System and Organization Controls (SOC)

System and Organization Controls (SOC) audits review a service organization's control activities related to the services it provides to its customers.

  • formerly known as Service Organization Controls
  • review the IT controls of the service organization
  • part of the SSAE reporting format created by the American Institute of Certified Public Accountants (AICPA)
  • recognized as acceptable for regulatory purposes in many industries
    • specifically designed for ensuring compliance with the Sarbanes-Oxley (SOX) Act

Categories of SOC Reports

  • each category is designed for a specific purpose
    • categories have subclasses called types
  • three categories of SOC report:
    • SOC 1
      • Report on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
      • used by auditors to assess the internal control over financial reporting (ICFR) at one entity that does business with another entity
      • Two subclasses:
        • Type 1
        • Type 2
      • strictly for auditing the financial reporting instruments of a corporation
        • not a focus in most cloud audits
    • SOC 2
      • Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
      • used by an entity to demonstrate to potential customers that it has good information security practices
      • specifically address security, availability, processing integrity, confidentiality, and privacy
      • two types of SOC 2 reports:
        • Type 1
          • reviews only the design of controls
          • does not examine how they are implemented, maintained, or operate
          • very useful for determining the security and trust of an organization
          • focuses on a single point in time
        • Type 2
          • Covers everything in Type 1
          • Also tests and verifies operating effectiveness of controls over time
          • most commonly referenced by security practitioners
    • SOC 3
      • Trust Services Report for Service Organizations
      • contains the auditor's assessment of whether or not the outsourced functions meet certain control objectives
      • similar to a SOC 2 report but does not contain the same level of detail
      • designed to be shared with the public
        • don’t contain actual data about security controls
        • only an assertion that the audit was conducted and passed
      • less useful for verifying trustworthiness

SOC Standards

  • Statement on Standards for Attestation Engagements 18 (SSAE 18)
    • published by the American Institute of Certified Public Accountants (AICPA)
    • guides SOC audits in the US
  • International Standard on Assurance Engagements 3402 (ISAE 3402)
    • published by the International Auditing and Assurance Standards Board (IAASB)
    • guides SOC audits internationally