Don’t Be Fooled by Phony SOC Reports

A credit union guide to cloud provider due diligence. Part III

In this 4-part series we dig into what credit unions should be looking for in SOC reports. As credit unions research Loan Origination Systems and other cloud-based solutions we point out the value of working with a provider that has done detailed work to earn their SOC Certifications.

The Importance of the SOC 2 Type 2 Evaluation

The SOC 2 Type 2 is by far the most relevant type of audit for a software provider that a) delivers its products or services via the cloud and b) handles consumer PII/NPI. It proves that the vendor’s systems and controls adhere to the latest standards for the protection of client data. Therefore, any credit union considering cloud-delivered products or services, such as a loan origination system or LOS platform for example, should insist on the availability of a  SOC 2 Type 2, as well as the resultant SOC 3 report. Furthermore, these assessments must be current.

The process of maintaining a current SOC 2 Type 2 certification is a continual cycle of data collection and analysis. When one audit period ends, the next audit period begins. It then falls on the credit union to ensure that all of its cloud-based vendors are performing SOC 2 Type 2 evaluations on a regular, ongoing basis. Anything less should be considered unacceptable by the credit union.

Due Diligence Red Flags

Although the NCUA does not specifically require SOC evaluations from cloud providers, every credit union should. This is the current, industry-standard means to ensure that a cloud provider is living up to its commitment to safeguard your operations and your data.

Even worse than a company without a SOC 2/3 is a company that attempts to pass off another firm’s SOC evaluations as their own.

This is unfortunately more common than one might think. For example, a cloud-based LOS software vendor might use Microsoft Azure as it’s cloud hosting provider. It’s not uncommon for a cloud vendor to, in this situation, present Microsoft’s Azure SOC 3 report to satisfy the credit union’s request for a SOC 3.

Be clear on this one point: A third-party cloud hosting provider’s SOC evaluations, while extremely important in their own right, do little to ensure the safety, security and stability of a cloud software vendor’s product. Knowing that the host company has invested in SOC assessments is helpful, but it’s absolutely no substitute for a vendor performing its own SOC assessments.

About Sync1 Systems

Sync 1 Systems, a fully SOC-certified technology CUSO, is the developer of the industry’s first 100% cloud-based Loan Origination System (LOS). The Sync1 product is not an on-premise product that was repurposed for cloud deployment; it was designed from the ground up to take full advantage of the features and benefits of a true cloud deployment. A copy of Sync1’s current SOC 3 report is available on request.

For additional information about Sync1 Systems or any information presented in this paper, please feel free to contact us at or (888) 200-7801

Pin It on Pinterest

Share This