[GRC]-soc-framework-notes.md

File metadata and controls

40 lines (35 loc) · 2.98 KB

The story of SOC

  • SOC stands for System and Organization Controls
  • Governed by the AICPA (American Institute of Certified Public Accountants)
  • Reports must be signed off by a technically adept individual holding the CPA (Certified Public Accountant) designation

Why does the need for SOC arise in the first place?

  • Due Diligence: The industry's strong demand for independent third-party assurance justifies conducting SOC audits. Typical drivers are customer demand, audits, vendor questionnaires, and fiduciary duty.

  • Audit Once, Report Many: The set of controls audited can be customized so that a single audit satisfies the requirements of multiple parties, and the resulting report becomes an internal resource for your GRC team to reuse. This minimizes audit fatigue and the aggregate time spent on auditing.

  • Corporate Governance: Assuring customers and key stakeholders that you take security seriously, and demonstrating maturity.

Intended audience of a SOC report

  • User entities and user auditors: For instance, if your organization hosts a proprietary application, the people reviewing the SOC report would be the users of that application (the customers who purchased it) and any auditors they employ to assess their own environment.
  • A well-educated audience with prior experience reviewing such reports.
  • Anyone you share the SOC report with should have an NDA in place, and their details should be recorded.
  • Reports should not be made freely available.

Key terminology

  • Attestation: SOC is an attestation, not a certification. (An attestation is an opinion, in contrast to a certification, which is definite in its terms.)
  • Independence: The person who implements the controls cannot provide an independent third-party opinion on those controls. The entity producing the report must be independent of the organization and of the control environment it assesses.
  • Trust Services Categories & Corresponding Criteria: Both the categories and the criteria under them are defined and governed by the AICPA.
  • Controls: Your organization maintains the controls, which must be in line with the intent of the criteria set by the AICPA. Your auditor can help assess whether your controls are suitably designed to meet the intent of the criteria.
  • Service Auditor Test: A test defined by your auditor that helps establish assurance that the controls are in place.
  • Exceptions: Deficiencies identified during the reporting process. Something you state you do but that is not actually in place results in an exception in your report. For example, you stated that you conduct vulnerability assessment scans quarterly but failed to actually perform them.
  • Sample Testing: Applies to Type II reports, which cover a period of time (as opposed to Type I reports, which assess control design at a point in time). It is part of SOC audits and is meant to establish that the controls operated effectively throughout that period.
  • Completeness and Accuracy: Auditors need the evidence presented to be complete and accurate in order to gain assurance from it.
  • Vendor vs Sub-service Organizations: