: Recruiting, hiring and training of company staff and contractors follow documented policies and processes.
- Information and communication: Authorized internal and external users receive information on the design and operation of the system.
- Risk assessment: The company identifies potential threats, analyzes the risks associated with the threats and determines mitigation strategies.
- Monitoring of controls: Controls get monitored on a regular basis.
- Control activities: Periodic assessments evaluate the effectiveness of controls.
- Logical and physical access: Controls protect the information system from unauthorized access, breach or modification.
- System operations: System maintenance is reviewed to maximize uptime, and systems receive regular backups.
- Change management: Systems changes receive authorization, testing and approval, along with proper documentation and implementation.
- Risk Mitigation: Mitigate potential risks, including evaluating vendors regularly.
- Client onboarding: New customers are brought onto the system in accordance with applicable contracts and requirements.
- Client reporting: Controls ensure the accuracy of client reports relevant to financial reporting related to license renewal and application fees.
- Client payments: Record client transactions in an accurate, complete and timely manner.
SOC 2
SOC 2 auditing helps your agency answer these important questions:
- Are my vendors following best practices to protect the data at our regulatory agency?
- Have our vendors implemented the security controls they said they would implement?
- Are the security controls working?
A SOC 2 audit offers your regulatory agency peace of mind that your agency’s information remains secure. The SOC 2 report helps to evaluate the internal controls associated with the systems that make up a vendor’s operations and security. The report reveals the effectiveness of the controls in place related to the confidentiality, privacy and security of your vendors’ systems.
Reasons to require SOC 2 from your vendors:
Data Security Assurance: Your regulatory agency handles sensitive information, especially personal and confidential data. SOC 2 reports focus on controls related to security, confidentiality and data privacy.
Risk Mitigation: By requiring vendors to obtain a SOC 2 audit, your regulatory agency ensures that your vendor’s processes protect your agency from security vulnerabilities.
Controls Assessment: SOC 2 reports offer your agency a thorough evaluation of a vendor’s controls related to security, confidentiality and privacy. The comprehensive assessment makes sure your vendor adheres to the best practices in data security.
Liability Considerations: In some cases, regulatory or legal requirements mandate that vendors undergo third-party assessments, like SOC 2 audits. Requiring these SOC 2 reports ensures your regulatory agency complies with those mandates.
Continuous Improvement: Requiring SOC 2 reports encourages your vendors to continuously improve their data security practices; vendors stay current with the latest security threats and industry best practices—and benefit your agency with their knowledge.
What your vendors provide for a SOC 2 certification:
Description and objectives
Like SOC 1, to receive a SOC 2 certification, a vendor must thoroughly explain the design of their system, as well as describe how they meet a detailed list of control objectives. For each area, such as Control Environment, the audit reviews how your vendors meet that requirement. A detailed report from the auditor lists:
- Objectives the vendor must meet
- Methods your vendor uses to meet the objectives
- Testing procedures of your vendors’ methods
- Results of their testing
SOC 1 versus SOC 2
Trying to decide if you need to ask your vendors for SOC 1 and/or SOC 2 reports? Discover the differences between SOC 1 and SOC 2 and make the best choice for your regulatory agency.
SOC 1 Differences
SOC 1 focuses on financial controls, processing and reporting. Differences include:
- Addresses a vendor’s internal controls relevant to the financials of your regulatory agency.
- Includes control objectives for the provided services.
- Tests all aspects of a service.
- Tests controls for IT and business processes.
According to Eric Staley, Vice President for Administration at GL Solutions, for SOC 1, “they focus on cash handling—that the reporting that the clients use for cash handling remains secure and accurate, and not likely subject to fraud. GL Solutions helps to build financial reports with our GL Suite regulatory software for clients, based on the agency’s specifications. The client compares what the state auditor gives them to what GL Suite reports.”
GL Solutions received a SOC 1 certification on September 1, 2023. According to Bill Moseley, CEO of GL Solutions, “GL Solutions’ auditor found that we meet industry standards, and can prove that our systems, processes, software and controls are designed and executed to deliver sound financial systems for regulatory agencies.”
An independent auditor reviewed GL Solutions and our regulatory software, GL Suite, with relevance to user entities’ internal control over financial reporting. The auditors determined that the reporting that GL Solutions’ clients use for cash handling remains secure and accurate, and not likely subject to fraud.
SOC 2 Differences
SOC 2 reports focus more broadly on availability, security, processing integrity, confidentiality and privacy. According to the article “SOC 1 vs. SOC 2 – How They Are Different & Which Report You Need,” specific differences of the SOC 2 audit include:
- Controls relevant to an organization’s operations and compliance.
- Defined Trust Services Criteria (TSC).
- TSC options include security, availability, processing integrity, confidentiality and privacy.
- Organizations select which TSCs to include in the examination.
GL Solutions’ VP for Administration Eric Staley, who compiled GL Solutions’ SOC 1 and SOC 2 information, describes SOC 2 as: “Policies and controls to ensure that we offer a secure environment for data. They make sure we review current standards, such as NIST 800-53. In addition, they verify we have policies related to those standards and that we follow the policies. In our case, we follow the policies using a system of tasks. I provide them with actual evidence that yes, we in fact conform to the policies.” GL Solutions received their latest annual SOC 2 certification on June 30, 2023.
SOC 2 auditing, developed by the American Institute of CPAs (AICPA), establishes criteria for managing client data according to five “trust service principles.” These are privacy, security, availability, processing integrity and confidentiality. The SOC 2 Type II audit examines the operational effectiveness of company systems designed to comply with the principles. GL Solutions’ audit reviewed system and company controls related to security, availability and confidentiality.
Conclusion
Whether you require the SOC 1 or the SOC 2 audit of your vendors, these internal governance audits help to preserve the integrity of your regulatory agency, keeping data secure for your agency—and the public that you serve. In turn, these SOC reports help to maintain trust in your agency from your constituents, along with those boards that oversee your agency.
Interested in exploring regulatory software from our SOC 1 and SOC 2 certified company? Contact us. We look forward to hearing from you.