Scribd
Upload
847 views

SOC Training

This document provides an overview of SOC reports for service providers and consumers of these reports. It explains the different types of SOC reports including SOC 1, SOC 2, and SOC 3. SOC 1 reports on controls related to financial reporting, SOC 2 reports on security, availability, processing integrity, confidentiality, or privacy, and SOC 3 provides a general overview. The document outlines the key considerations and process for preparing for and obtaining a SOC report, including defining the scope, identifying controls, documenting descriptions, and undergoing testing and reporting. It also describes what a SOC report contains and how to assess one for the relevant services.

Uploaded by

durgasainath
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
847 views

SOC Training

This document provides an overview of SOC reports for service providers and consumers of these reports. It explains the different types of SOC reports including SOC 1, SOC 2, and SOC 3. SOC 1 reports on controls related to financial reporting, SOC 2 reports on security, availability, processing integrity, confidentiality, or privacy, and SOC 3 provides a general overview. The document outlines the key considerations and process for preparing for and obtaining a SOC report, including defining the scope, identifying controls, documenting descriptions, and undergoing testing and reporting. It also describes what a SOC report contains and how to assess one for the relevant services.

Uploaded by

durgasainath
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 27

SOC REPORTS: WHAT YOU NEED TO KNOW AS A

SERVICE PROVIDER OR A CONSUMER OF THESE


REPORTS
How did we all get
HERE?
SOC Reports Matter in Today’s
Service-Oriented World

SaaS

+ PaaS
IaaS
SaaS – PaaS - IaaS

Customer
Responsibility
IaaS – Infrastructure as a Service (AWS, Rackspace)
Cloud Provider PaaS – Platform as a Service (Engine Yard, Heroku)
Responsibility
SaaS – Software as a Service (SalesForce.com, Zendesk)
What is SOC Reporting?

• Not SOX!
• SOC – Service Organization Control reporting
• Attestation standards issued by the AICPA for service providers
• Replaced the old SAS 70 standards in 2011.
• Three report versions:
 SOC1 (SSAE16)
 SOC2
 SOC3
What is the Catalyst for doing a SOC Report??
SOC Reporting Participants

Service Organization Service User / User Entity

Service Auditor User Auditor

Potential Customer
What is a SOC 1 Report?

• Reports on Controls at a Service Organization Relevant to User Entities’ Internal


Control Over Financial Reporting.

• Previously known as SAS70 Reports

• Also known as SSAE16


What is a SOC 2 Report?

Reports on Controls at a Service Organization Relevant to Security,


Availability, Processing Integrity, Confidentiality or Privacy

SOC 2 engagements use the predefined criteria in Trust Services


Principles, Criteria and Illustrations, as well as the requirements and
guidance in AT section 101, Attest Engagements (AICPA, Professional
Standards).
SOC2 Principles
A SOC2 Report is based upon the below five Trust Principles. A report may include any or all principles. Each principle contains
criteria which must be met as part of the SOC2 audit.

Security Availability Confidentiality Processing Integrity Privacy

The system is protected The system is available for Information designated as System processing is This principle addresses the
against unauthorized access, operation and use as confidential is protected as complete, valid, accurate, system’s collection, use,
use, or modification. committed or agreed. committed or agreed. timely, and authorized retention, disclosure, and
disposal of PII in accordance
28 common criteria with commitments and system
(required) 3 additional criteria 8 additional criteria 6 additional criteria requirements.

20 additional criteria

Common Criteria Framework


SOC 2+ Report

SOC 2 Reports may be • HITRUST


extended and customized to
also include other subject
matter:
• CSA CCM

• COBIT5

• NIST 800-53
What is a SOC 3 Report?

• A SOC 3 report is a general use report that provides only the service auditor’s
report on whether the system achieved the trust services criteria (no description of
tests and results or opinion on the description of the system).

