21 November 2014 / Blog
The Value of Service Organization Control (SOC) Audits to Velocity Customers
By: Tricia Shippee
Tricia Shippee is Velocity’s Senior Director of Governance, Risk, and Compliance (GRC). She has held leadership roles in Customer Support and GRC at service organizations.
For years now, the American Institute of Certified Public Accountants (AICPA) has been developing standards and conducting audits at the request of service provider organizations, such as Velocity. The purpose is to provide customers of service organizations with objective attestation of the provider’s operations: “As companies take advantage of new technologies, such as cloud computing, and increasingly outsource functions to service organizations, these companies are requesting information and assurance that will enable them to assess and address the risks associated with an outsourced service.” (AICPA Press Release on SSAE 16)
The standards have evolved over time: they were first known by many as SAS 70 audits, more recently as SSAE 16 (Statements of Standards for Attest Engagements No. 16), and have now expanded to other standards, such as AICPA Audit Standard AT101, Attest Engagements.
Velocity has participated in SOC 1 audits for a number of years, and we are pleased to announce that we have successfully completed our first SOC 2 audit.
What are SOC 1 and SOC 2 audits? For context, “SOC” refers to “Service Organization Controls” in AICPA parlance.
The SOC 1 controls follow the AICPA Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and are relevant to report users’ financial statements. The controls are defined by the Service Organization and then audited by an accredited firm. For Velocity, the SOC 1 controls include Incident Management, Application Development, Change Management, Physical Access and Environmental Safeguards, User Access Administration, Network Security, and Backup Processing.
The SOC 2 controls follow the AICPA Audit Standard AT101, Attest Engagements, and are defined by AICPA under a set of Trust Principles. Velocity’s SOC 2 report includes the security, availability and confidentiality controls, a robust set relative to the scope of many SOC 2 reports in the marketplace.
Velocity participates in these audits because their output is valuable for our customers:
- Because Velocity’s operational procedures are being audited by an objective third party, our customers can be reassured that our processes meet defined industry standards. It provides additional attestation that Velocity is doing what it says it is doing: “Trust but verify.”
- By giving our customers access to Velocity’s SOC reports, we make it easier for our customers to address their own financial and compliance reporting requirements.
- Velocity is always looking for opportunities to enhance and innovate the capabilities we provide. By regularly participating in these audits, we are not only continuously reviewing our procedures to ensure they are working as expected, but also finding new ways to streamline current processes or adapt them to changing market conditions.
SOC audits engage many groups within our organization, and successful completion is a true demonstration of how Velocity team members, processes, and technologies come together to provide our customers with a positive user experience. Not every service organization is willing to subject itself to such scrutiny, but Velocity has always believed that transparency is essential to maintaining a strong partnership with our customers.
If you have further questions about SOC audits, please do not hesitate to contact your Velocity representative.