Dwolla has recently completed its SSAE18 SOC 2 Type II audit for January 1 through June 30 of 2021. This report covers the entire production environment, including ACH, Push-to-Debit and Real-Time Payments. SOC reports are important to service provider clients because they provide an independent, outside opinion on the effectiveness of an information security program, giving you a high level of assurance that the providers of services you’re using are taking these concerns seriously.
One of Dwolla’s guiding principles is “We Are Never Done,” and our information security program is no exception.
Since Dwolla’s first SOC 2 Type II in 2018, there has been significant growth and change in the business. Today, Dwolla is a fast-growing, leading provider of secure and reliable payment technologies. A rapidly-growing base of clients large and small entrust Dwolla with their business, including many who have rigorous information security programs and hold us to a high standard.
Dwolla is committed to meeting these expectations and today we’re excited to announce three changes to our SOC program starting with the current reporting cycle:
- Dwolla has engaged Coalfire, an industry-leading audit firm, to conduct its SOC audits. Dwolla previously engaged Coalfire for its PCI DSS Service Provider Level 1 audits.
- Dwolla’s SOC 2 Type II now includes the Availability Principle in addition to the Common Criteria (Security Principle).
- Dwolla now maintains a SOC 3 report, which attests to our successful completion of an unqualified SOC 2 Type II report. This can be released without a non-disclosure agreement, and allows us to share this report more freely and widely.
What is a SOC 3 Report?
A SOC 2 Type II can only be shared for the purposes of providing assurance to clients of Dwolla, and requires a non-disclosure agreement per AICPA direction given the level of detail and its proprietary nature. A SOC 3, however, is an attestation by the auditing firm that the audited organization (the audit firm’s client) has successfully completed an unqualified SOC 2 Type II report. Since a SOC 3 does not contain the level of detail of a SOC 2 Type II, it can be shared without a non-disclosure agreement.
Dwolla clients can obtain this document from their designated Dwolla Account Manager.
What is the Availability Principle?
In addition to the mandatory controls included as part of the Common Criteria (Security Principle), SOC 2 reports can optionally cover additional criteria. These provide additional assurance to readers regarding areas of control that are not part of the base SOC 2 report. Dwolla has adopted the Availability Principle because we understand the importance of our platform being available to our clients when they need it, and of ensuring their data will not be lost.
Specifically, the additional controls for the availability principle cover the topics of capacity management, backups & recovery, business continuity and disaster recovery.
What should I look for when reading a SOC 2 report?
SOC reports, by their nature, are not certifications. The purpose of SOC reports is to provide a detailed accounting of all the controls in place and the auditors’ opinion as to their operation.
Because of that, reading these reports is critical.
Here are five things you should pay attention to when reading a SOC 1 or SOC 2 report:
- Is the firm that conducted the audit accredited by the AICPA? If not, the level of assurance the report provides is significantly lower as it might lack the level of rigor or quality assurance it would otherwise have.
- Was the report conducted within the last 12 months? These reports are typically issued on an annual basis and look back 12 months. If you’re reading a report more than 12 months old, you could be looking at data that’s up to two years old! A lot can change in two years.
- Does the scope of the report include the services you’re using? Especially with large firms, you need to be careful that you aren’t just checking the “SOC 2 Type II” box without ensuring it’s relevant to you!
- Are there any Complementary User Entity Controls (CUECs)? These are aspects of the SOC control framework that the auditee has delegated to you, the user of their service. Typically these include things such as user management or reporting of incidents. You want to make sure you’ve accounted for these in your own processes and internal audits.
- Are there any exceptions in the report or was it a qualified report? Exceptions are instances where auditors have noted a control was not operating at 100% effectiveness. It’s up to the auditors to determine whether an exception is worth “qualifying” in the overall report or not, but you should ensure you look for any exceptions that cause you concern and get your questions answered. Dwolla places responses to any identified exceptions in Section 5 of our report, along with other information not attested to by the audit firm but potentially useful to readers.
Other Common Questions About SOC Reports
There are two other distinctions that often arise when discussing SOC reports.
The first is Type I versus Type II. This applies for SOC 1 and SOC 2 reports.
A Type I report expresses an opinion on the design of the controls, but does not assess their operation. It’s common for companies to complete a Type I report as an “on-ramp” to a Type II for the next cycle, as it ensures the controls are sufficient as written and then allows for follow-up on putting them into practice and monitoring them with internal audits.
A Type II report, like Dwolla’s, reflects rigorous testing of the implemented controls and states whether or not they are operating effectively. Only with a Type II report can you determine the extent to which an information security program is actually protecting your data—versus just being designed appropriately.
The second distinction is between SOC 1, SOC 2 and SOC 3. We have already discussed the purpose of a SOC 3, but what’s the difference between a SOC 1 and SOC 2?
SOC 1 assessments are focused entirely on financial reporting objectives. SOC 1 reports cannot be used to cover broader objectives, such as those related to data confidentiality, availability or privacy. These are commonly seen from financial institutions, and often used as a part of Sarbanes-Oxley 404 compliance. A SOC 2 has a similar look and feel to SOC 1, but unlike SOC 1, SOC 2 assessments focus on controls aligned with the principles developed by the AICPA to manage and protect customer data.
To date, Dwolla has found a SOC 2 Type II to be the most appropriate report for our clients given the services we provide and has not pursued a SOC 1. If this is something you would like to see, please let your designated account manager know so we can register your interest!
What about PCI DSS?
Dwolla continues to undergo annual audits as a PCI DSS Level 1 Service Provider, covering our Push-to-Debit offering.
Given the scope of PCI DSS, and Dwolla’s strategy of compartmentalizing and tokenizing card-related operations, this report does not cover the ACH or Real-Time Payment products, or corporate networks. Dwolla is able to provide the Attestation of Compliance (AoC) upon request to clients who are using or considering adopting our Push-to-Debit offering.