One thing that needs to be pointed out is the difference between SAS 70 and the new SSAE 16. Both SAS 70 and SSAE 16 focus on the user’s ICFR. Some controls located at the SO are key controls, but there is no technical difference. However, it is better to limit the use of SSAE 16 to ICFR. The basis of the evaluated control measures is the prerogative of SO management under the old SAS 70. Under the new standard SSAE 16, management must identify the risks associated with user services and financial reporting, and then determine the controls that can mitigate these risks. The time period is a specific point in time under SAS 70, while the system description covers the entire test period under SSAE 60. With regard to assertions, one difference for service auditors is the change from audit to certification. For management, the new standard requires that management provide a written statement. The last difference is the user of the report. The old one basically put the report into the public domain, while the new one restricts the use of the report to service or user management and user auditors.
What I found very interesting is the difference between SOC-1 and SOC-2, because this is one of the questions I missed in the interview. SOC-1 partially replaces the service auditor side of SAS 70 and covers internal control over financial reporting (ICFR) at the service organization (SO). SOC-2, on the other hand, reports on controls related to security, availability, processing integrity, confidentiality, or privacy. Organizations dealing with data centers, cloud computing, and overall information security will have great interest in SOC-2.
In this reading material, I am more interested in the differences and changes between the old and new standards. Because changes in audit standards affect the development of audit work, learning new reports and standards in a timely manner can prepare us for future work. Similarly, as IT auditors, we must understand the new standards and SOC reports because they provide IT auditors, especially CISAs, with the opportunity to perform the required services. In-depth study of the guidelines and standards behind these reports, as well as the differences between the old and the new, allows us to provide the audited unit with the correct IT audit services in an appropriate way.
Reading the SOC-related material, what interests me most from a management point of view is security operations management as a management mode and a management technology. The management mode is closely related to the type of business organization, its business model and the nature of the organization, and integrating this management approach through a security platform is, like another ERP implementation, undoubtedly very difficult. Anyway, there is still a certain gap between the current SOC and users’ expectations. I am very interested in its future development and construction.
SOC-1: Reporting on Controls at a Service Organization.
SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
SOC-3: Trust Services Report for Service Organization.
Within the SOC report, the vendor will provide a description of the system in scope. Background information and a description of the software, people, procedures, and data will all be covered in the system description. Given your familiarity with your vendor’s systems and infrastructure, review this description closely to determine what they may have chosen to exclude from the audit. From there, you can determine whether the exclusion is important to the security of your system and/or data.
Because of the evolving needs for a variety of the objectives of these controls, AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3.
IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner. Because the controls of these SOC reports are so often embedded in IT, IT auditors, especially CISAs, will be needed to perform the attest services.
What I found interesting in the reading is the difference between SAS 70 and the new SSAE 16. Under the new standard SSAE 16, management must identify risks associated with customer service and financial reporting, and then identify controls that can mitigate those risks. The time period is a specific point in time under SAS 70, while the system description covers the entire test period under SSAE 60. This will be of great interest to organizations involved in data centers, cloud computing, and overall information security.
As I was reading through the ISACA article on “Understanding the New SOC Reports”, I began to recall covering the topic of how CISA has shifted away from the use of SAS 70 audit reports to SOC audit reports in the last 8 years in my IT Service Delivery and Support course. The acronyms I used in the previous sentence stand for Statement on Auditing Standard (SAS) and Service Organization Controls (SOC), respectively. I began to draw a lot of parallels between what I was reading in the article and what was taught in that course, including the primary reasons that auditors began to shift to SOC audits, those being that the SAS 70 audits were designed primarily for assessing controls for financial reporting. The other primary reason was that it relied on organizations to identify all the controls that were to be tested, which created the risk of organizations either intentionally or unintentionally leaving out important controls, which compromised the integrity of the audit reports. The IT Service Delivery and Support course also familiarized us with the purposes of the 3 versions of the SOC audit report that are made: the first having a primary focus on controls over financial reporting, the second focusing on the confidentiality, integrity and availability triangle of their internal controls and information systems, and the third being a more general report accessible to anyone but containing no sensitive information.
