Service Organization Control (SOC)
SOC 2 Type 2
What is SOC? System and Organization Controls (SOC)
System and Organization Controls (SOC) is a suite of service offerings that CPAs (Certified Public Accountants) may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.
SOC for Service Organizations
Internal control reports on the services provided by a service organization. They give users the information they need to assess and address the risks associated with an outsourced service.
• SOC 1: a report on controls at a service organization that may be relevant to user entities' internal control over financial reporting.
• SOC 2: Trust Services Criteria. The report is based on the existing SysTrust and WebTrust principles. The purpose of a SOC 2 report is to evaluate an organization's information systems relevant to security, availability, processing integrity, confidentiality, or privacy.
• SOC 3: Trust Services Criteria for General Use Report. The report is like a SOC 2 report and is based on the same SysTrust and WebTrust principles; however, a SOC 3 report does not detail the testing performed and is intended for general use, for example as marketing material.
SOC 1, 2 and 3 are attestation reports issued to service providers. A SOC 1 report addresses controls relevant to financial reporting; SOC 2 and SOC 3 reports address a defined set of security and related controls. SOC 1, 2 and 3 do not provide certification to any international standard. They are audits developed by the American Institute of Certified Public Accountants (AICPA) primarily to meet the needs of American companies. They have not been through the rigorous international review process common to international standards, and as such may disregard regional issues that tend not to exist in America. SOC 1, 2 and 3 audits can only be performed, and the reports issued, by a licensed Certified Public Accountant (CPA) firm that follows the AICPA attestation standards.
Comparison of SOC 1, SOC 2 and SOC 3 Reports
Under what professional standard is the engagement performed?
• SOC 1: SSAE No. 16, Reporting on Controls at a Service Organization; AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization. (SSAE No. 16 has since been superseded by SSAE No. 18, AT-C Section 320.)
• SOC 2: AT Section 101, Attestation Engagements; AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. (AT 101 has since been superseded by SSAE No. 18, AT-C Sections 105 and 205.)
• SOC 3: AT Section 101, Attestation Engagements; AICPA Technical Practice Aid, Trust Services Principles, Criteria, and Illustrations.
What is the subject matter of the engagement?
• SOC 1: Controls at a service organization relevant to user entities' internal control over financial reporting.
• SOC 2: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
• SOC 3: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
What is the purpose of the report?
• SOC 1: To provide information to the auditor of a user entity's financial statements about controls at a service organization that may be relevant to a user entity's internal control over financial reporting. It enables the user auditor to perform risk assessment procedures and, if a type 2 report is provided, to assess the risk of material misstatement of financial statement assertions affected by the service organization's processing.
• SOC 2: To provide management of a service organization, user entities and other specified parties with information and a CPA's opinion about controls at the service organization that may affect user entities' security, availability, processing integrity, confidentiality or privacy.
• SOC 3: To provide interested parties with a CPA's opinion about controls at the service organization that may affect user entities' security, availability, processing integrity, confidentiality, or privacy.
What are the components of the report?
• SOC 1 and SOC 2: A description of the service organization's system. A service auditor's report that contains an opinion on the fairness of the presentation of the description of the service organization's system, the suitability of the design of the controls, and in a type 2 report, the operating effectiveness of the controls. In a type 2 report, a description of the service auditor's tests of controls and the results of the tests.
• SOC 3: A service auditor's report on whether the entity maintained effective controls over its system as it relates to the principle being reported on (i.e., security, availability, processing integrity, confidentiality, or privacy), based on the applicable trust services criteria.
Who are the intended users of the report?
• SOC 1: Auditors of the user entity's financial statements, management of the user entities, and management of the service organization.
• SOC 2: Parties that are knowledgeable about: the nature of the service provided by the service organization; how the service organization's system interacts with user entities, subservice organizations, and other parties; internal control and its limitations; and the criteria and how controls address those criteria.
• SOC 3: Anyone.
SOC 2® - SOC for Service Organizations: Trust Services Criteria
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:
• Oversight of the organization
• Vendor management programs
• Internal corporate governance and risk management processes
• Regulatory oversight
For SOC 2, there are two types of report: a type 2 report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management's description of a service organization's system and the suitability of the design of controls. Use of these reports is restricted to the specified parties named in the report; a SOC 3 report is the general-use alternative.

SOC 2 concerns the internal controls in place at the third-party service organization. SOC 2 is not a certification: to obtain an unqualified SOC 2 report, a company must have policies and controls in place that satisfactorily protect the client's data, and the CPA must find them suitably designed (and, for a type 2 report, operating effectively). SOC 2 is designed for more advanced IT service providers. These can include IT managed service providers, cloud computing vendors, data centers, Software-as-a-Service companies and more. The SOC 2 framework includes five key sections, forming a set of criteria called the Trust Services Principles (now referred to by the AICPA as the Trust Services Criteria). These include:
• The security of the service provider's system.
• The availability of this system.
• The processing integrity of this system.
• The confidentiality of the information that the service provider's system processes or maintains for user entities.
• The privacy of personal information that the service provider collects, retains, uses, discloses and disposes of for user entities.
The SOC 2 report focuses on a business's non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1, which is focused on the financial reporting controls.
The Trust Services Principles on which SOC 2 is based are modeled around four broad areas:
• Policies
• Communications
• Procedures
• Monitoring
Each principle has defined criteria (controls) which must be met to demonstrate adherence to the principle and produce an unqualified opinion (no material exceptions found during the audit).
The Trust Services Principles in SOC 2/3 Reports
Technology necessitates data security, particularly for information systems customers. The Trust Services Principles (TSP) and Criteria, the basis for SOC 2 and SOC 3 reports, target the control areas most important to customers of service organizations that provide outsourced IT services. The TSP comprises five principles:
• Security: the system is protected against unauthorized physical and logical access.
• Availability: the system is available for operation and use as committed or agreed.
• Confidentiality: information designated "confidential" is protected as committed or agreed.
• Processing Integrity: system processing is complete, accurate, timely, and authorized.
• Privacy: personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP).
SOC 2 Type II
SOC 2 reports come in two forms. A Type I report concerns policies and procedures that were placed in operation at a specific point in time: it covers the suitability of the design of the controls, not whether they operated. A Type II report concerns policies and procedures over a period of time; the system is evaluated over a review period of generally at least six months, and the report includes the auditor's tests of the controls and their results. This generally makes SOC 2 Type II reports more comprehensive and useful than Type I reports when considering a prospective service provider's credentials. A company that has obtained an unqualified SOC 2 Type II report has therefore demonstrated that its controls were suitably designed and operated effectively over the review period, not merely described on paper. When it comes to working with the cloud and related IT services, such demonstrated performance and reliability is essential and increasingly required by regulators, examiners and auditors.
SOC 2 in 140 characters: SOC 2 assures clients we use systems to protect their data. It audits security, availability, processing integrity, privacy and confidentiality.