System and Organization Controls

System and Organization Controls (SOC), defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Principles.[1] The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.

Trust Service Principles

The SOC reports focus on controls addressed by five semi-overlapping categories called Trust Service Principles, which also support the CIA triad of information security:[1]

  1. Privacy
    • Access Control
    • Multi-factor authentication
    • Encryption
  2. Security
    • Firewalls
    • Intrusion detection
    • Multi-factor authentication
  3. Availability
    • Performance monitoring
    • Disaster recovery
    • Incident handling
  4. Processing Integrity
    • Quality assurance
    • Process monitoring
  5. Confidentiality
    • Encryption
    • Access controls
    • Firewalls

Reporting

Levels

There are two levels of SOC reports, which are also specified by SSAE no. 18:[1]

  • Type I, which describes a service organization's systems and whether the design of specified controls meets the relevant trust principles.
  • Type II, which also addresses the operational effectiveness of the specified controls.

Types

There are three types of SOC reports.[2]

  • SOC 1 — Internal Control over Financial Reporting (ICFR)[3]
  • SOC 2 — Trust Services Criteria[4]
  • SOC 3 — Trust Services Criteria for General Use Report[5]

References

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.