
Requests Increase for Vendors to Provide Security and Controls Transparency


As Seen in BizTalk in the St. Louis Business Journal

Tracked data breaches in the U.S. in 2015 totaled 781, the second highest on record since 2005, according to the Identity Theft Resource Center. It is no wonder then that security, specifically cybersecurity, is top of mind for boards, management and regulatory organizations. That rising concern is causing increased requests and pressure for businesses and vendors to provide more transparency into their security and controls.

Remain a Trusted Vendor

Within the health care industry, for example, organizations are beginning to require their business associates and service organizations to provide this information through specific questionnaires or assessment documents. Claims management and processing companies, printing and mailing businesses, customer call centers and IT data centers, among others, may receive tens or hundreds of these requests annually. While it takes significant time and effort to complete these requests, the alternative is to risk losing your position as a trusted vendor.

If your organization is receiving requests from your customers via security or controls questionnaires and/or letters requiring you to complete some type of internal controls audit, you can benefit by having a SOC 2 report completed on your organization. SOC 2 reports are intended to meet the needs of a broad range of users — from a small manufacturing company to an international financial services business — that need information and assurance about the controls at a service organization.

Benefits of a SOC 2 Report

There are many benefits for business associates and service organizations to utilize a SOC 2 report aligned to the Common Security Framework (CSF) requirements. These benefits include:

  • Save internal time — A SOC 2 report can significantly reduce the time personnel spend on responding to the numerous requests you receive.
  • Decrease costs — The report reduces the number of audits that your organization undergoes to meet a customer’s request.
  • Standardize delivery — Recipients of the report will recognize the AICPA standard reporting format.

In addition to these specific benefits for your customers, enhancing your control environment can help reduce risks throughout your organization. Plus, an organization that proactively shows the transparency of its security and controls will likely have a competitive edge in the market.

What is a SOC 2 Report?

A SOC 2 report focuses on the controls that affect the security, availability and processing integrity of the systems a service organization uses to process users’ data. These reports also cover the confidentiality and privacy of the information processed by these systems.

Why Utilize a SOC 2 Report Aligned to CSF?

In December 2015, the American Institute of Certified Public Accountants (AICPA) announced it had collaborated with the Health Information Trust Alliance (HITRUST) to develop an illustrative SOC 2 report that met the applicable trust services criteria and the HITRUST Common Security Framework (CSF) requirements.

HITRUST established the CSF requirements for use by organizations that create, access, store or exchange personal health and financial information. The SOC 2 report enables a service organization to communicate information about its processes and procedures used to meet the HITRUST CSF requirements. These reports also enable service organizations to communicate information about their applicable trust services criteria relevant to security, availability and confidentiality, increasing transparency and providing information for decision making.

Greg S. Smith, CPA

If you have questions about SOC 2 reporting, or to learn more about SOC 2 reports or other security controls, fill out the adjacent form or contact Greg Smith, Principal, Advisory Services, at 314.983.1306 or

