SOC 2 COMPLIANCE
SOC FOR SERVICE ORGANIZATIONS
Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
WHAT IS SOC-2?
Developed by the American Institute of CPAs (AICPA), SOC 2 Compliance is a component of Service Organization Control reporting platform, which defines criteria for managing customer data based on five “trust service principles”:
- Processing Integrity
SOC 2 is both a technical audit and a requirement that comprehensive information security policies and procedures are not only written, but they are implemented and followed.
SOC 2 | SOC FOR SERVICE ORGANIZATIONS
Trust Services Criteria
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
A type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports are restricted.
SOC AUDITOR’S REPORT
Independent Service Auditor’s Report on a Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of Controls Relevant to Security, Availability, and Confidentiality
In our opinion, in all material respects —
a. the description presents BKM’s integrated marketing solutions and systems that was designed and implemented throughout the period July 1, 2019 to June 30, 2020 in accordance with the description criteria.
b. the controls stated in the description were suitably designed throughout the period July 1, 2019 to June 30, 2020 to provide reasonable assurance that BKM’s service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated effectively throughout that period, and if the subservice organization and user entities applied the complementary controls assumed in the design of BKM’s controls throughout that period.
c. the controls stated in the description operated effectively throughout the period July 1, 2019 to June 30, 2020 to provide reasonable assurance that BKM’s service commitments and system requirements were achieved based on the applicable trust services criteria, if complementary subservice organization controls and complementary user entity controls assumed in the design of BKM’s controls operated effectively throughout that period.