SOC, SOX & SSAE 18 Flashcards
SOC 1
I test internal controls over financial statements like Access control, Change management and IT operations. I look to ensure that regulatory compliance in terms of employee PII is protected.
I need to understand the number and types of vendors used and what they are supporting. Is it infrastructure as a service, supporting software as a service or application as a service? For example, we were auditing our service provider's accounts payable system, where we tested ITGC. I tested operation controls for backup and recovery.
SOC 2
I performed an audit on our cloud computing provider (Amazon), where I tested internal controls over user access review. I test CIA (confidentiality, integrity and availability), which will generate a system report.
SSAE 18
Replaced SOC 1 Type. Covers both vendors and contractors, and the only thing that changes is user consideration, which is now complementary entity. Include at bottom of narratives.
SOX compliance
I test controls over applications that impact financial statements. I test key controls like Access control, change management and IT operations for design appropriateness and operating effectiveness, in order to reduce the amount of vouching and budgeting. This allows the financial auditor to rely on the completeness and accuracy of the data housed on the financial application in order to produce accurate and reliable financial statements.
SOC 1 type 2
It's a reviewed report that covers vendors only. I review the external auditor's unqualified opinion, management assertion and under consideration.