After reading the article, I was interested in the transition from Statement on Auditing Standard (SAS) No. 70 reports to the new Service Organization Controls (SOC) reports. The purpose of a SAS 70 audit was (and is) to gather evidence on internal controls of a service organization (SO). The AICPA addressed some evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. They came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3. SOC-1 is the report of the service auditor over ICFR. SOC-2 reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. SOC-3 is the Trust Services Report for Service Organizations. These new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.
I am interested in the new service organization controls reports: SOC-1, SOC-2, SOC-3.
SOC-1 is the report of the service auditor over ICFR and is associated with a new standard that partially replaces the service auditor side of SAS 70. SSAE 16 is virtually identical to its international complement. It is important that CISAs and IT auditors in general understand the differences between SAS 70 and SSAE 16.
SOC-2 should be of great interest to many SOs, including data centers and cloud computing companies. It also applies to any entity subject to HIPAA or the US Gramm-Leach-Bliley Act (GLBA), if nothing else to give owner-managers or board members assurance that they are in compliance with regulations. Banks could also use SOC-2 reports.
SOC-3 will be the proper report if an SO wants to have an assurance service and use the subsequent report as a marketing tool.
The new service organization control reports include SOC-1, SOC-2, and SOC-3. Among them, I am more interested in the changes of SOC-1 compared to SAS 70.
SOC-1 is the service auditor’s report regarding ICFR and is associated with the new standard that partially replaces SAS 70. In the SOC-1 report, an obvious difference for service auditors is the change from audit to certification. The American Institute of Certified Public Accountants pointed out that audit services are reserved for financial audits. Therefore, what the service auditors do is proof. One other noteworthy difference is the users of the report. SAS 70 was designed for multiple users and basically went into the public domain. SOC-1 restricts use of the report to service/user management and user auditors; that is, it cannot be used as a marketing tool to prospects.
The new service organization controls reports: SOC-1, SOC-2, SOC-3. Recently, the AICPA addressed these evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. SOC-1 is the report of the service auditor over ICFR and is associated with a new standard that partially replaces the service auditor side of SAS 70. Because the controls of these SOC reports are so often embedded in IT, IT auditors, especially CISAs, will be needed to perform the attest services.
I’m more interested in the differences between SAS 70 and the new SSAE 16.
SAS 70 audits addressed examinations of controls over subject matter other than financial reporting. SSAE 16 cannot be used legitimately to address these other controls, but they can be addressed in SOC-2 and SOC-3 (AT 101).
The period of the controls included in the report was simply a point in time in the old SAS 70. Under SSAE 16, the report covers the entire period of testing used in the report.
SAS 70 was designed for multiple users and basically went into the public domain, while SOC-1/SSAE 16 restricts use of the report to service/user management and user auditors.
The new service organization control reports include SOC-1, SOC-2, and SOC-3. SOC-1 is the ICFR service auditor’s report. SOC-2 reports on service organization controls related to security, availability, processing integrity, and confidentiality or privacy. SOC-3: Trust service reports for service organizations. These new standards and SOC reports will provide IT auditors, especially CISA, with the opportunity to perform the required services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences between them in order to deliver the right services in the right way.
After reading ISACA’s article on “Understanding the New SOC Report”, I found that this article provides a brief understanding of the certification standards for inspecting the controls and processes of a service organization. It requires management to provide a written statement about the fairness of the system description, the suitability of the design, and the effectiveness of the controls.
The main reasons for switching from SAS 70 to SSAE 16 are: 1. SAS 70 is mainly used to evaluate control measures for financial reporting. 2. It relies on the organization to determine all the controls to be tested, which brings risk to the organization and can cause the organization to omit certain important control measures, thereby compromising the integrity of the audit report. SSAE 16 covers the entire test period. Managers must identify risks related to user services and financial reports, and take further control measures that can mitigate these risks.
The SSAE 16 audit produces 3 different types of reports: SOC 1, SOC 2 and SOC 3.
