
Sys & Infrast Lifecycle Mngt 1

MIS5203

MIS 5203.951 ■ Spring 2022 ■ William Bailey

Write about one thing of interest you took away from: ISACA “Understanding the New SOC Reports”

January 4, 2020 by William Bailey 18 Comments

Filed Under: Unit 12: Post Implementation and Maintenance

Comments

  1. Peixuan Dou says

    March 4, 2022 at 11:14 am

    1. Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
    2. This report type is intended to meet the need to understand an SO’s internal controls related to such criteria as confidentiality, availability, processing integrity, security and privacy.
    3. SOC-2 should be of great interest to many SOs, including data centers and cloud computing companies. It also applies to any entity subject to HIPAA or the US Gramm-Leach-Bliley Act (GLBA), if nothing else to give owner-managers or board members assurance that they are in compliance with regulations.

  2. Xiaoyu Shi says

    March 5, 2022 at 3:45 am

    Hello professor, here is my answer.
    By reading the SOC report, I learned that SOC-1 tells about the reporting of internal controls provided by the service organization. SOC-2 is telling us about the controls in the reporting service organization related to security, availability, processing integrity, confidentiality, or privacy. SOC-3 is an audit report on security and operations that is publicly available and does not contain detailed information.

  3. Chaoqun Song says

    March 5, 2022 at 3:50 am

    Dear professor,
    Here is my answer:

    The New Service Organization Controls Reports: SOC-1, SOC-2, SOC-3.
    Recently, the AICPA addressed these evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. Because of the evolving needs for a variety of the objectives of these controls, AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3.
    SOC-1: Reporting on Controls at a Service Organization
    SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
    SOC-3: Trust Services Report for Service Organization

  4. Shan Qiao says

    March 5, 2022 at 4:15 am

    Hello Professor,
    SOC-2: report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy, SOC-2 is intended to meet the need to understand an SO’s internal controls:
    - confidentiality
    - availability
    - processing integrity
    - security and privacy
    Stakeholders including customers, regulators, business partners, suppliers and directors use this report. There are two types:
    Type 1 report on management’s description of a service organization’s system and the suitability of the design of controls.
    Type 2 report on management’s descriptions of an SO’s system and the suitability of the design and effectiveness of controls.
    Thank you

  5. Yushu Feng says

    March 5, 2022 at 4:20 am

    Dear professor, the following is my answer, please check, thanks.
    SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
    This report type is intended to meet the need to understand an SO’s internal controls related to such criteria as confidentiality, availability, processing integrity (the conventional information security triangle), security and privacy. The process of performing the attest follows the AICPA guide Reports on Controls at a Service Organization Over Security, Availability, Processing Integrity, Confidentiality or Privacy (to be issued in 2011). It is intended for use by stakeholders such as customers, regulators, business partners, suppliers and directors. Similar to SOC-1, there are two types: type I, report on management’s description of a service organization’s system and the suitability of the design of controls, and type II, report on management’s description of an SO’s system and the suitability of the design and effectiveness of controls. The reports are restricted in use (see figure 1).

    SOC-2 should be of great interest to many SOs, including data centers and cloud computing companies. It also applies to any entity subject to HIPAA or the US Gramm-Leach-Bliley Act (GLBA), if nothing else to give owner-managers or board members assurance that they are in compliance with regulations. Banks could also use SOC-2 reports.

  6. Hongyi Bi says

    March 5, 2022 at 10:33 am

    AICPA adopted SAS 70 18 years ago to audit internal control of SO related to the financial report. As time went on, businesses started to use SAS 70 for all sorts of controls assurance to show good internal control. However, SAS 70 was only for internal controls over financial reporting. To meet these needs, AICPA came up with SOC reports.
    SOC has three parts: SOC-1, SOC-2 and SOC-3.
    SOC-1 is related to ICFR. SOC-2 and SOC-3 are related to controls over security/systems and privacy.

