SOC 2 Type II: A rigorous standard that reflects Airbase’s commitment to security.
Data protection is essential for everyone. As the threat of a data breach intensifies, companies must be confident that the most up-to-date, secure practices protect their data. This includes not only the security controls implemented internally, but also the security and confidentiality of data residing on third-party systems and applications. SOC 2 Type II ensures that controls are designed and implemented suitably and working effectively. Third-party auditors validate all the controls and verify their effectiveness throughout the year, so a SOC 2 Type II attestation provides reassurance regarding the security measures implemented by vendors.
The risks are evident and rising. Malware attacks rose by an astonishing 358% in the past year. The stakes are also increasing: The average cost of a data breach is $8.46 million in the U.S., according to a report from IBM. Importantly, the report found that it takes an average of 280 days to identify a breach.
Best practices advocate preparation and ongoing third-party audits to provide necessary reassurance that data residing in third-party software is safe and secure. To define a standard, and create the necessary protocols for evaluating security, the Auditing Standards Board of the American Institute of CPAs (AICPA) developed the SOC 2 (Service Organization Control) auditing process, which centers around five trust principles:
- Processing integrity
Businesses choose the primary principles for their audit; however, the largest part of the audit is the Common Criteria section, which examines information security from all angles. The audit itself is conducted by CPAs, who issue an attestation report at the end of the audit.
SOC 2 reports verify that a company has completed this process and are differentiated as follows:
- SOC 2 Type I represents an attestation of controls at a specific moment in time.
- SOC 2 Type II is an attestation of controls over a period of time (a minimum of six months).
In other words, a SOC 2 Type I report examines a business’s controls and policies. Because a SOC 2 Type II report examines those elements over time, it assesses whether or not they function properly.
The standardized process represented by SOC 2 compliance verifies that security policies and practices have been thoroughly audited. The SOC attestation report process is unique in that it is an evaluation framework specifically tailored to each business, instead of an outline of rigid rules. An audit emphasizes sustainable security policies, and compliance is therefore an ongoing process instead of a destination achieved. That’s important in the rapidly changing world of cyber security.
Knowing that the software you implement in your company is SOC 2 Type II compliant provides reassurance that the security controls are designed and implemented suitably and working effectively. As a sign of our commitment to protecting the data and privacy of our clients and vendors against threats, Airbase is SOC 2 Type II compliant. Our SOC 2 Type II attestation report represents the culmination of a set process as outlined in the timeline below. You can learn more about Airbase’s security practices, and Airbase will share our SOC 2 Type II report on request, following completion of an NDA.
The audit process.