SOC 1 is further divided into Type 1 and Type 2. A Type 1 report focuses on the auditor’s opinion on the accuracy and completeness of the data and on management’s design of controls, systems and services, while a SOC 1 Type 2 report includes Type 1 plus a review of the effectiveness of controls over a specific period. SOC 2 focuses on internal control and information systems for the confidentiality, integrity and availability of financial reports. SOC 3 is the Trust Services Report for Service Organizations and also provides basic standards for the security and availability of system information.
I’m interested in the transition from Statement on Auditing Standard (SAS) No. 70 reports to the new Service Organization Controls (SOC) reports. The AICPA addressed some evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. They came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3.
SOC-1 is the report of the service auditor over ICFR.
SOC-2 report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
SOC-3: Trust Services Report for Service Organization. These new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services.
IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.
After reading this article, I gained some interesting things from its content:
At first, the article mainly describes and explains the approaches that aim to deal with protecting organizations’ systems from outside attacks and from dangers that exist inside the organization.
In addition, the article also tells how IT auditors take action to deal with the problems, and those actions are based on cooperation with the administrators of the system.
SAS 70 is based on management’s choice, but SSAE 16 is based on a risk basis for the controls implemented. In addition, SAS 70 is used at a specific point in time, but SSAE 16 covers the entire period of testing. Also, SAS 70 is basically used by the public, but SSAE 16 is usually used by the user auditor, management of the SO, and management of the user. These new standards and SOC reports help IT auditors to perform needed services. We need to understand these reports and the differences among them.
After reading the title of this paper I was pretty interested in the reason why we need new standards.
A SAS 70 became a valuable marketing tool to show businesses that the user had sufficient controls about which the prospect could be comfortable and could gain an adequate assurance of the level of security being provided. This worked so well that companies began to use a SAS 70 for all sorts of controls assurance for an SO. However, SAS 70 specifically stated that it was for internal controls over financial reporting (ICFR) and, thus, not correctly applied to privacy or security audits.
Another issue with SAS 70 audits was that there was no standard set of controls. Instead, management of each SO determined the controls to be evaluated, and thus, there was the possibility that management might not have been able to identify one or more critical controls and, thereby, could have unintentionally tainted the SAS 70 report. Even the identification of controls was not formalized in writing.
Therefore, these new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.
I got some interesting things from the content of these articles:
First of all, the article mainly describes and explains the methods designed to solve the problem of protecting the organization’s system from external attacks and the dangers within the organization.
In addition, this article also describes how IT auditors can take measures to solve problems, and these measures are based on cooperation with system administrators.
CISAs will face the ever-changing problem of SOC in the future. The book does not mention the impact of SOC changes on CISAs’ practical work. I will inquire about this problem after class.
AICPA addresses these evolving issues with SAS 70 and provides a more effective framework to ensure control in service organizations. Due to the changing requirements for the various objectives of these controls, AICPA proposed the Service Organization Controls (SOC) reports, referred to as SOC-1, SOC-2 and SOC-3. SOC-1 is only related to ICFR, SOC-2 is related to security / system control and privacy, while SOC-3 is related to control. In addition, AICPA has issued a “clarified SAS 70” for user auditors only.
SOC-1: report on the controls of a service organization
SOC-2: report on the controls of a service organization related to security, availability, processing integrity, confidentiality or privacy
SOC-3: trust services report of a service organization
SOC-1: report on the controls of the service organization.
SOC-2: reports on service organization controls related to security, availability, processing integrity, confidentiality, or privacy.
SOC-3: trust services report for the service organization.
IT auditors need to understand these reports, the standards and guidelines behind them, and the differences between them in order to provide the right services in an appropriate manner.
SOC (Service Organization Controls) audit is a report issued by the American Institute of Certified Public Accountants after a strict audit of the system and internal control of the outsourcing service organization, which can fully prove the rationality of the internal control design and the effectiveness of the implementation. The audit for Alibaba Cloud this time involves SOC2 and CCM. Among them, SOC2 audits an enterprise’s security, availability, process integrity, confidentiality or privacy-related service control, and CCM is the current international cloud computing industry’s general cloud security control requirements and control framework.
