Soc 2 Ssae 18

This document provides an overview of Service Organization Controls (SOC) compliance. It discusses the history and evolution of SOC standards, including SAS 70, SSAE 16, and SSAE 18. It describes the three types of SOC reports - SOC 1, SOC 2, and SOC 3 - and explains that SOC 1 focuses on controls over financial reporting, SOC 2 focuses on security, availability, processing integrity, confidentiality, and privacy, and SOC 3 is a general public report. The document outlines the Trust Services Criteria used for SOC 2 reporting and provides details on preparing for a SOC audit, including required documentation and testing methods.
Overview of Service Organization Controls
SSAE 18 SOC 1 & 2 Compliance
ISACA Pune Chapter
19th Oct 2019
History of SOC
• SAS 70 - First introduced in 1992 for Service Organizations
• Revised as SSAE 16 in 2010 to bring it in line with the International standard ISAE 3402, "Reporting on Controls at a Service Organization"
• Revised to SSAE 18 in 2017 to include monitoring of subservice organization controls
Why was SOC Required?
• SAS 70 reports were required by auditors, especially after SOX
• Auditors required assurance on internal controls over financial reporting for outsourced services such as payroll, general ledger, AP, AR, etc.
• Subsequently SAS 70 was aligned to ISAE 3402 to include the trust service criteria
• TSC of Security, Availability, Confidentiality, Processing Integrity and Privacy
SOC Types
SOC 1 - Reporting of controls over financial reporting
SOC 2 - Security, Availability, Processing Integrity, Confidentiality & Privacy
SOC 3 - General report for public utility, normally based on TSC
SOC Types
SOC
  SOC 1
    Type 1 – Test of design
    Type 2 – Test of effectiveness
  SOC 2
    Type 1 – Test of design
    Type 2 – Test of effectiveness
TRUST SERVICES CRITERIA

Security
Availability
Processing Integrity
Confidentiality
Privacy
Trust Service Criteria
CC 1.1-1.5 Control Environment
CC 2.1-2.3 Communication & Environment
CC 3.1-3.4 Risk Assessment
CC 4.1-4.2 Monitoring Activities
CC 5.1-5.3 Control Activities
CC 6.1-6.8 Logical & Physical Access Controls
CC 7.1-7.5 System Operations
CC 8.1 Change Management
CC 9.1-9.2 Risk Mitigation
Trust Service Criteria
A 1.1-1.3 Additional Criteria for Availability
C 1.1-1.2 Additional Criteria for Confidentiality
PI 1.1-1.5 Additional Criteria for Processing Integrity
P 1.0-8.1 Additional Criteria for Privacy
Audit Report Structure
Part 1 - Independent auditor's report
Part 2 - Management Assertion
Part 3 - System Description
Part 4 - Testing Results
Preparation for SOC
• Policies & Procedures for Information Security
• Management Description of Controls containing details of business, systems, processes, control environment, control activities, etc.
• Risk Assessment register for the criteria
• Organization Chart
• HR Policies & Procedures
• Admin Procedures
• VAPT (vulnerability assessment and penetration testing)
• Non-disclosure agreements
• Privacy Applicability
Testing Methods
Email: [email protected]
Mob: 9890078785
Partner: S R Chourasiya & Co

THANK YOU