4 Steps Payment Facilitators Should Take to Create a SOC 2 Report

March 25, 2021

30-Second Summary:

  • The Main Takeaway: The SOC 2 report is an essential component for helping payment facilitators build a solid compliance framework.
  • Impact on Your Business: The SOC 2 report enhances your credibility in the eyes of current and future customers, and demonstrating your compliance can help you grow your business.
  • Next Steps: There are four preliminary steps you should take to initiate the SOC 2 compliance process and appropriately prepare yourself for an audit.

Need professional help navigating your SOC 2 compliance audit and the steps to satisfy requirements? Contact Aprio’s Information Assurance team today.

The full story:

The SOC 2 report is essential to building a solid compliance framework for technology-centric companies — including payment facilitators.

Are your customers asking you for a SOC 2 report? Have you avoided creating a report because you’re worried the compliance process will be tedious and expensive?

Here are the preliminary steps to consider as you start the SOC 2 compliance process.

1. What are the gaps in your compliance framework?

First, you need to determine the scope of your SOC 2 compliance project and what internal controls are missing. Doing this legwork at the outset will give you and your stakeholders a better understanding of how big an undertaking the project will be and whether you need to enlist the help of a third-party professional.

2. Should you leverage software or take a DIY approach?

When it comes to SOC 2 readiness, the compliance landscape is evolving, and depending on your circumstances, you may use software to streamline your remediation efforts and SOC 2 audit.

Each solution has its pros and cons, and the right option depends on many variables, including the size and complexity of your company. You also need to consider future use cases: for instance, will you invest in software solely for SOC 2 purposes, or will you use it for compliance efforts down the road? Are you looking for a tool to simultaneously manage your IT security and compliance efforts? Based on your needs, you may select a simple software solution or an all-in-one system that comes with multiple integrations.

3. What type of report do you need?

There are two types of SOC 2 reports. The Type I report is like a balance-sheet audit, with an “as of” date for the establishment of controls. The Type II report is like an income statement, covering a specific period. In most cases, a SOC 2, Type I report is for short-term purposes — such as a situation in which a company must quickly produce a report to fulfill a contract or sales opportunity — whereas a SOC 2, Type II report is usually required for long-term compliance purposes.

Keep in mind you will probably need to wait approximately four to five months after you remediate your last gap before you can hand a SOC 2, Type II report to your customers. Therefore, your time horizon will be the primary driver behind the type of report you choose.

4. Are the right controls in place?

The next step is to ensure that you have implemented the controls needed to pass a SOC 2 audit. It’s one thing to be performing the controls, and it’s another to prove to an auditor that you’re following through on them, which makes documentation critical. This is where the help of a professional partner comes into play: that partner’s team can provide insight into what types of documentation auditors usually request, so you’re prepared before your audit happens.

The bottom line

The final step in the SOC 2 compliance process is starting your audit, whether you have a Type I or Type II report. If you need professional help navigating your SOC 2 compliance audit, rely on Aprio. We can guide you through the process, as well as the steps above, to satisfy requirements and ultimately meet your customers’ needs.
