NDNB provides high-quality, fixed-fee SOC 2 audit reports for mail/print/order fulfillment organizations requiring such annual reporting. With a long track record of working within the fulfillment industry, there’s no “on the job” training needed for NDNB auditors – not at all – as we’ve actually developed a proprietary audit solution that saves thousands of dollars on annual SOC 2 compliance audits.
NDNB. North America’s SOC 2 Mail/Print/Fulfillment Auditing Experts
Order fulfillment services and centers providing critical outsourcing functions for other businesses are often being asked to become SOC 1 SSAE 18 and/or SOC 2 compliant each year. Additionally, with such a fragmented industry – as of 2018, the four largest industry players are expected to account for just 21% of industry revenues – it means hundreds of companies could be subject to annual compliance reporting.
6 Essential Auditing Best Practices for Mail/Print/Fulfillment Organizations
It’s important to properly plan and prepare for annual SOC 2 audits, so take note of the following best practices for ensuring an efficient and cost-effective audit process from day one:
Choose the Correct Trust Services Criteria. More technically known as the Trust Services Criteria (TSC), the TSC are a core element of SOC 2 Type 1 & Type 2 reporting, and consist of the following:
- The security of a service organization's system.
- The availability of a service organization's system.
- The processing integrity of a service organization's system.
- The confidentiality of the information that the service organization's system processes or maintains for user entities.
- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
While there is generally great debate as to which of the TSC’s should be included within the scope of a SOC 2 audit, the criteria for each of the TSC’s has been defined in a prescriptive manner by the AICPA (SOC 2 governing body), ultimately providing auditors with a flexible roadmap for helping ensure a successful audit. As for the choosing the correct TSC’s, most mail/print/order fulfillment organizations would include the Security TSC as a baseline minimum, adding other TSC’s if necessary.
Remember that SOC 1 SSAE 18 is an Option: Mail/print/order fulfillment organizations may very well find themselves having to perform a SOC 1 SSAE 18 audit due to the fact that their services can directly impact financial reporting for their clients. After all, if you’re involved in shipping goods, collecting revenues, confirming inventory, transferring funds and other financial activities, then SOC 1 SSAE 18 may be the more viable option. We’ve seen our fair share of mail/print/order fulfillment organizations that opt for SOC 1 SSAE 18 over SOC 2.
If that’s the case, then you’ll need to develop control objectives that can test for a wide-range of operational and ICFR (“Internal Controls Over Financial Reporting) controls.
Here’s some great example of SOC 1 SSAE 18 control objectives for mail/print/order fulfillment organizations:
- Controls provide reasonable assurance that fulfillment services are designed and implemented according to various business and technical specifications, and carried out in a timely, accurate, complete manner by the use of a documented project management framework.
- Controls provide reasonable assurance that general work instruction manuals, work orders and supporting documents are utilized for aiding and facilitating daily operational activities for all fulfillment services.
- Controls provide reasonable assurance that Standard Operating Procedures (SOP) and supporting documents are utilized for aiding and facilitating daily operational activities and ensuring customer compliance for fulfillment services.
- Controls provide reasonable assurance that for client specific sales order processing activities, critical consumer financial data is captured, reconciliation activities are undertaken for confirming the accuracy of financial data, and appropriate reports are generated and sent to clients on a timely and consistent basis for all fulfillment services.
- Controls provide reasonable assurance that for client specific inventory, reconciliation activities are undertaken on a regular basis along with physical counts, and other supporting processes and procedures for confirming the accuracy of the inventory for all fulfillment services.
Understand Scope: Regardless of which of the five (5) Trust Services Criteria (TSC) an organization decides to include for a SOC 2 assessment, understanding what’s included from a business process is even more important. Specifically, is the entire mail/print/order fulfillment process lifecycle included in the scope, or is it just a specific business function? Scope creep can be a real danger, so it’s important to understand exactly what is being covered – thus discuss this with your SOC 2 auditing firm.
Documentation is Paramount: That’s right, documentation is extremely critical when it comes to SOC 2 compliance for order fulfillment centers as auditors are on the lookout for formalized and well-established information security processes and procedures. It means now’s the time to start authoring comprehensive documentation for access control, change management, data backup, and many other areas within the broader domain of information security.
Follow your Policies. Policies that aren’t followed are nothing more than documents with no merit, so keep this in mind as auditors will be testing for compliance against such documentation. Have an access control policy in place – one that defines password requirements – great, then you better be following them for ensuring compliance and a successful audit.
Fixed-Fees. Superior Service. Nationwide Coverage