Because most of our clients rely on our systems to process or store sensitive data, Shape Software takes considerable care in designing its systems for the highest levels of security, reliability and scalability.
That also includes developing a comprehensive set of security measures and practices to keep our customers’ data protected and safe. In accordance with our efforts to deliver the highest quality services to our clients, we have completed the Service Organization Control (SOC) Type II audit, a semi-annual certification.
The SOC 1 Type II certification verifies that Shape Software has the proper internal controls and processes in place around security and availability. This helps to mitigate risks and ensure that our clients’ data are highly secure.
The SOC 1 is most appropriate for companies that are required to meet regulatory financial reporting requirements such as Sarbanes-Oxley (SOX), especially those that provide financial services, so that they may demonstrate their compliance with internal financial reporting controls. In addition, federal regulations such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA) and the Health Insurance Profitability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.
Because Shape Software serves financial services companies and others subject to these regulations, the SOC 1 is highly applicable to the services that we provide. Use of the Type II report is restricted by the AICPA but current Shape customers can request a copy of the report using an appropriate non-disclosure agreement.
The old SAS 70 audit was designed to help CPAs reporting on controls at a service organization — controls that impacted user entities’ financial statements. It was insufficient for reporting on a cloud hosting provider’s controls and how they impacted the privacy of customer data. Nevertheless, SAS 70 was the de facto standard up until 2011, and it was always subject to a measure of confusion. Consequently, the American Institute of Certified Public Accountants (AICPA) updated the SAS 70 with the development of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the SOC framework; together, these served as a new benchmark for service organizations and replaced the SAS 70.
SOC reports are administered in compliance with the SSAE 16 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. To address the various needs of service organizations previously using the SAS 70, the AICPA developed three different reports: SOC 1, SOC 2 and SOC 3. All are conducted via a third party independent auditor.
Shape Software currently holds a SOC 1 Type II report. According to the AICPA, “SOC 1 reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 reports are examination engagements performed by a service auditor (CPA) in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization to report on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. Use of a SOC 1 report is restricted to existing user entities (not potential customers) and their auditors.