1. Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
2. This report type is intended to meet the need to understand an SO’s internal controls related to such criteria as confidentiality, availability, processing integrity, security and privacy.
3. SOC-2 should be of great interest to many SOs, including data centers and cloud computing companies. It also applies to any entity subject to HIPAA or the US Gramm-Leach-Bliley Act (GLBA), if nothing else to give owner-managers or board members assurance that they are in compliance with regulations.
Hello professor, here is my answer.
By reading the SOC report, I learned that SOC-1 tells about the reporting of internal controls provided by the service organization. SOC-2 tells us about the controls in the reporting service organization related to security, availability, processing integrity, confidentiality, or privacy. SOC-3 is an audit report on security and operations that is publicly available and does not contain detailed information.
The New Service Organization Controls Reports: SOC-1, SOC-2, SOC-3.
Recently, the AICPA addressed these evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. Because of the evolving needs for a variety of the objectives of these controls, AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3.
SOC-1: Reporting on Controls at a Service Organization
SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
SOC-3: Trust Services Report for Service Organization
Hello Professor,
SOC-2: Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. SOC-2 is intended to meet the need to understand an SO’s internal controls:
- confidentiality
- availability
- processing integrity
- security and privacy
Stakeholders including customers, regulators, business partners, suppliers and directors use this report. There are two types:
Type 1: report on management’s description of a service organization’s system and the suitability of the design of controls.
Type 2: report on management’s description of an SO’s system and the suitability of the design and effectiveness of controls.
Thank you
Dear professor, the following is my answer, please check, thanks.
SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
This report type is intended to meet the need to understand an SO’s internal controls related to such criteria as confidentiality, availability, processing integrity (the conventional information security triangle), security and privacy. The process of performing the attest follows the AICPA guide Reports on Controls at a Service Organization Over Security, Availability, Processing Integrity, Confidentiality or Privacy (to be issued in 2011). It is intended for use by stakeholders such as customers, regulators, business partners, suppliers and directors. Similar to SOC-1, there are two types: type I, report on management’s description of a service organization’s system and the suitability of the design of controls, and type II, report on management’s description of an SO’s system and the suitability of the design and effectiveness of controls. The reports are restricted in use (see figure 1).
SOC-2 should be of great interest to many SOs, including data centers and cloud computing companies. It also applies to any entity subject to HIPAA or the US Gramm-Leach-Bliley Act (GLBA), if nothing else to give owner-managers or board members assurance that they are in compliance with regulations. Banks could also use SOC-2 reports.
AICPA adopted SAS 70 18 years ago to audit internal controls of SOs related to financial reporting. As time went on, businesses started to use SAS 70 for all sorts of controls assurance to show good internal control. However, SAS 70 was only for internal controls over financial reporting. To meet these needs, AICPA came up with SOC reports.
SOC has three parts: SOC-1, SOC-2 and SOC-3.
SOC-1 is related to ICFR. SOC-2 and SOC-3 are related to controls over security/systems and privacy.
About 18 years ago, the American Institute of Certified Public Accountants (AICPA) adopted SAS 70. The purpose of a SAS 70 audit was (and is) to gather evidence on internal controls of a service organization (SO) in which those controls were associated with the delivery of a service that was (and is) related to the financial reports and impacted the financial statement to a material degree. It was not feasible for the user auditors to be able to properly evaluate them on the site of the SO. Recently, the AICPA addressed these evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3. The period of the controls included in the report was simply a point in time in the old SAS 70. Under SSAE 16, the report covers the entire period of testing used in the report. This fact changes the service auditor’s service/process considerably, in planning, testing and gathering evidence.
Because of the evolving needs for a variety of the objectives of these controls, AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3:
SOC-1: Reporting on Controls at a Service Organization
SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
SOC-3: Trust Services Report for Service Organization
These new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.
Under the old SAS 70, the basis of controls evaluated was the prerogative of the SO’s management. Management simply decided which controls to test and, as mentioned previously, sometimes was unable to properly identify key controls. There was no accountability or feedback to management about its choice because the auditors were forbidden from choosing them. In the new standard, management has to identify the risks associated with the service and financial reporting by the user and then identify controls that can mitigate those risks. The clarified SAS 70 provides for the user auditor to evaluate the proper choice of controls.
There is no doubt the new reports SOC-2 and SOC-3 give IT auditors more options to use audit methods in different scenarios, which not only makes the audit work more efficient but also resolves the communication fault in the previous three-party relationship.
Hello, professor
Here is my answer:
The thing of interest I took away from ISACA “Understanding the New SOC Reports” is that I know SAS 70 and the need for SOC. From this article, the purpose of a SAS 70 audit is to gather evidence on internal controls of a service organization. And SAS 70 addressed some questions by creating an audit of the controls at SOs, to be performed by auditors who were not the user’s auditors, and a report written on the results of that audit. Understanding these new SOC reports helped me better understand auditing and apply what I learned to my future work.
(1) A SAS 70 audit is to gather evidence on internal controls of a service organization (SO).
Because these controls were associated with the delivery of a service that was (and is) related to the financial reports and impacted the financial statement to a material degree, it is more suitable for financial auditors instead of user auditors.
