Evaluate, Test and Report 1(b)-1(d) - SOC Flashcards
What is a SOC1 report?
- SOC1 (Service Organization Controls) report, issued under SSAE 16 (since superseded by SSAE 18)
- An attestation (examination) report, not an agreed-upon-procedures (AUP) engagement; it provides assurance over the service organization's controls that are relevant to the user entities' internal control over financial reporting (ICFR)
User auditors:
- Look for the service organization controls that address the assessed level of the risk of material misstatement (RMM) at the user entity
- Decide whether the SOC1 report properly addresses all relevant controls, and what impact the results of the service auditor's (the CPA's) procedures, as described in the written SOC1 report, have on the assurance obtained over the service provided and the associated data
What does a type II SOC2 report provide?
- A Type II SOC2 report covers a period of time and contains the service auditor's (CPA's) opinion on the operating effectiveness of the controls, in addition to the fairness of the system description and the suitability of the controls' design; a Type I report covers only the description and design as of a point in time. The opinion is the service auditor's, not the user auditor's; the user auditor evaluates the report and decides how far to rely on it
What is a SOC2 report?
- SOC2 (Service Organization Controls) report, issued under AT 101
- An attestation (examination) report, not an AUP engagement; it provides assurance over IT controls relevant to security, availability, processing integrity, confidentiality and privacy (the Trust Services principles)
- A restricted-use report; it cannot be released to the public
- A user of a SOC2 report looks at who issued it (the CPA firm), whether SOC2 was applied correctly (the intended users and the relevant controls), and whether the report covers the controls relevant to the user's own needs
What is a SOC3 report?
- SOC3 (Service Organization Controls) report, also issued under AT 101
- Demonstrates that the service organization's controls over the service provided to customers are sufficient, covering the same Trust Services principles as SOC2 and identifying the controls related to them
- A user of a SOC3 report looks for a reliable provider (a recognized CPA firm), correct application of SOC3 (intended users and relevant controls), and information relevant to the user's own controls
- Covers the same Trust Services principles as SOC2 but omits the detailed system description and the description of the auditor's tests and results; it is the ONLY SOC report available to the public (a general-use report: posted on web sites, distributed to prospects, or used as a marketing piece)
What does a SOC report discuss?
- Discusses design effectiveness, implementation, and operating effectiveness of the identified controls being examined at a Service Org
What are the 3 types of SOC reports, and what do Type I and Type II mean?
(1) SOC1 - controls relevant to user entities' ICFR; issued as Type I or Type II
(2) SOC2 - controls relevant to the Trust Services principles; also issued as Type I or Type II
(3) SOC3 - general-use summary of a SOC2 examination; the only type that is publicly available
- A Type I report addresses only the first two aspects (design effectiveness and implementation) as of a point in time; a Type II report addresses all three, adding operating effectiveness over a period
What does a SOC2 report provide assurance over?
- SOC2 (Service Organization Controls) report provides assurance over IT controls related to the five Trust Services principles:
- Security of data and processes
- Availability of data, systems, and automated processes
- Processing integrity
- Confidentiality of data
- Privacy issues related to personal information
Name the AICPA’s Trust Services 5 basic principles:
(1) Security - The system is protected against unauthorized access, both physical and logical
(2) Availability - The system is available for operation and use as committed or agreed
(3) Processing integrity - System processing is complete, accurate, timely, and authorized
(4) Confidentiality - Information designated as confidential is protected as committed or agreed
(5) Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the "Generally Accepted Privacy Principles" (GAPP)
What is “Generally Accepted Privacy Principles” (GAPP)?
- An international set of principles (developed jointly by the AICPA and the CICA) related to the 5th Trust Services principle, Privacy
- GAPP is made up of 10 criteria; each is expanded with details on its characteristics and nature as an effective control, together with illustrative controls for that criterion
What are the 10 criteria under the "Generally Accepted Privacy Principles" (GAPP) attest framework?
(1) Management
(2) Notice
(3) Choice and Consent
(4) Collection
(5) Use, Retention, and Disposal
(6) Access
(7) Disclosure to 3rd Parties
(8) Security for Privacy
(9) Quality
(10) Monitoring and enforcement
What is Payment Card Industry (PCI)?
- Covers credit cards, debit cards, prepaid cards, e-purse, ATMs, and point-of-sale (POS) cards
- A specialty IT compliance assurance service
- The PCI Security Standards Council (PCI SSC) developed a body of security standards for these payment services known as the PCI Data Security Standard (PCI DSS)
- PCI SSC also runs its own assessor certifications; the key one is the Qualified Security Assessor (QSA), who performs the on-site assessment of a merchant's or service provider's compliance with PCI DSS