The what, why, & how of our SOC 2 audit
In July 2022, OMTI completed its first SOC 2 compliance audit. We received a result of “SOC 2 compliant with no exceptions,” which is the best rating. You can read more about it on our website. You can also request a copy of the audit report.
What a SOC 2 audit is
SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data, especially when that data is managed in the cloud. SOC is short for System and Organization Controls. It provides an independent assessment of a company’s security and privacy controls environment.
The SOC 2 audit OMTI submitted to was a time-based audit conducted to assess that we have proper security policies and protocols in place, that we follow those policies and protocols, and how well we performed in relation to our protocols over a period of time.
Why OMTI got a SOC 2 audit
As Jason Yee, OMTI’s Director of Client Services, explained it, while SOC 2 audits are voluntary, “We did it to give our clients peace of mind that we did our due diligence and we are protecting their data. We were getting security questions from some clients, and we realized the importance of doing this independent audit, so that’s why we did it.”
Even though the majority of our clients haven’t asked for this type of security verification, Jason said, “We are following the trend now. In the future it might become a requirement because everything is becoming cloud based. Every SaaS vendor should have this.”
Jason’s plan is to do these annual SOC 2 audits for 3 years to see how we do according to a third party assessment. We will also monitor how our clients feel about this type of security verification and what other developments there are in this new area to see if we will continue SOC 2 audits or change to a different process.
And while these audit reports might help us get new clients, ultimately it will be whether our regular clients want this outside verification that determines if we continue SOC 2 or similar audits.
How the audit was conducted
At the beginning of the audit, we reviewed our policies and procedures. While it didn’t necessarily change how we did things, we found some gaps in our documentation, which we had to fill according to the audit guidelines. The things we had to document ranged from updates to our employee policies, to lists of the tools our developers use, to how we monitor and manage third-party services. In addition to making sure we had complete policies for all areas of our business, we also had to prepare evidence to prove to the auditors that we were “walking the walk.”
There are 2 types of SOC 2 audits. One is a snapshot of a point in time to see if a company has all of the appropriate security policies. OMTI submitted to the other type of audit, which tracks the company over a period of time to see if it not only has policies and procedures but is also following them. The audit period included both our internal review and time for the auditors to review our policies and test our procedures.
Future audits could potentially be as time consuming: “Every year we have to make sure we have reports and systems to tell us when something is wrong,” Jason said. “We have to supply evidence to show the auditors that we are following the policies we made and fixing any vulnerabilities we discover.”
We are glad that there is a process for verifying that OMTI is handling our clients’ important data in a secure manner. Cloud computing offers a lot of benefits, but no one wants to risk their data. Security was a top concern when we moved RB and MR to the cloud, and this audit proves that we are successfully meeting that concern.