SOC, SOX & SSAE 18 Flashcards
SOC 1
I test internal controls over financial statements, such as access control, change management and IT operations. I also look to ensure regulatory compliance, in that employee PII is protected.
I need to understand the number and types of vendors used and what they are supporting: infrastructure as a service, software as a service or application as a service? For example, we were auditing our service provider's accounts payable system, where we tested ITGCs. I tested operational controls for backup and recovery.
SOC 2
I performed an audit on our cloud computing provider (Amazon), where I tested internal controls over user access review. I test CIA (confidentiality, integrity and availability), which will generate a system report.
SSAE 18
Replaced the SOC 1 type. Covers both vendors and contractors; the only thing that changes is user consideration, which is now complementary entity. Include at the bottom of narratives.
SOX compliance
I test controls over applications that impact financial statements. I test key controls, such as access control, change management and IT operations, for design appropriateness and operating effectiveness. This reduces the amount of vouching and budgeting, which allows the financial auditor to rely on the completeness and accuracy of the data housed in the financial application in order to produce accurate and reliable financial statements.
SOC 1 type 2
It's a report I review that covers vendors only. I review the external auditor's unqualified opinion, management's assertion and user consideration.
What are the 4 types of audit opinions?
Unqualified opinion: clean report.
Qualified opinion: qualified report.
Disclaimer of opinion: disclaimer report.
Adverse opinion: adverse audit report.
How do I know if my SOC is qualified?
If a SOC report is issued with a qualified opinion, it indicates that one or more controls were not designed effectively (Type I) or not operating effectively (Type II). A qualified report indicates that the issues identified in the report were significant enough to deem one or more controls ineffective.
What is the difference between a SOC 1 and SOC 2 report?
A SOC 1 report is designed to address internal controls over financial reporting while a SOC 2 report addresses a service organization’s controls that are relevant to their operations and compliance. One or both could be right for your organization.
What should I look for in a SOC 2?
The five possible criteria covered are: Privacy, Security, Confidentiality, Integrity and Availability. Service provider management is allowed to select which criteria they want included in the report, so once again you should make sure your specific concerns are addressed.
What is the difference between SOC 2 and ISO 27001?
The main difference between SOC 2 and ISO 27001 is that SOC 2 is focused mostly on proving that the security controls protecting customer data have been implemented, whereas ISO 27001 also wants you to prove you have an operational Information Security Management System (ISMS) in place to manage your InfoSec.
What is the difference between SOC 2 Type 1 and SOC 2 Type 2?
SOC 2 Type 1 is different from Type 2 in that a Type 1 assesses the design of security processes at a specific point in time, while a Type 2 report (also commonly written as “Type ii”) assesses how effective those controls are over time by observing operations for six months.
What are SOC 2 Type 2 reports?
A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third-party technology services.