Over the last decade, adoption of Cloud Computing, and SaaS in particular, has become a mainstream IT strategy for large corporations. The benefits of SaaS is well known and can readily be quantified. The risks, however, are more difficult to quantify and measure. Compound that with multiple SaaS vendors employed by a typical large corporation, this presents a real challenge. Corporations are increasingly demanding proof that SaaS providers are doing things properly, that they have the appropriate processes and controls in place. One of the ways corporations can seek that assurance is through a SOC report from the vendor, and this is a prevailing trend that has been on the increase over the last several years.
A System and Organization Controls (SOC) report, is a standardized audit report by a 3rd party Service Auditor. It provides assurance to the Service Users (clients) that the Service Organization (service provider) has in place appropriate controls to meet service level agreement to Service Users. A SOC report can be issued under a number of similar standards. SSAE 18 is the latest American standard issued by the American Institute of Certified Public Accountants. It is arguably the most stringent of all such standards (ex. the International Standard ISAE 3402, or the Canadian Standard CSAE 3416), and is widely accepted by corporations around the world.
In response to our clients’ increasing requests for information and assurances, we decided to engage Ernst & Young as a 3rd party auditor at the beginning of 2018, thus began our year long journey to obtain our first SOC 1 Type 2 report. We chose to do our SOC 1 Type 2 under the SSAE 18 standard because it is widely accepted by corporations around the world.
Our SOC report journey began with the definition of project scope, and project phases. A risk assessment for the ZEMA system was performed to determine what control objectives and controls are the most important. Input from our clients, as well as discovery sessions with internal stakeholders were invaluable in this portion of the project. At the same time, we began drafting the description of the ZEMA system in five categories (Infrastructure, Software, People, Policies & Procedures, and Data), and entity level controls. Based on the results of the risk assessment, we drafted the system control objectives and corresponding controls. We also identified complementary user entity controls, and complementary sub-service organization controls.
The next step was the readiness assessment where our 3rd party auditor, Ernst & Young, came on site and audited each and every one of our controls. We learned a great deal through this assessment process. We learned that it is sometimes tough to prove that a control is in place, and sometimes, making the control easier to audit actually improves the control and processes. The readiness assessment also identified where the gaps were, and allowed us to remediate those gaps before the beginning of the performance period for our SOC 1 Type 2 report.
The performance period is the span of time the audit team audits for the SOC 1 Type 2 report. After remediation of the gaps, we went back to business as usual during the performance period, and waited for our auditors to return towards the end of this period. Finally, the auditors returned. This final phase involved our auditors asking for all sorts of evidences, random samples of our artifacts, and answering any questions our auditors have. It was an intense process due to the volume of information we had to gather throughout our organization, and the unmovable target to release the report by the end of the 2018. It was at times exhausting, but exciting at the same time as we march closer and closer to the deadline. When the requests from the auditors began to taper down, and focus shifted to fine tuning of the report wording, we knew the finish line was within reach.
In the end, we are proud to announce that ZE PowerGroup Inc. has successfully obtained our first SOC 1 Type 2 report on Dec. 14, 2018. It was a great learning experience for ZE. It involved many teams across the organization working together. It was a lot of hard work, but in the process, it afforded us a deep look into every aspect of our work and how that contributes to serving our customers. With this SOC 1 Type 2 report, we can now provide unbiased, independently verified assurance to our clients that appropriate controls are in place and perform as designed. This SOC 1 Type 2 report will be a key component to help our client fulfill their compliance requirements with respect to the ZEMA system. This report can also help prospective clients understand the ZEMA system’s controls and processes when making their decision. We believe there is tremendous value in this report, and it clearly demonstrates how committed ZE staff are when delivering our state-of-the-art technology and high quality services.