System and Organization Controls (SOC) Report
A System and Organization Controls (SOC) Report is an internal controls audit report that follows a SOC standard.
- Context:
- It can (typically) be used by a Service Organization.
- It can (typically) relate to security, availability, processing integrity, confidentiality, or privacy of a system.
- ...
- Example(s):
- SOC 1 Report, such as:
- A cloud service provider’s SOC 1 report evaluating controls relevant to user entities’ financial reporting.
- SOC 2 Report, such as:
- A data center’s SOC 2 report to provide assurance to its clients on the controls related to security and availability of the data center.
- Anthropic’s SOC 2 Type 1 Report.
- SOC 3 Report, such as:
- ...
- Counter-Example(s):
- ...
- See: Internal Controls, Generally Accepted Auditing Standards.
References
2023
- (Wikipedia, 2023) ⇒ https://en.wikipedia.org/wiki/System_and_Organization_Controls Retrieved: 2023-6-16.
- System and Organization Controls (SOC), (also sometimes referred to as service organizations controls) as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Criteria.[1] The Trust Services Criteria were established by The AICPA through its Assurance Services Executive Committee (ASEC) in 2017 (2017 TSC). These control criteria are to be used by the practitioner/examiner (Certified Public Accountant, CPA) in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service. The engagements can be done on an entity-wide, subsidiary, division, operating unit, product line or functional area basis. The Trust Services Criteria were modeled in conformity with The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework (COSO Framework). In addition, the Trust Services Criteria can be mapped to NIST SP 800-53 criteria and to EU General Data Protection Regulation (GDPR) Articles. The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.