Does your core system provider meticulously protect the safety and integrity of your data? When it comes to policyholder information and insurance financials, you can’t just assume that they are watching out for you. You need to verify. Verification is simple: request a System and Organization Controls (SOC) report.
Background on the SOC-1 Audit
The American Institute of Certified Public Accountants (AICPA) publishes the Statement on Standards for Attestation Engagements no. 18, or the SSAE 18 standard. One part of this standard is the SOC-1 report. Other reports include SOC-2 and SOC-3, as well as SOC for Cybersecurity and SOC for Supply Chain.
SOC examinations are performed by Certified Public Accountants (CPAs). The guide “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting” provides detailed information on SOC-1 reports.
The Two Types of SOC-1 Reports
There are two distinct types of SOC-1 reports:
- Type 1, according to the AICPA, is a “report on the fairness of the presentation of management’s description of the service organization’s system.” The report also includes information on “the suitability of the design of the controls to achieve the related control objectives included in the description.” The report focuses on this information as of a specified date.
- Type 2 is similar, but it focuses on the “effectiveness of these controls to achieve the related control objectives included in the description.” This report focuses on the effectiveness over a specified period.
Why SOC Reports Matter
According to the AICPA, SOC reports provide valuable information used to assess and address the risks associated with outsourced services.
SOC reports help establish the ethics and trustworthiness of the vendor, thereby benefiting all parties involved. With a recent SOC report, you can know both what controls are in place and whether these controls are working effectively to protect you and your clients.
The criticality of this information cannot be overstated. In our business, both insurance carriers and managing general agents need to know that their partners are taking sufficient action to protect their most important assets – their policyholders.
Verifying that your internal data and your policyholder data are held to the highest security standards is essential in a core system partnership. Before signing a contract with a new vendor, trust, but verify.
Regular audits are essential, and their regularity shows a partner’s commitment to the security and privacy of your data. Without it, you may not have the comfort of knowing whether a vendor’s long-term security plan will mitigate security risk for you.
Trust but Verify
You should be able to trust your core system provider – but trust comes more easily when your provider’s controls have been verified by a reputable and independent third party.
At Insuresoft, we take this responsibility seriously.