The SOC 2℠ report replaces the SAS 70 and SSAE 16 certifications and reports on management’s description of a service organization’s system and on the suitability of the design and operating effectiveness of its controls.
The certification involved the auditing of CASO’s controls that are in place relevant to:
- Security – The system is protected against unauthorized access (both physical and logical);
- Availability – The system is available for operation and use as committed or agreed;
- Processing Integrity – System processing is complete, accurate, timely and authorized;
- Confidentiality – Information designated as confidential is protected as committed or agreed;
- Privacy – Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants. [The criteria in GAPP are the same as the criteria for the privacy principle in TSP section 100.] Use of a SOC 2℠
SOC 2℠ is the authoritative guidance that allows service organizations, such as CASO, to disclose their control activities and processes related to operations and compliance to their customers and their customers’ auditors in a uniform reporting format.
The SOC 2℠ Type 2 Report includes a description of the security and availability processes of the organization and offers comprehensive reviews and tests of CASO’s controls.
Richard Tamaro, CASO’s CEO, knows the certification goes a long way toward showing CASO’s future and current customers that it provides the best service and security in the industry: “The SOC 2℠ certification allows CASO to ensure that its customers are getting the best document management solutions in the industry. CASO has long contended that it takes the responsibility of handling customers’ data seriously, and this certification only solidifies our dedication to customers first.”
CASO retained the services of The Moore Group to perform the audit.