Service Organization Controls

Service Organization Controls are a series of accounting standards that measure the control of financial information for a service organization. They are covered under both the SSAE 16 and the ISAE 3402 professional standards.

SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.

SOC 1 overview

SOC 1 reports, which have effectively replaced SAS 70 reports as of June 15, 2011, will be prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SOC 1 reports retain the original purpose of SAS 70 by providing a means of reporting on the system of internal control for purposes of complying with internal control over financial reporting. SOC 1 reports are restricted use reports, which mean use of the reports is restricted to:

For reports that are not specifically focused on internal controls over financial reporting, SOC 2 and SOC 3 reports should be used. These reports will focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy. In the past, SAS 70 reports often encompassed financial reporting controls, operational controls, and compliance controls.[1]

SOC 1 type I and type II Reports

As with SAS 70 reports, both SOC 1 type I and type II reports can be issued:[2]

SOC 2 overview

In January 2014, the AICPA Assurance Services Executive Committee (ASEC) released the revised version of the Trust Services Principles and Criteria (TSP). The new 2014 version of the TSP, now referenced as TSP Section 100, supersedes the 2009 version and is mandatory for examination periods ending on or after December 15, 2014. With these new modifications enacted, the AICPA offers significant changes for auditors, partners, customers, and regulators to bring confidentiality and security measures in line with current security concerns worldwide. While no specific changes have been finalized for the Privacy Principle criteria, major changes to the non-privacy principles include changes in definitions, an all-encompassing Security principle, and updated risk definitions. By compartmentalizing the security principle into seven unique categories, the AICPA increases the relevance of these documents for stakeholders by providing increased organizational oversight and corporate governance, a comprehensive risk management processes, and increased regulatory oversight. BrightLine reviewed the changes and below is a synopsis of the major changes:[3]

The new security principle

One major difference is that the Security Principle now consists of “Criteria Common to All Principles.” The Common Criteria are applicable to four of the five TSPs, known as non-privacy principles, and are addressed only once in the report, rather than each principle addressing portions of common criteria, allowing for greater efficiency in the report. As a result, all SOC 2 examinations performed under the new standards must couple the Security Principle with any non-privacy principle. For instance, a SOC 2 that includes the Availability Principle must also include the Security Principle. Prior to the 2014 updated TSP Section 100, just one of the four non-privacy principles could be included in scope.


The Security Principle was restructured into the following seven categories:

The other non-privacy principles, Availability, Processing Integrity, and Confidentiality, have also been modified to include criteria that are only applicable to the specific principle. This greatly reduces the redundancies found in the old TSPs when more than one non-privacy principle was in scope for the SOC 2 examination.

New definitions

TSP Section 100 now includes modifications, or clarifications, to the definitions of the four non-privacy principles. The definitions listed below include these modifications:

SOC 3

A SOC 3 report is intended for any interested party. [4]

References

This article is issued from Wikipedia - version of the Saturday, February 20, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.