System And Organization Controls (SOC) Standard

A System And Organization Controls (SOC) Standard is an audit report standard (for SOC reports).

• Context:
  • It can (typically) be managed by American Institute of Certified Public Accountants.
  • It can (typically) relate to security, availability, processing integrity, confidentiality, or privacy of a system.
  • ...
• Example(s):
  • SOC 1 Standard, also known as SSAE 18, which focuses on controls at a service organization relevant to user entities’ internal control over financial reporting.
  • SOC 2 Standard (for SOC 2 reports), ...
  • SOC 3 Standard, which is similar to SOC 2, but is intended for a general audience and only asserts whether the system achieved the trust services criteria.
  • ...
• Counter-Example(s):
  • ...
• See: SSAE No. 18, American Institute of Certified Public Accountants, Internal Controls, Committee of Sponsoring Organizations of The Treadway Commission, NIST Special Publication 800-53, General Data Protection Regulation, Generally_Accepted_Auditing_Standards.

References

2023

• (Wikipedia, 2023) ⇒ https://en.wikipedia.org/wiki/System_and_Organization_Controls Retrieved:2023-7-27.
  • System and Organization Controls (SOC), (also sometimes referred to as service organizations controls) as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Criteria.^[1] The Trust Services Criteria were established by The AICPA through its Assurance Services Executive Committee (ASEC) in 2017 (2017 TSC). These control criteria are to be used by the practitioner/examiner (Certified Public Accountant, CPA) in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service. The engagements can be done on an entity wide, subsidiary, division, operating unit, product line or functional area basis. The Trust Services Criteria were modeled inconformity to The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework (COSO Framework). In addition, the Trust Services Criteria can be mapped to NIST SP 800 - 53 criteria and to EU General Data Protection Regulation (GDPR) Articles. The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.