The third-party organization’s data security audit process for Alibaba Cloud involves a total of 217 core control points in the daily process mechanisms of Alibaba Cloud’s product, R&D, security, and service teams, proving that Alibaba Cloud’s internal control level meets the three goals of information security, data confidentiality and system availability. This is also the first time a cloud computing service provider in China has passed this rigorous audit.
Risk: there could be a gap between the security measures provided by the CSP and the requirements of the enterprise.
Countermeasures:
• … (e.g., SOC reports, SOX, PCI DSS, HIPAA, ISO certification).
• Include in the contract language that requires the CSP to be aligned with the enterprise’s security policy and to implement necessary controls to ensure it.
• Request the CSP’s disaster recovery plans and ensure that they contain the necessary countermeasures to protect physical assets during and after a disaster.
Risk (data disposal): proper disposal of data is imperative to prevent unauthorized disclosure. If appropriate measures are not taken by the CSP, information assets could be sent (without approval) to countries where the data can be legally disclosed due to different regulations concerning sensitive data. Disks could be replaced, recycled or upgraded without proper …
Countermeasures:
• Request the CSP’s technical specifications and controls that ensure that data are properly wiped and backup media are destroyed when requested.
• Include terms in the contract that require, upon contract expiration or any event ending the contract, a mandatory data wipe carried out under the enterprise’s supervision.
The part of the reading material that interests me more is the difference between SAS 70 and the new SSAE 16.
Under the new standard SSAE 16, management must determine the risks associated with customer service and financial reporting, and then determine the control measures that can mitigate these risks.
The management-choice basis is replaced with a risk basis for the implemented/selected control measures. As for the period, the system description covers the entire test cycle. SSAE 16 will improve management’s written statement, targeting user auditors, SO management and user management. The focus of both standards is the user’s ICFR. The more important new change is that management must provide a description of the system and of the design (Type I) and effectiveness (Type II) of controls, and the suitability of the introduction. The written statement is part of the service auditor’s final report. It can be seen that the outputs of financial auditors and the IT audit sector are becoming increasingly distinct. Previous experience in the firm is that financial auditors have assumed more responsibilities, but with the widespread application of information systems, IT auditors will play more roles in the attestation business.
One thing that needs to be pointed out is the difference between SAS 70 and the new SSAE 16. Both SAS70 and SSAE 16 focus on the user’s ICFR. Some controls located at SO are key controls, but there is no technical difference. However, it is better to limit the use of SSAE 16 to ICFR. The basis of the evaluated control measures is the prerogative of SO management under the old SAS 70. Under the new standard SSAE 16, management must identify the risks associated with user services and financial reporting, and then determine the controls that can mitigate these risks. This time period is a specific time point under SAS 70, and the system description covers the entire test period under SSAE 60. With regard to assertions, one difference for service auditors is the change from audit to certification. For management, it is required that management must provide a written statement in accordance with the new standard. The last difference is the user of the report. The old one made the report basically into the public domain, while the new one restricts the use of the report to service or user management and user auditors.
What I found very interesting is what is the difference between SOC-1 and SOC-2, because this is one of the questions I missed in the interview. SOC-1 partially replaces the service auditor of SAS 70 and provides internal control of financial reporting (ICFR) in the service organization (SO). At the same time, SOC-2 is reporting controls related to security, availability, processing integrity, confidentiality, or privacy. Organizations dealing with data centers, cloud computing, and overall information security will have great interest in SOC-2.
In this reading material, I will be more interested in the differences and changes between the old and new standards. Because changes in audit standards will affect the development of audit work, learning new reports and standards in a timely manner can prepare for future work. Similarly, as an IT auditor, we must understand the new standards and SOC reports because that provide IT auditors, especially CISA, with the opportunity to perform the required services. And in-depth study of the guidelines and standards behind these reports, as well as the differences between the old and the new, can provide the audited unit with correct IT audit services in an appropriate way.
By reading the SOC report related content, let I am most interested in from management, based on the process of security operations management, more time to reflect is a kind of management mode and management technology, the management mode and type of business organization, business model has considerable relationship and the nature of the organization, and the management way to pass a security platform for integration, there is no doubt that in another set of ERP implementation, the difficulty is very high. Anyway, there is still a certain gap between the current SOC and the user’s expectation. I am very interested in its future development and construction.
