Why a SOC 2 Type 2 Report is Important

By Mitch Taube posted 10-25-2014 16:09


Many large organizations, and some forward-thinking smaller ones, require that their document scanning service provider have a SOC 2 Type 2 Report.

The SOC 2 Report is the best way to gain information and assurance about a scanning company’s controls and processes that affect the security, availability and processing integrity of the systems used to process your documents and data, and the confidentiality and privacy of the information processed by those systems. Working with an imaging company that has received its SOC 2 Type 2 Report helps ensure that you have satisfactorily conducted due diligence and taken the steps necessary to meet compliance requirements that are internally and externally mandated in your company.

What Exactly Is a SOC 2 Report?

The American Institute of Certified Public Accountants (AICPA) created Service Organization Control 2 Type 2, or “SOC 2 Type 2,” as standards governing how service providers protect client information, including those who provide document scanning services and cloud document management. Many recognize SOC 2 as the worldwide standard for secure and confidential information handling.

SOC 2 audits are conducted by third-party service providers that employ certified CPAs and are members of the AICPA. A report is presented following the audit, which includes all findings.

What Are Key Components of SOC 2 for Document Scanning?

A SOC 2 audit is extensive, based on multiple principles and criteria testing of up to five controls in place at a document scanning company. The five controls are categorized as follows:

  1. Security: this ensures the physical and logical systems are protected against unauthorized access
  2. Confidentiality: information designated as confidential is protected as committed or agreed
  3. Availability: the system is available for operation and use as committed or agreed
  4. Processing Integrity: image processing is complete, accurate, timely and authorized
  5. Privacy: personal information is collected, used, retained, disclosed, and disposed of according to the existing privacy notice

Trust but Verify

We recommend you request to see the company’s SOC 2 Type 2 Report to ensure that your document scanning provider has been audited within the last year by an authorized third party. If you work with them over a multi-year period, we also recommend that you revisit this annually, as a document scanning service company must pass a SOC 2 Type 2 audit every year. Doing so represents the best protection of your information when having your documents scanned and processed by an outsourced document scanning company, helping your entire C-suite and compliance officers sleep soundly at night.
