Flywire CISO: SOC 2 Type II Audits' Silver Lining

May 16, 2018

Controls are everything in business and in data security.

Against that backdrop, SOC 2 — shorthand for Service Organization Control, originating from 2011 — is gaining in popularity, according to Flywire chief information security officer Barbara Cousins.

SOC 2 was developed by the American Institute of Certified Public Accountants (also known as AICPA) and exists as an auditing process aimed at ensuring that service providers maintain and manage customer data in a safe manner.

It considers five guiding principles governing “trust service,” which are security, processing integrity, confidentiality, availability and privacy. Data providers are expected to design internal controls that comply with at least one of those principles, as appropriate. Certification comes via outside auditors, who, in turn, give an assessment of compliance with those principles, or singularly, principle.

In an interview with PYMNTS’ Karen Webster, Cousins said certifications like SOC 2 help firms take the extra steps they might not otherwise take in ensuring that proper control procedures are in place.

She noted that there are certifications an organization can receive where the audit process validates controls via the review of process, procedures and documentation. A SOC 2 Type II review will include the testing of these controls.

“The difference with SOC 2 Type II is that they ask you to run a report right there in the room and make sure that what you wrote [before the audit] in terms of practices is what you follow — in real time,” Cousins told Webster. The onus is on the firm to produce proof that such procedures were followed.

For Flywire’s clients across healthcare and education, she added, they find the information documented in the reports important because they disclose whether there was a deficiency and then detail those findings in the report. Clients view the information to be more valuable than the ISO 27001 reports that were previously used to manage information security.

“Almost every client contract or security addendum that crosses my desk will request that we have a SOC 2 certification, and that we will produce it on an annual basis,” Cousins told Webster.

Webster asked what was hard and what was easy in bringing SOC 2 to the firm and its clients. With smaller companies, Cousins noted, documentation is always a heavy lift; procedures are usually in place, and job responsibilities may be followed, but not defined. Audits such as those performed via SOC 2 may uncover discrepancies in the process or access to internal information that should or should not be allowed. After all, said Cousins, the biggest threat to a firm can come from within.

As for what’s next, Cousins told Webster: “My next big adventure would be to move forward with HITRUST, which is associated with the healthcare industry.” She termed HITRUST a difficult certification to get as well (HITRUST is an organization that maintains the common security framework, which knits together HIPAA, PCI, ISO and other standards).

“If I’m going to go down the path of reviewing all of our processes, procedures, our policies, our controls … I should take into account all the regulations we are subject [to] and make sure we’re covering everything that we possibly look at or have in place,” she said.