The importance of SOC 2 Type II certifications in vendor sourcing

Vendors with the certification have been through rigorous audit processes to ensure information security

The importance of SOC 2 Type II certifications in vendor sourcing

by Scott Roller

If you are serious about not becoming the next news headline about an information security breach, then start putting a premium on SOC 2 Type II certifications.  Your certified vendors have paid a premium for the certification, granted by an independent authority, saving you sizable time and money, while mitigating risk.

An ever-increasing number of vendors across mortgage and credit union ecosystems are proudly displaying their SOC 2 Type II “badge of honor.”  Here’s the rub.  It is, in fact, a huge achievement, yet so few of us know why.  That is a travesty, especially for those of you with any role to play in vendor sourcing. 

Companies moving their data to the cloud, your vendors included, often have legitimate concerns about the security of their sensitive information.  Certifications like SOC 2 Type II provide an independent assurance that the cloud platform they select is safe and secure.

Developed by the American Institute of CPAs (AICPA), SOC 2 is specifically designed for service providers using the cloud to store customer data, inclusive of nearly every SaaS company.  Before 2014, cloud storage vendors only had to meet SOC 1 (SSAE 16) compliance requirements.   

The Service Organization Control (SOC) 2 Type II certification is among the most coveted and hard to obtain information-security certification.  It demonstrates that an expertly trained independent accounting and auditing firm has examined an organization’s non-financial reporting control objectives and activities, and has actually tested those controls over time to ensure that they are operating effectively.  The classic audit process – say what you do, then do what you say – InfoSec style.

Differences:  Type I vs. Type II
The Type I report is preliminary to the Type II report and is based on the ability to test and report on the design suitability only. Type I reports are issued to organizations that have controls in place, but have not yet audited them.  So seek out vendors with the Type II reports.  Whereas other security mandates simply require you to pass the design test, SOC 2 requires long-lasting internal practices that will ensure the security of customer data and the longevity of your business.  SOC 2 Type II certification provides you with rational assurance and peace of mind that the controls are properly designed, in place, and effectively protecting sensitive client data.

As more companies leverage the cloud to store customer data, SOC 2 Type II compliance is becoming compulsory, especially within financial services.  Albeit a “technical” audit, the exam requires companies to establish and adhere to strict information security policies and procedures, encompassing the security, availability, processing, integrity, and confidentiality of customer data.

Time and Cost – Quite the Commitment
This SOC 2 Type II certification process is neither fast, nor cheap.  It can easily take six to 12 months, and can cost $30,000 to over $100,000, depending upon the complexity of the infrastructure.  Vendors with that time, money and patience are clearly differentiating themselves when it comes to information security.

We found the following examples of vendors with SOC 2 Type II certifications on the industry’s vendor search engine: (alphabetical order, not all-inclusive

Commonwealth USA Settlements 

Title Vendor

InHouseUSA

Appraisal Platform; AMC

LendingQB

Loan Origination System

Mortech

Product, Pricing, Eligibility

RES/TITLE

Title Vendor

TENA Companies

Audit, Analytics, QC, Due Diligence

United States Appraisals

Appraisal Vendor

Shanon Lake-Catello, CTO/CMO at Commonwealth USA Settlements, said, “Having gone through the American Land Title Association (ALTA) Best Practices review with an independent CPA, versus a self-audit conducted by most title companies, really prepared our team for the SOC2 audit in the sense that it was a good practice run.  We had a strong outline of what would be considered and looked at when developing our controls for the SOC2.  However, nothing prepared us for what occurred during the initial audit.”

Lake-Catello recalled the first audit as being quite grueling, feeling like auditors had become permanent fixture in the office.  She said when the auditors were not physically on premises, phones and email inboxes were always “blowing up” with ongoing questions and meeting requests.  Apparently, it does not get easier with time.  These are annual audits.  Lake-Catello said, “Each year the audit gets better, but not necessarily easier.  Your staff adapts to non-stop audits.  Our second-year audit was a bit tougher than the first, with auditors scrutinizing more than ever. Just when you finish one auditing cycle, the next begins.  There is no breather.”

Doug Foral, GM, Mortech, a Zillow Group Business, advised that the SOC2 controls need to be managed and tested on a daily, weekly, monthly, quarterly and annual basis by a vendor’s internal team.  He said, “SOC compliance never sleeps.”

So, the real question is: Who in their right mind would willingly subject themselves to this expensive and never-ending agony?  The answer – vendors serious about earning and keeping your business, understanding that you cannot afford to be that next news headline. 

Mortech now has 12 internal control owners working full-time to maintain and test these controls. These owners dissect the entire organization, not just operations and IT, but developers, managers and the business decisions as a whole.

When asked what surprised him most about the certification process, Foral said, “The additional criteria and controls that needed to be put in to place with the new SSAE-18 regulation. It virtually doubled our controls across the environment. The enormous emphasis on risk and the risk assessment and evidence that business decisions are made based on the risk approach. The broad scope of SOC2 certification truly makes it an ‘all company’ initiative for Mortech. All areas of the business need to be invested and understand the value of the audit to be successful. I am proud of how well our company has taken ownership of their respective areas and made it a part of day to day processes.”

SOC2 Value in Vendor Sourcing and Management
Lenders are now being held responsible for their third-party vendors’ actions, inactions and mistakes.  Having a vendor that has been thoroughly audited by an independent CPA firm offers peace of mind.  A SOC 2 Type II vendor has every component in place needed to be compliant and has been tested on those controls.

For those of you issuing Requests for Proposals (RFPs), there is huge benefit here for you.  Stop including your information security questionnaires as RFP attachments.  The novel War and Peace can seem shorter than many security questionnaires, which often contain 300+ mundane and repetitive questions to be answered by the pool of vendors, and later become required reading for you.  These questionnaires are not needed in their current form.  Simply read the SOC 2 Type II reports, and cobble together any subsequent questions you may have, expecting there to be very few.  

In all likelihood, anyone auditing you will be thrilled to know you are doing business with SOC 2 Type II suppliers, giving auditors confidence, as well as making their lives easier by already being familiar with SOC2 reports.  As a result of the certification standards, you will show that you have comprehensive audit trails as well as actionable forensics built into your information security plan.

The net messages in all of this –

  • A vendor that takes information security this serious probably deserves to be instantly added to your short-list, provided they have the requisite skill and experience in the products and services you seek. 
  • There are likely substantial vendor due diligence and annual re-certification expenses you can save as well.  If a vendor can pass the SOC 2 Type II audit, there is little you will review that will trip them up.  They have endured far worse.  Just ask for their SOC 2 Type II report and certification documentation, review it to ensure your own comfort, then check the “Exceeds Requirements” box, and move on to the next vendor to review.

Yes, we are essentially saying that SOC 2 Type II vendors should be given a “free pass” (of sorts).  Give them an explicit opportunity to strut their stuff in your RFP process.  And, by no means was it FREE.  It has cost them dearly, but they think earning your business and peace of mind is worth it.

If you are a vendor contemplating SOC 2 Type II certification, here are two pieces of advice from Lake-Catello:

  1. Use a CPA firm that is reputable and experienced
  2. Be prepared – you must have processes, policies, procedures and controls for every department, and most importantly, a strong infrastructure in place.

Scott Roller founded 3W Partners and is co-founder of VendorSurf, with each company dedicated to revolutionizing the sourcing of vendors in the mortgage and credit union ecosystems.