NDNB provides industry leading SOC 2, SOC 3, and PCI DSS assessments and reporting for call centers throughout North America. As one of the nation’s leading boutique CPA and consulting firms specializing in call center compliance, we offer highly competitive pricing based on our fixed-fee philosophy.
NDNB. North America’s SOC 2 Call Center Auditing Experts
Call centers are falling under the regulatory compliance microscope due largely to the massive amounts of information they store, process, and/or transmit. From healthcare data to other forms of Personally Identifiable Information (PII), call centers are being asked to implement robust information security controls for ensuring the safety and security of such data.
NDNB has been performing a wide range of regulatory compliance audits on call centers since 2005, starting with the now-retired SAS 70 auditing standard and continuing through to the current SOC 2 framework. We also provide PCI DSS assessments for call centers, both onsite Level 1 Report on Compliance (ROC) assessments and help with the ever-growing list of Self-Assessment Questionnaires (SAQs). NDNB knows how call centers function, what challenges they face in terms of compliance, and what security best practices need to be in place.
NDNB also offers comprehensive SOC 1 and SOC 2 audits for businesses using Amazon AWS, Microsoft Azure, and Google GCP. If you host your production environment on AWS, read what you need to know now about SOC 2 audits.
5 Essential Auditing Best Practices for Call Centers
It’s important to understand the following core principles and best practices regarding SOC 2 compliance for call centers:
(1). Pick the Correct SOC Assessment: It’s important to understand the differences between SOC 1 and SOC 2. Both are attestation engagements performed under the SSAE 18 standard, but a SOC 1 examination follows AT-C section 320, while a SOC 2 examination follows AT-C section 205 (the successor to the older AT 101 standard) and evaluates controls against the AICPA Trust Services Criteria. Additionally, SOC 1 is aimed at service organizations whose activities can affect their clients’ internal control over financial reporting (ICFR), while SOC 2 is generally used for technology-driven service organizations that process or store client data. These are clear differences that call centers need to be aware of when deciding on SOC 1 or SOC 2 audit reporting.
There are also politics at play here. One client may request one type of report based on an internal corporate initiative, while another client may choose a different report based on its own criteria and thinking about regulatory compliance. Just remember that the request usually comes from clients, and they have been educated on SOC compliance through any number of channels, such as Internet searches, conferences, seminars, webinars and more.
(2). Conduct a Readiness Assessment: Don’t look upon a readiness assessment for SOC 2 as an extra cost; rather, it is a proactive assessment for unearthing and identifying critical issues and gaps within your control environment. A readiness assessment, when conducted by professionals with years of industry experience, properly examines your internal controls relating to information security and the daily operational policies, procedures and processes of a call center. It is essential for determining which gaps and deficiencies are causing long-term roadblocks to SOC 2 compliance, and it lets you remediate them before the audit period begins rather than have them surface as exceptions in the report.
(3). Know that Scope is Important: Nobody wants to run into scope creep, especially on a compliance audit for a call center, so it is important to understand which business processes are included within the assessment, along with all physical locations, the supporting personnel and systems, and any other crucial scope topics. Working with a well-qualified CPA firm will help ensure scope is accurately assessed from day one. For SOC 2, it is critical to pick the right Trust Services Criteria (TSC), of which there are five: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the Common Criteria) is required in every SOC 2 report; the other four are added based on the services you provide and what your clients need assurance over.
Most call centers would be fine choosing the Security criteria, and possibly Availability, as the baseline for year-one SOC 2 reporting, then adding further criteria if compelled to by clients or prospects. Again, it all comes down to communicating effectively with all parties, your clients, your auditors, and whomever else, regarding scope for call centers.
(4). Assess Call Center Control “Pressure Points”: Call centers are unique in their own right, and with that come certain challenges relating to security and internal control best practices. Here is a list of what we call “Pressure Points”, the security challenges that call centers need to be aware of (after all, competent auditors will more than likely assess these areas during a SOC 2 audit):
- Provisioning and De-Provisioning: Call centers unfortunately have an extremely high employee turnover rate (at times approaching 100% annually), which makes provisioning and de-provisioning of employees critical. It means performing background checks on new hires, granting only the access a role requires, and ensuring that terminated employees have been completely removed from every form of physical access (badges, keys) and logical access (directory accounts, CRM and telephony systems, VPN) within the timeframe your policy defines. Expect an auditor to sample terminations from the audit period and trace each one to evidence that access was actually revoked.
- Clean Desk Policy: The ability to write down, record, screenshot and otherwise capture sensitive information such as payment card numbers and health data is enticing for employees who don’t value their job or the company they work for. As a result, call centers need to implement strict clean desk measures (no paper, personal phones or removable media on the floor, and screens locked when agents step away) to help ensure the safety and security of confidential information.
- Training Documentation: Employees need to be trained on security, operational and work-related guidelines and on their roles and responsibilities, and the training needs to be documented so it can be evidenced to an auditor. Because of this, call centers would be wise to invest in well-written documentation that speaks to the depth and breadth of their operations. Short on time and manpower? No problem: NDNB can assist in developing all types of call center specific materials with our years of industry expertise.
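The de-provisioning pressure point above is the one an auditor will test by sampling terminations and asking for proof that access was removed. The check below is an added example written for this page, not NDNB’s tooling: it joins a constructed HR roster against constructed exports of logical access (directory, CRM) and physical access (badge system) and flags any still-enabled access for terminated staff past an assumed one-day removal window, plus accounts with no HR record at all. The field names, system names and the 1-day SLA are assumptions for illustration; in practice you would replace the constructed lists with exports from your HRIS and each in-scope system and run the check on a schedule.

```python
"""Access-reconciliation check for the call center de-provisioning control.

Added example, not NDNB's own code. All data below is constructed; the
system names, employee IDs and the 1-day removal SLA are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: all access must be revoked within one day of termination.
REMOVAL_SLA = timedelta(days=1)

# Constructed HR roster: employee id -> (status, termination date or None).
HR_ROSTER = {
    "E1001": ("active", None),
    "E1002": ("terminated", date(2024, 3, 1)),
    "E1003": ("terminated", date(2024, 3, 18)),
    "E1004": ("active", None),
}

# Constructed access exports: (system, employee id, account enabled?).
ACCESS_EXPORTS = [
    ("directory", "E1001", True),
    ("directory", "E1002", True),   # terminated 3/1, still enabled -> finding
    ("directory", "E1003", False),  # disabled correctly -> no finding
    ("crm", "E1003", True),         # terminated 3/18, CRM still open -> finding
    ("badge", "E1002", True),       # physical access not revoked -> finding
    ("badge", "E1004", True),       # active employee -> no finding
    ("crm", "E9999", True),         # no HR record at all -> orphaned account
]


@dataclass(frozen=True)
class Finding:
    system: str
    employee_id: str
    reason: str


def reconcile(hr_roster, access_exports, as_of):
    """Return every enabled access entry that should not exist on `as_of`."""
    findings = []
    for system, emp, enabled in access_exports:
        if not enabled:
            continue  # disabled accounts are what we want to see
        record = hr_roster.get(emp)
        if record is None:
            findings.append(Finding(system, emp, "no HR record (orphaned account)"))
            continue
        status, term_date = record
        if status == "terminated" and term_date is not None:
            overdue = as_of - term_date
            if overdue > REMOVAL_SLA:
                findings.append(Finding(
                    system, emp,
                    f"terminated {overdue.days} days ago, access still enabled"))
    # Stable ordering makes the output easy to diff between runs.
    return sorted(findings, key=lambda f: (f.employee_id, f.system))


def run_check(as_of_iso):
    """Convenience wrapper: run the constructed sample as of an ISO date string."""
    return reconcile(HR_ROSTER, ACCESS_EXPORTS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for f in run_check("2024-03-20"):
        print(f"{f.system:10} {f.employee_id}  {f.reason}")
```

Run as of 2024-03-20 the check reports four items: E1002’s directory and badge access (19 days past termination), E1003’s CRM access (2 days past), and the orphaned CRM account E9999. Keeping the output of each run is itself useful audit evidence, because it shows the control operating throughout the period rather than only at the time of the audit.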
(5). Welcome to the World of Compliance: It is probably not the welcome you were looking for, but it is a sign of the times, as regulatory compliance is here to stay and continues to evolve as the norm while the digital economy progresses even further. It also means that annual compliance is here to stay for call centers, so finding and working with a well-skilled, highly professional CPA firm to issue your SOC 2 report is a must. NDNB offers scalable SOC 2 solutions at competitively priced fixed fees, so let’s work together in slaying the annual SOC 2 compliance dragon for your business.
Fixed-Fees. Superior Service. Nationwide Coverage