SOC-1: Reporting on Controls at a Service Organization.
SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
SOC-3: Trust Services Report for Service Organization.
Within the SOC report, the vendor will provide a description of the system in scope. Background information and a description of the software, people, procedures, and data will all be covered in the system description. Due to familiarity with your vendor’s systems and infrastructure, review this description closely to determine what they may have chosen to exclude from the audit. From there, you can determine if it is important to the security of your system and/or data.
Because of the evolving needs for a variety of the objectives of these controls, AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3.
IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner. Because the controls of these SOC reports are so often embedded in IT, IT auditors, especially CISAs, will be needed to perform the attest services.
What I found interesting in the reading is the difference between SAS 70 and the new SSAE 16. Under the new standard SSAE 16, management must identify risks associated with customer service and financial reporting, and then identify controls that can mitigate those risks. This time period is a specific point in time under SAS 70, and the system description covers the entire test period under SSAE 60. Organizations involved in data centers, cloud computing, and overall information security will be of great interest.
As I was reading through the ISACA article on “Understanding the New SOC Reports”, I began to recall covering the topic of how CISA has shifted away from the use of SAS 70 audit reports to SOC audit reports in the last 8 years in my IT Service Delivery and Support course. The acronyms I used in the previous sentence stand for Statement on Auditing Standard (SAS) and Service Organization Controls (SOC), respectively. I began to draw a lot of parallels between what I was reading in the article and what was taught in that course, including the primary reasons that auditors began to shift to SOC audits, those being that the SAS 70 audits were designed primarily for assessing controls for financial reporting. The other primary reason being that it relied on organizations to identify all the controls that were to be tested, which created the risk of organizations either intentionally or unintentionally leaving important controls out that compromises the integrity of the audit reports. The IT Service Delivery and Support course also familiarized us with the purposes of the 3 versions of the SOC audit report that are made: the first having a primary focus on controls over financial reporting, the second focusing on the confidentiality, integrity and availability triangle of their internal controls and information systems, and the third is a more general report accessible to anyone but contains no sensitive information.
After reading the article, I was interested in the transition from Statement on Auditing Standard (SAS) No. 70 reports to the new Service Organization Controls (SOC) reports. The purpose of a SAS 70 audit was (and is) to gather evidence on internal controls of a service organization(SO). The AICPA addressed some evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. They came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3. SOC-1 is the report of the service auditor over ICFR. SOC-2 report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. SOC-3: Trust Services Report for Service Organization. These new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.
I am interested in the new service organization controls reports: SOC-1, SOC-2, SOC-3.
SOC-1 is the report of the service auditor over ICFR and is associated with a new standard that partially replaces the service auditor side of SAS 70. SSAE 16,9 virtually identical to its international complement. It is important that CISAs and IT auditors in general understand
the differences between SAS 70 and SSAE 16.
SOC-2 should be of great interest to many SOs, including data centers and cloud computing companies. It also applies to any entity subject to HIPAA or the US Gramm-Leach-Bliley Act (GLBA), if nothing else to give owner-managers or board members assurance that they are in compliance with regulations. Banks could also use SOC-2 reports.
SOC-3 will be the proper report if an SO wants to have an assurance service and use the subsequent report as a marketing tool.
The new service organization control report includes SOC-1, SOC-2, and SOC-3. Among them, I am more interested in the changes of SOC-1 compared to SAS70.
SOC-1 is the service auditor for service auditors regarding ICFR and SAS 70 associated with the partial replacement of the new standard. In the SOC-1 report, an obvious difference between service auditors is the change from audit to certification. The American Institute of Certified Public Accountants pointed out that audit services are reserved for financial audits. Therefore, what the service auditors do is proof. One other noteworthy difference is the users of the report. SAS 70 was designed for multiple users and basically went into the public domain. SOC-1 restricts use of the report to service/user management and user auditors; that is, it cannot be used as a marketing tool to prospects.