  7. Qi Mao says

    March 5, 2022 at 10:46 am

    About 18 years ago, the American Institute of Certified Public Accountants (AICPA) adopted SAS 70. The purpose of a SAS 70 audit was (and is) to gather evidence on internal controls of a service organization (SO) in which those controls were associated with the delivery of a service that was (and is) related to the financial reports and impacted the financial statement to a material degree. It was not feasible for the user auditors to be able to properly evaluate them on the site of the SO. Recently, the AICPA addressed these evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3. The period of the controls included in the report was simply a point in time in the old SAS 70. Under SSAE 16, the report covers the entire period of testing used in the report. This fact changes the service auditor's service/process considerably, in planning, testing and gathering evidence.

  8. Qian Xiao says

    March 5, 2022 at 12:35 pm

    Because of the evolving needs for a variety of the objectives of these controls, AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3.
    SOC-1: Reporting on Controls at a Service Organization
    SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
    SOC-3: Trust Services Report for Service Organization
    These new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.

  9. Yuguo Qian says

    March 5, 2022 at 12:58 pm

    Under the old SAS 70, the basis of controls evaluated was the prerogative of the SO's management. Management simply decided which controls to test and, as mentioned previously, sometimes was unable to properly identify key controls. There was no accountability or feedback to management about its choice because the auditors were forbidden from choosing them. In the new standard, management has to identify the risks associated with the service and financial reporting by the user and then identify controls that can mitigate those risks. The clarified SAS 70 provides for the user auditor to evaluate the proper choice of controls.
    There is no doubt the new reports SOC-2 and SOC-3 give IT auditors more options for using audit methods in different scenarios, which not only makes the audit work more efficient but also resolves the communication fault in the previous three-party relationship.

  10. Qingzheng Sun says

    March 5, 2022 at 9:29 pm

    Hello, professor
    Here is my answer:
    The thing of interest I took away from ISACA “Understanding the New SOC Reports” is that I know SAS 70 and the need for SOC. From this article, the purpose of a SAS 70 audit is to gather evidence on internal controls of a service organization. And SAS 70 addressed some questions by creating an audit of the controls at SOs, to be performed by auditors who were not the user’s auditors, and a report written on the results of that audit. Understanding these new SOC reports helped me better understand auditing and apply what I learned to my future work.

  11. Xiaotian Wang says

    March 5, 2022 at 10:11 pm

    I am interested in 2 aspects of the article.

    Why is a transition needed?

    (1) A SAS 70 audit is to gather evidence on internal controls of a service organization (SO).
    Because these controls were associated with the delivery of a service that was (and is) related to the financial reports and impacted the financial statement to a material degree, it is more suitable for financial auditors instead of user auditors.

    (2) SAS 70 specifically stated that it was for internal controls over financial reporting (ICFR) and, thus, not correctly applied to privacy or security audits.

    (3) SAS 70 audits have no standard set of controls.

    Differences between SOC-1, SOC-2, SOC-3:

    SOC-1 is the report of the service auditor over ICFR and is associated with a new standard that partially replaces the service auditor side of SAS 70.
    SOC-2 is intended to meet the need to understand an SO’s internal controls related to such criteria as confidentiality, availability, processing integrity, security and privacy.
    SOC-3 is intended to meet the needs of users who want assurance on the controls at an SO such as confidentiality, availability, processing integrity, security and privacy, but who do not have the need for or the knowledge necessary to make effective use of a SOC-2 report.

  12. Qiaohang Zhang says

    March 6, 2022 at 2:12 am

    The AICPA addressed evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. Because of the evolving needs for a variety of the objectives of these controls, AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3.
    SOC-1 is related only to ICFR, SOC-2 is related to controls over security/systems and privacy, and SOC-3 is related to controls over the same.
    These SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.