(2) SAS 70 specifically stated that it was for internal controls over financial reporting (ICFR) and, thus, not correctly applied to privacy or security audits.
(3) SAS 70 audits have no standard set of controls.
Differences between SOC-1, SOC-2, SOC-3:
SOC-1 is the report of the service auditor over ICFR and is associated with a new standard that partially replaces the service auditor side of SAS 70.
SOC-2 is intended to meet the need to understand an SO’s internal controls related to such criteria as confidentiality, availability, processing integrity, security and privacy.
SOC-3 is intended to meet the needs of users who want assurance on the controls at an SO such as confidentiality, availability, processing integrity, security and privacy, but who do not have the need for or the knowledge necessary to make effective use of a SOC-2 report.
The AICPA addressed evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. Because of the evolving needs for a variety of the objectives of these controls, AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3.
SOC-1 is related only to ICFR, SOC-2 is related to controls over security/systems and privacy, and SOC-3 is related to controls over the same.
These SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.
Hi professor,
here is my answer:
What interests me in ISACA “Understanding the New SOC Reports” is the SOC reports and new standards. This article introduces these new reports and explains the differences and analysis between the reports. The understanding of these reports is very important for IT auditors. These new standards and SOC reports provide guidelines for auditing, and the controls in them are often embedded in IT, so it is possible for IT auditors to attest against them. Moreover, from the perspective of efficiency and effectiveness, user auditors can also rely on IT audit reports to meet their obligations. Because many types of services involve information technology, and there are more and more controls in information technology, more and more auditors need to rely on these reports, and the business community is beginning to value and appreciate them, sometimes even beyond the needs of enterprises.
Hello professor
Here is my answer
It was not feasible for the user auditors to be able to properly evaluate them on the site of the SO. Thus, there was a need for some assurance over the controls of the SO that are relevant to the financial audit of the service user to be provided by someone other than the user auditor.
Thus, a SAS 70 became a valuable marketing tool to show businesses that the user had sufficient controls about which the prospect could be comfortable and could gain an adequate assurance of the level of security being provided. This worked so well that companies began to use a SAS 70 for all sorts of controls assurance for an SO. Another issue with SAS 70 audits was that there was no standard set of controls. Instead, management of each SO determined the controls to be evaluated.
These new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner.
Because the controls of these SOC reports are so often embedded in IT, IT auditors, especially CISAs, will be needed to perform the attest services.
SOC-1: Controls Reporting in a Service Organization
SOC-2: Report on Security, Availability, Processing Integrity, Confidentiality, and Privacy Controls of a Service Organization.
SOC-3: Service Organization Trust Services Report
As we are planning to do a SOC-2 report audit this year, I now understand the fields that it covers. The vendor will offer a description of the system under scope in the SOC report. The system description will include background information as well as a description of the software, people, procedures, and data. Due to your expertise with your vendor’s systems and infrastructure, carefully examine this description to see what they may have decided to leave out of the audit. You can then decide whether it is critical to the security of your system and/or data.
Dear professor, Here is my answer:
Recently, the AICPA addressed these evolving issues about SAS 70 and provided a more effective framework for providing assurance of controls in a service organization. Because of the evolving needs for a variety of the objectives of these controls, AICPA came up with Service Organization Controls (SOC) reports, identified simply as SOC-1, SOC-2 and SOC-3:
SOC-1: Reporting on Controls at a Service Organization
SOC-2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
SOC-3: Trust Services Report for Service Organization
These new standards and SOC reports will provide the opportunity for IT auditors, especially CISAs, to perform needed services. IT auditors need to understand these reports, the standards and guidelines behind them, and the differences among them to provide the right service in the proper manner. Because the controls of these SOC reports are so often embedded in IT, IT auditors, especially CISAs, will be needed to perform the attest services.
BR
Yidi Xu
About 18 years ago, the American Institute of Certified Public Accountants (AICPA) adopted SAS 70, “Service Organizations.” The purpose of a SAS 70 audit was (and is) to gather evidence on internal controls of a service organization (SO) in which those controls were associated with the delivery of a service that was (and is) related to the financial reports and impacted the financial statement to a material degree. Obviously, it was put in place because the financial auditors of the user entity needed to have sufficient assurance on controls over accounts, transactions, or disclosures that were material, and some of those events occurred at an SO.
A SAS 70 became a valuable marketing tool to show businesses that the user had sufficient controls about which the prospect could be comfortable and could gain an adequate assurance of the level of security being provided.
Issues: 1. SAS 70 specifically stated that it was for internal controls over financial reporting (ICFR) and, thus, not correctly applied to privacy or security audits.
2. There was no standard set of controls.
SOC-1 is related only to ICFR (internal controls over financial reports).
SOC-2 is related to controls over security/systems and privacy. It is intended to meet the need to understand an SO’s internal controls related to such criteria as confidentiality, availability, processing integrity, security and privacy.
SOC-3 is related to controls over the same. It is intended to meet the needs of users who want assurance on the controls at an SO such as confidentiality, availability, processing integrity, security and privacy, but who do not have the need for or the knowledge necessary to make effective use of a SOC-2 report.