The new service organization controls reports: SOC-1, SOC-2, SOC-3. Recently, the AICPA addressed these evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. SOC-1 is the report of the service auditor over ICFR and is associated with a new standard that partially replaces the service auditor side of SAS 70. Because the controls of these SOC reports are so often embedded in IT, IT auditors, especially CISAs, will be needed to perform the attest services.
I’m more interested in the differences between SAS 70 and the new SSAE 16.
SAS 70 audits addressed examinations of controls over subject matter other than financial reporting. SSAE 16 cannot be used legitimately to address these other controls, but they can be addressed in SOC-2 and SOC-3 (AT 101).
The period of the controls included in the report was simply a point in time in the old SAS 70. Under SSAE 16, the report covers the entire period of testing used in the report.
SAS 70 was designed for multiple users and basically went into the public domain, while SOC-1/SSAE 16 restricts use of the report to service/user management and user auditors.
The new service organization control reports include SOC-1, SOC-2, and SOC-3. SOC-1 is the ICFR service auditor’s report. SOC-2 reports on service organization controls related to security, availability, processing integrity, and confidentiality or privacy. SOC-3: Trust service reports for service organizations. These new standards and SOC reports will provide IT auditors, especially CISA, with the opportunity to perform the required services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences between them in order to deliver the right services in the right way.
After reading ISACA’s article on “Understanding the New SOC Report”, I found that this article provides a brief understanding of the certification standards for the inspection of the controls and processes of the inspection service organization. It requires management to provide a written statement about the fairness of the system description, the applicability of the design, and the effectiveness of the controls.
The main reasons for switching from SAS 70 to SSAE 16 are: 1. SAS 70 is mainly used to evaluate control measures for financial reporting. 2. It relies on the organization to determine all the controls to be tested, which brings risks to the organization and may cause the organization to omit certain important control measures, thereby compromising the integrity of the audit report. SSAE 16 covers the entire test period. Managers must identify risks related to user services and financial reports, and take further control measures that can mitigate these risks.
The SSAE 16 audit produces 3 different types of reports: SOC1, SOC2 and SOC3.
SOC1 is further divided into Type 1 and Type 2. A Type 1 report focuses on the auditor’s opinion on the accuracy and completeness of the data and the central management department’s design of controls, systems and services, while a SOC1 Type 2 report includes Type 1 and a review of the effectiveness of controls over a specific period. SOC2 focuses on internal control and information systems for the confidentiality, integrity and availability of financial reports. SOC3 is the Trust Services Report for Service Organizations, and it also provides basic standards for the security and availability of system information.
I’m interested in the transition from Statement on Auditing Standard (SAS) No. 70 reports to the new Service Organization Controls (SOC) reports. The AICPA addressed some evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. They came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3.
SOC-1 is the report of the service auditor over ICFR.
SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
SOC-3: Trust Services Report for Service Organization. These new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services.
IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.
After reading this article, I gained some interesting things from its content:
At first, the article mainly described and explained the approaches which aim to deal with the issues of protecting the organization’s systems from outside attacks and from the dangers that exist inside the organization.
In addition, the article also tells how the IT auditor takes action to deal with the problems, and those actions are based on cooperation with the administrators of the system.
SAS 70 is based on management’s choice, but SSAE 16 is based on a risk basis for the controls implemented. In addition, SAS 70 is used at a specific point in time, but SSAE 16 covers the entire period of testing. Also, SAS 70 is basically used by the public, but SSAE 16 is usually used by the user auditor, management of the SO, and management of the user. These new standards and SOC reports help IT auditors to perform needed services. We need to understand these reports and the differences among them.
After reading the title of this paper I was pretty interested in the reason why we need new standards.
A SAS 70 became a valuable marketing tool to show businesses that the user had sufficient controls about which the prospect could be comfortable and could gain an adequate assurance of the level of security being provided. This worked so well that companies began to use a SAS 70 for all sorts of controls assurance for an SO. However, SAS 70 specifically stated that it was for internal controls over financial reporting (ICFR) and, thus, not correctly applied to privacy or security audits.
Another issue with SAS 70 audits was that there was no standard set of controls. Instead, management of each SO determined the controls to be evaluated, and thus, there was the possibility that management might not have been able to identify one or more critical controls and, thereby, could have unintentionally tainted the SAS 70 report. Even the identification of controls was not formalized in writing.