  13. Tingting Li says

    March 6, 2022 at 3:53 am

    Hi professor,
    here is my answer:
    What interests me in ISACA “Understanding the New SOC Reports” is the SOC reports and new standards. This article introduces these new reports and explains the differences and analysis between the reports. The understanding of these reports is very important for IT auditors. These guidelines and SOC reports provide guidelines and guidelines for auditing, and the controls in them are often embedded in IT, so it is possible for IT auditors to attest against them. Moreover, from the perspective of efficiency and effectiveness, user auditors can also rely on IT audit reports to meet their obligations. Because many types of services involve information technology, and there are more and more controls in information technology, more and more auditors need to rely on these reports, and the business community is beginning to value and appreciate them, sometimes even exceeding the needs of enterprises.

  14. Xue Fang says

    March 6, 2022 at 5:20 am

    Hello professor
    Here is my answer
    It was not feasible for the user auditors to be able to properly evaluate them on the site of the SO. Thus, there was a need for some assurance over the controls of the SO that are relevant to the financial audit of the service user to be provided by someone other than the user auditor.
    Thus, a SAS 70 became a valuable marketing tool to show businesses that the user had sufficient controls about which the prospect could be comfortable and could gain an adequate assurance of the level of security being provided. This worked so well that companies began to use a SAS 70 for all sorts of controls assurance for an SO. Another issue with SAS 70 audits was that there was no standard set of controls. Instead, management of each SO determined the controls to be evaluated.
    These new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.
    Because the controls of these SOC reports are so often embedded in IT, IT auditors, especially CISAs, will be needed to perform the attest services.

  15. Zhuoran Ouyang says

    March 6, 2022 at 7:52 am

    SOC-1: Controls Reporting in a Service Organization
    SOC-2: Report on Security, Availability, Processing Integrity, Confidentiality, and Privacy Controls of a Service Organization.
    SOC-3: Service Organization Trust Services Report

    As we are planning to do a SOC-2 report audit this year, I now have an understanding of the fields that it covers. The vendor will offer a description of the system under scope in the SOC report. The system description will include background information as well as a description of the software, people, procedures, and data. Due to your expertise with your vendor's systems and infrastructure, carefully examine this description to see what they may have decided to leave out of the audit. You can then decide whether it is critical to the security of your system and/or data.

  16. Yidi Xu says

    March 6, 2022 at 8:27 am

    Dear professor, Here is my answer:
    Recently, the AICPA addressed these evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. Because of the evolving needs for a variety of the objectives of these controls, AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3.
    SOC-1: Reporting on Controls at a Service Organization
    SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
    SOC-3: Trust Services Report for Service Organization
    These new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner. Because the controls of these SOC reports are so often embedded in IT, IT auditors, especially CISAs, will be needed to perform the attest services.
    BR
    Yidi Xu

  17. Bowei Zhu says

    March 6, 2022 at 10:02 am

    About 18 years ago, the American Institute of Certified Public Accountants (AICPA) adopted SAS 70, “Service Organizations.” The purpose of a SAS 70 audit was (and is) to gather evidence on internal controls of a service organization (SO) in which those controls were associated with the delivery of a service that was (and is) related to the financial reports and impacted the financial statement to a material degree. Obviously, it was put in place because the financial auditors of the user entity needed to have sufficient assurance on controls over accounts, transactions, or disclosures that were material, and some of those events occurred at a SO.

  18. Qixiang Fu says

    March 8, 2022 at 8:01 am

    A SAS 70 became a valuable marketing tool to show businesses that the user had sufficient controls about which the prospect could be comfortable and could gain an adequate assurance of the level of security being provided.
    Issues: 1. SAS 70 specifically stated that it was for internal controls over financial reporting (ICFR) and, thus, not correctly applied to privacy or security audits.
    2. There was no standard set of controls.
    SOC-1 is related only to ICFR (internal controls over financial reports);
    SOC-2 is related to controls over security/systems and privacy, to meet the need to understand an SO's internal controls related to such criteria as confidentiality, availability, processing integrity, security and privacy.
    SOC-3 is related to controls over the same, to meet the needs of users who want assurance on the controls at an SO such as confidentiality, availability, processing integrity, security and privacy, but who do not have the need for or the knowledge necessary to make effective use of a SOC-2 report.
