If a colleague in Finance mentions “sock two,” they’re not referring to clothing that’s been lost in the wash. The “SOC” in SOC 2 stands for System and Organization Controls. The certification process was created by the American Institute of Certified Public Accountants (AICPA) with the goal of ensuring that a company’s customer data is protected from unauthorized access and cyberthreats. Here in Canada, SOC 2 compliance is growing larger each year as more and more Canadian companies are being asked for assurances of their internal control environments regarding services they provide to customers. From data centers to Software as a Service (SaaS) entities – and more – SOC 2 compliance north of the 49th parallel is here to stay.
Ricoh’s DocuWare recently achieved SOC 2 Type 2 compliance – and we’re enormously proud of that accomplishment.
DocuWare, a wholly-owned Ricoh company, is a document management software that automates a wide array of business processes and workflows by electronically managing and sharing documents regardless of their format or source. As a leading provider of Content Services software, DocuWare supports over 14,000 customers in more than 90 countries with cloud and on-premise document management and workflow automation software.
DocuWare had already qualified for SOC 2 Type 1 status which proves compliance at a single point in time. This year, we followed up with a more rigorous Type 2 audit that measures ongoing compliance. The audit verified DocuWare’s eligibility to be upgraded to SOC 2 Type 2 status and will take place annually.
How auditors determine compliance
DocuWare was audited by CohnReznick a leading advisory tax firm that specializes in confirming that companies meet the AICPA’s gold standard Trust Service Criteria. These criteria are used to evaluate the design and operating effectiveness of internal controls connected to:
The protection of data and systems from unauthorized access by using IT infrastructure such as firewalls, two-factor authentication, endpoint protection and network monitoring tools that prevent or detect unauthorized activity.
An assessment of network performance levels and monitoring and minimizing potential external threats as well as delivery of appropriate data backup and disaster recovery plans.
Ensures that systems perform as intended and are free of accidental or unexplained errors or unauthorized activity. This means that data processing operations should be authorized, accurate and reliable.
Refers to a company’s ability to protect confidential information throughout its lifecycle including capture, processing, retention and destruction. It also encompasses restricting access to customer data to authorized personnel and ensuring the security of information that is protected by laws, regulations, contracts or agreements.
An organization’s ability to safeguard personally identifiable information from unauthorized access. Privacy controls include privacy policies and consent management methods.
Teamwork ensured success
Demonstrating that DocuWare fulfilled these criteria was a team effort. The project team included a senior director of corporate services, a product manager and our compliance manager as well as their staff. While preparing for the audit the DocuWare team defined its scope and mapped our controls to the SOC 2 criteria. The audit process included an in-depth review of company policies and procedures for data handling, tests of our security controls, employee interviews and an overview of data center operations.
Because the systems and procedures have been evaluated by an independent auditor our customers and business partners can be assured that their data will be handled securely. DocuWare maintains the most stringent privacy and cybersecurity standards and partners with service providers who meet the same requirements. SOC 2 certification is also recognized globally which is important to us because DocuWare is used by customers in 100+ countries.
For security-conscious businesses like Ricoh, SOC 2 Type 2 compliance is an important business asset that minimizes the risk of data breaches and cyberattacks.
Keep calm and audit on
Knowing submissions are accurate and complete, you can stop fearing audits.
DocuWare provides full and proper documentation of all business transactions. Not just booked records from the period being audited, but email, letters or contracts connected with these records can be collected and submitted in seconds.
Learn more about how DocuWare can start you on your way to your own version of ‘digital transformation’. We’re with you every step of the way.