Therefore, these new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.
I got some interesting things from the content of these articles:
First of all, the article mainly describes and explains the methods designed to solve the problem of protecting the organization’s system from external attacks and the dangers within the organization.
In addition, this article also describes how IT auditors can take measures to solve problems, and these measures are based on cooperation with system administrators.
CISA will face the ever-changing problem of SOC in the future. The book does not mention the impact of SOC changes on CISA’s practical work. I will inquire about this problem after class.
AICPA addresses these evolving issues with SAS 70 and provides a more effective framework to ensure control in service organizations. Due to the changing requirements for the various objectives of these controls, AICPA proposed the service organization control (SOC) report, which is referred to as SOC-1, SOC-2 and SOC-3. SOC-1 is only related to ICFR, SOC-2 is related to security / system control and privacy, while SOC-3 is related to control. In addition, AICPA has issued a “clarified SAS 70” for user auditors only.
SOC-1: report on the controls of a service organization
SOC-2: report on the controls of a service organization related to security, availability, processing integrity, confidentiality or privacy
SOC-3: trust services report of a service organization
SOC-1: report on the controls of the service organization.
SOC-2: reports on service organization controls related to security, availability, processing integrity, confidentiality, or privacy.
SOC-3: trust services report for the service organization.
IT auditors need to understand these reports, the standards and guidelines behind them, and the differences between them in order to provide the right services in an appropriate manner.
SOC (Service Organization Controls) audit is a report issued by the American Institute of Certified Public Accountants after a strict audit of the system and internal control of the outsourcing service organization, which can fully prove the rationality of the internal control design and the effectiveness of the implementation. The audit for Alibaba Cloud this time involves SOC2 and CCM. Among them, SOC2 audits an enterprise’s security, availability, process integrity, confidentiality or privacy-related service control, and CCM is the current international cloud computing industry’s general cloud security control requirements and control framework.
The third-party organization’s data security audit process for Alibaba Cloud involves a total of 217 core control points in the daily process mechanisms of Alibaba Cloud’s products, R&D, security, and service teams, proving that Alibaba Cloud’s internal control level meets the three goals of information security, data confidentiality and system availability. This is also the first time a cloud computing service provider in China has passed this rigorous audit.
Risk: There could be a gap between the security measures provided by the CSP and the requirements of the enterprise.
Controls:
(e.g., SOC reports, SOX, PCI DSS, HIPAA, ISO certification).
• Include in the contract language that requires the CSP to be aligned with the enterprise’s security policy and to implement necessary controls to ensure it.
• Request the CSP’s disaster recovery plans and ensure that they contain the necessary countermeasures to protect physical assets during and after a disaster.

Data disposal
Risk: Proper disposal of data is imperative to prevent unauthorized disclosure. If appropriate measures are not taken by the CSP, information assets could be sent (without approval) to countries where the data can be legally disclosed due to different regulations concerning sensitive data. Disks could be replaced, recycled or upgraded without proper
Controls:
• Request CSP’s technical specifications and controls that ensure that data are properly wiped and backup media are destroyed when requested.
• Include terms in the contract that require, upon contract expiration or any event ending the contract, a mandatory data wipe carried out under the enterprise’s supervision.
The part of the reading material that interests me more is the difference between SAS 70 and the new SSAE 16.
Under the new standard SSAE 16, management must determine the risks associated with customer service and financial reporting, and then determine the control measures that can mitigate these risks.
The management-choice basis is replaced with the risk basis of the implemented/selected control measures. As for the period, the system description covers the entire test cycle. SSAE 16 will improve management’s written statement, targeting user auditors, SO management and user management. The focus of these two standards is the user’s ICFR. The more important new change is that management must provide a description of the system and of the control design (Type I) and effectiveness (Type II), and the suitability of the introduction. The written statement is part of the service auditor’s final report. It can be seen that financial auditors and the IT audit sector have increasingly clear outputs. Previous experience in the firm is that financial auditors have assumed more responsibilities, but with the widespread application of information systems, IT auditors will play more roles in the attestation business.