AICPA SOC (System and Organization Controls) Reporting: Suite of Services
Prepared by:
Rushabh Pinesh Mehta
Disclaimer
• This presentation was prepared by me based on my own knowledge and experience
• This presentation is only for knowledge-sharing purposes
• This presentation conveys my personal views and opinions, which are in no manner associated with my current or any of my previous organizations
• Illustrations used in the presentation are only for knowledge-sharing purposes
• I do not promote or endorse any organization, service, product or tool in any manner
• This presentation was prepared just to give back to the Information Security community in these difficult times
Agenda
• History / Evolution
• Basic Key Terminologies
• What is SOC reporting and its benefits
• AICPA SOC Suite of Services
• Attestation Standards
• Difference between SOC 1, SOC 2 and SOC 3
• Type of SOC Reports
• SOC Report Structure / Sections of SOC reporting
• Section on System Description
• Additional Terminologies
• SOC 1 control examples
• Overview of SOC 2 and SOC 3 Trust Services Criteria
• Bridge Letter
History / Evolution
• 1974: SAS 3 - The effects of Electronic Data Processing (EDP) on the auditor's study and evaluation of internal control
• 1982: SAS 44 - Special-purpose reports on internal accounting control at service organizations
• 1992: SAS 70 - Service Organizations
• 1997: WebTrust - Principles and criteria for electronic commerce
• 1999: SysTrust - Principles and criteria for system reliability
• 2003: Trust Services Criteria (TSC) - merger of WebTrust and SysTrust
• 2010: SSAE 16 - Reporting on controls at a service organization (replaced SAS 70 for service organization reporting)
• 2011: SOC 1®, SOC 2® and SOC 3®
• 2017: SSAE 18 - supersedes SSAE 16; SOC 1 examinations are now performed under AT-C section 320
• 2017: SOC for Cybersecurity
• 2020: SOC for Supply Chain
Some of the basic key terminologies
• User Entity (UE): The entity / organization that uses the services provided by a service organization
• Service Organization (SO): The entity / organization that provides services to user entities (for example, a payroll processor or a cloud hosting provider)
• Service Auditor: The independent CPA who examines and reports on the service organization's controls
What is SOC reporting and its benefits
• SOC for Service Organizations reports are internal control reports, provided by independent CPAs (service auditors), on the services that a service organization provides to user entities
• Appropriate for understanding how a service organization maintains oversight over the third parties that provide services to its customers
• Help reduce the compliance burden by providing one report that addresses the shared needs of multiple users
• Reduce compliance costs and the time spent on audits and on filling out vendor questionnaires
AICPA SOC Suite of Services
• SOC 1® - SOC for Service Organizations: ICFR
• Report on controls at a service organization relevant to user entities' internal control over financial reporting (ICFR). A restricted-use report, intended for the user entities and their financial statement auditors
• SOC 2® - SOC for Service Organizations: Trust Services Criteria
• Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. A restricted-use report, intended for users who have sufficient knowledge to understand the system description, the controls and the results of the service auditor's tests
• SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
• These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® report. Because they are general use reports, SOC 3® reports can be freely distributed
• SOC for Cybersecurity and SOC for Supply Chain complete the suite. They report on an entity's own cybersecurity risk management program and on its production, manufacturing or distribution system respectively, rather than on services provided to user entities
Attestation Standards
• SOC 1:
• AT-C Section 320: Reporting on an examination of controls at a service organization relevant to user entities' internal control over financial reporting
• SOC 2 and SOC 3:
• AT-C Section 105 (Concepts common to all attestation engagements) and AT-C Section 205 (Examination engagements), applied using the Trust Services Criteria
Additional terminologies
• Subservice Organization (SSO): A vendor used by the service organization to perform some of the services it provides to user entities (for example, a data centre or cloud provider hosting the service organization's system)
• Inclusive method (also called "mutually inclusive" or "carve-in"): The SSO's relevant controls are included in the service organization's system description and are covered by the service auditor's tests. The service organization must obtain the right to audit the SSO (or otherwise obtain evidence from it); this is the usual option when the SSO has no SOC report of its own
• Carve-out method: The SSO's services are described, but its controls are excluded from the description and from the service auditor's tests. The description identifies the controls the service organization assumes the SSO performs (Complementary Subservice Organization Controls, CSOCs), and the user entity is expected to obtain and review the SSO's own SOC report
• Complementary User Entity Controls (CUECs): Controls that the service organization assumes the user entity will implement (for example, promptly removing access for terminated users) and that are necessary, together with the service organization's controls, to achieve the control objectives or criteria
Examples of Control categories for SOC 1
• Entity-level controls
• Customer Provisioning
• User Access Management
• Change Management
• Incident and Problem Management
• Physical Security
• Environmental Security
• Systems Availability
• Backup processes
• Network Monitoring
• Information Security
Overview of SOC 2 and SOC 3 Trust Services Criteria (TSC)
Trust Services Criteria (TSC) and their descriptions:
• Security: The system is protected against unauthorized access, use, or modification
• Availability: The system is available for operation and use as committed or agreed
• Confidentiality: Information designated as confidential is protected as committed or agreed
• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
• Privacy: Personal information is collected, used, retained, disclosed, and disposed of / destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CPA Canada
Note: these are the wordings of the 2016 TSC. The 2017 TSC (TSP section 100, required for report periods ending on or after December 15, 2018) restates them, organises the security criteria as the Common Criteria (CC1 to CC9), which apply to every SOC 2 and SOC 3 examination regardless of the categories selected, and replaces the GAPP reference with privacy criteria contained in the TSC itself
SOC 2 and SOC 3: TSC - Security
• IT security policy
• Security awareness and communication
• Risk assessment
• Logical and physical access
• User authentication
• Change management
• Incident and problem management
• Asset classification and management
• Configuration management
• Vulnerability and patch management
• Security monitoring and compliance
SOC 2 and SOC 3: TSC - Availability
• BCP and IT-DR policy and plan
• Backup and restoration
• Environmental controls
• Disaster recovery
• Business continuity management
SOC 2 and SOC 3: TSC - Confidentiality
• Confidentiality policy
• Confidentiality of inputs
• Confidentiality of data processing
• Information disclosures (including to third parties)
• Confidentiality of information in systems development
SOC 2 and SOC 3: TSC - Processing Integrity
• System processing integrity policies
• Completeness, accuracy, timeliness and authorization of inputs, system processing, and outputs
• Information tracing from source to disposition
SOC 2 and SOC 3: TSC - Privacy
• Privacy management
• Privacy notice / statement
• Choice and consent mechanism
• Collection
• Use and retention
• Access
• Disclosure to third parties
• Quality
• Breach notification
• Monitoring and enforcement
Concept of Bridge Letter / Gap Letter
• A bridge letter, also known as a gap letter, is simply a letter that bridges the "gap" between the service organization's report date (in layman's language: the end date of the SOC report's audit period) and the user organization's year-end (i.e., calendar or fiscal year-end)
• It is issued by the service organization's management, not by the service auditor, so it carries no auditor assurance; user organizations should obtain the next SOC report as soon as it is available
• A bridge letter typically contains:
• A reference to the most recent SOC report and the period it covers
• A statement that the service organization is not aware of any material changes to its controls outside of what is listed in the bridge letter (if any)
• A reminder that user organizations are responsible for following the complementary user entity controls / considerations
• A disclaimer that the bridge letter is not a replacement for the actual SOC report
Some additional resources / references
• AICPA SOC Suite of Services - https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
• Mappings Relevant to the SOC Suite of Services - https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html
Questions?
Thank you!