SOC - System and Organization Controls
SOC stands for System and Organization Controls and represents a group of compliance standards developed by the American Institute of CPAs (AICPA), a network of accounting professionals across the globe. SOC audits examine the policies, procedures, and internal controls of an organization. SOC reports are designed to help organizations that operate information systems and share their information with other organizations.
Types of SOC Audits and Reports
 | SOC 1 (Financial Controls) | SOC 2 (IT Controls) | SOC 3 (Publicly Shareable)
---|---|---|---
ABOUT | A SOC 1 report covers controls at a service organization that are relevant to user entities' internal control over financial reporting. | A SOC 2 report is based on the SysTrust and WebTrust principles. Its aim is to evaluate an organization's information systems as they relate to security, availability, processing integrity, confidentiality, or privacy. | SOC 3 is analogous to SOC 2 and is also based on the SysTrust and WebTrust principles. The difference is that the report does not detail the testing performed and is intended to be used as marketing material.
PURPOSE | Audits of financial statements | GRC programs, oversight, due diligence | Marketing or general purpose
INTENDED USERS | Financial statement auditors, customers, related third parties | Management, regulators, related third parties | Anyone with a need for confidence in a service organization's controls
FOCUS ON | Internal controls relevant to financial reporting | Operational controls regarding security, availability, processing integrity, confidentiality or privacy | Easy-to-read report on controls
REPORT TYPE | Type I, Type II | Type I, Type II | General
EVALUATES | Design of internal control; operating effectiveness of internal control during the review period | Design of internal control; operating effectiveness of internal control during the review period | Design of controls related to SOC 2 objectives
Report Types | SOC 1 | SOC 2
---|---|---
TYPE 1 | |
TYPE 2 | |
Trust Services Principles
- Security
- Processing Integrity
- Privacy
- Confidentiality
- Availability
Compliance Roadmap
Phase 1: Audit Preparation
- Define audit scope and overall project timeline
- Identify existing or required controls through discussion with management and review of available documents
- Perform readiness review to identify gaps requiring management attestation
- Communicate prioritized recommendations to address any identified gaps
- Hold working sessions to discuss alternatives and remediation plans
- Verify that gaps have been closed before beginning the formal audit phase
- Determine the most effective audit and reporting approach to address the service provider’s external requirements
Phase 2: Audit Planning
- Complete advance data collection before on-site work to accelerate the audit process
- Conduct on-site meetings and testing
- Complete off-site analysis of collected information
- Conduct weekly reporting of project status and identified issues
- Provide a draft report for management review before the final report is issued
- Provide an internal report for management containing any overall observations and recommendations for consideration
Phase 3: Audit Reporting & Attestation
- Description of your controls and results of our tests
- Confirmation from client on the report
- CPA Attestation (Seal and Sign)
- Project Closure
Visit the following sections for more information on the next steps for getting certified by INTERCERT.