• SOC 3 reports can be issued on one or multiple Trust Services Principles (security,
availability, processing integrity, confidentiality or privacy).
SOC Reports
Type I vs. Type II

Type I Report
Report of the design of the controls at a point in time. Typically utilized for first-time issuers,
at the conclusion of the readiness phase, and as a pre-cursor to the Type II report.

Type II Report
Report of the design and operating effectiveness of the controls over a specific period of
time (minimum of six months, maximum of twelve months). A Type II report is what is
expected by business partners, enterprise customers, and their auditors as the procedures
are sufficient to replace the due diligence and security assessment they would otherwise
have had to perform.
How to Prepare for a SOC Report
SOC Report Key Considerations

• Understand why your customers are requesting a SOC report

• Which SOC Report is most appropriate for the service being


provided:
• Does my organization process transactions?
• Do I have customers that are publically traded?
• Does my organization need to comply with HIPAA?
• Does my organization want to provide some level of assurance to
potential customers?
Project Steps
1. Initial Consultation / Define Expectations
• Gain an understanding of the business
• Define roles and responsibilities, project plan, and timeline
Assistance
Readiness

2. Control & Process Advisory


• Gain understanding of key processes and systems
• Draft control objectives and document individual controls
3. Review Framework
• Assist with management’s descriptions of controls
• Evaluate the suitability of control design
• Prepare Audit evidence request list
• Control Walkthroughs
• Perform and document control walkthroughs
• Provide guidance on areas of potential deficiency and remediation
4. REMEDIATION
Attestation

5. On-site Testing fieldwork


Audit

• Perform one-time final control design evaluation as of a point in time (Type I)


• Perform annual control testing of the sample over the period of review (Type II)
6. Reporting
• Provide final opinion on control design (Type I) or operating effectiveness (Type II)
• Issue final report
Project Timeline

Readiness / Type I Type II


Remediation Type II Audit Period
Gap Analysis Audit Audit

Oct. 1, 2016 – Sept. 30, 3017

June July Aug As of Nov.


1 1 31 Sept 15
30,
2016
Identify Controls
Define Scope of
and Control
the service /
owners
System:
Key Service
Organization
Activities
Document the
Identify Sub-
System
service providers
Description
How to Assess a SOC Report
Contents of a SOC Report
SOC 1 and SOC 2 reports include the following sections:

Section I Section II Section III Section IV Section V

Service Management’s System Control Other


Auditor’s Assertion Description Objectives / Information
Report Criteria
Controls and
Testing
Section I: Service Auditor’s Report

• Kind of Report: SOC1 / SOC2/3 (Trust Service Principles)


• Report Type: Type I / Type II
• Auditor Opinion: Unqualified / Qualified / Scope Limitation
• Subservice Providers: Carve-out / Inclusive Method
• Auditor Credentials: Reputable CPA firm
Section II: Management’s Assertion

• The assertion should echo the opinion


• Note: Management’s assertions do not vary much from
service provider to service provider.
Section III: System Description

• Gain an understanding of the environment


• Ensure the description matches the service you receive
• Ensure the system boundaries are properly set (SOC2)
• Assess the complimentary user entity controls (CUECs)
Control Objectives: Controls:
(SOC1 Specific): Do they cover Are there specific controls that
the areas for the service your should be included (e.g.
Section IV receive, including underlying IT developers with access to
general controls? production)?
Controls
Section III includes the control
objectives (SOC1), applicable
trust service principle criteria TSP Criteria Testing / Results:
(SOC2) controls, test of controls
and the results.
(SOC2 Specific): The criteria for What are the failures? How
these principles are static. Are significant are they considering
the principles appropriate? the service you receive?
Section V: Other Information

• Management responses to control exceptions.


• Additional items (not audited)
• Disaster recovery planning
• Compliance efforts (HIPAA, PCI, GLBA, etc.)
Contact Us

www.theCadenceGroup.com

http://www.linkedin.com/company/the-cadence-group

801.349.1360

[email protected]
[email protected]
[email protected]

You might also like