系统 & Organization Control (SOC) 审计s
With the advent of the Sarbanes-Oxley Act (SOX), other demands for transparency, increasing globalization and outsourcing, the use of SSAE 18 has grown exponentially. 提供关键第三方外包服务的服务组织通常需要对他们所服务的客户负责. These organizations include claims processors, application service providers, 福利管理员, 工资的公司, 数据中心, 还有很多其他的.
SOC报告
的创造 系统 and Organization Control (SOC) 审计为服务组织提供了三种报告选择,以响应统一报告和审查的要求,扩大服务组织报告财务控制的能力, non-financial controls and, SOC 3, become certified trusted system service organizations.
注册会计师执行 SSAE 18认证 向服务机构的客户及其审核员提供保证,使其确信, adequate and effective controls in place.
- 第一类审计 consider the controls’ design effectiveness at a certain point in time
- 第二类审计 examine the controls’ design and operating effectiveness over a specific period, typically six to 12 months.
SOC 1, SOC 2 and SOC 3 engagements address today’s environment that:
- Requires greater international consistency
- Addresses newer technologies such as cloud computing, mobile, and virtualization
- Demands more widely recognized and understood reporting options
我们为全国各地的客户提供SOC审计,并在我们提供证明工作的州保持适当的执照. 结果是, 我们拥有深入的行业知识,可以帮助各个行业的服务提供商, including healthcare and claims processing, 金融服务, 云服务提供商, and commercial collation and hosting providers.
What Type of SOC Report is Best for You? (SOC 1, SOC 2或SOC 3)
SOC reports help your business retain and attract new 客户. 每个与服务提供商共享关键数据的企业都希望确保业务合作伙伴尽其所能保护其重要信息资产. 你怎么证明你是?
你们的客户和他们的审计师是否会使用该报告来计划和执行对客户财务报表的审计或综合审计?
If you answer YES, you need a SOC 1.
您的客户将使用该报告作为他们遵守萨班斯-奥克斯利法案或类似法律/法规的一部分吗?
If you answer YES, you need a SOC 1.
您的客户或涉众是否会使用该报告来获得对服务组织IT系统的信心和信任?
If you answer YES, you need a SOC 2或3.
SOC 1审计
SOC 1要求管理层提供其系统的书面描述,并断言系统描述是公平呈现的, control objectives suitably designed and operate effectively, and identify the criteria they used to make those assertions.
While SOC 1 examines service organizations’ controls related to financial reporting, SOC 2 and SOC 3 reviews security, 可用性, 处理完整性, 保密, and privacy reporting controls that align to the AICPA Trust 服务 Criteria (TSC).
Executive Team for SOC 1审计
如果您对SOC 1审计的更多信息感兴趣,请联系保罗和雅各.
There is a key difference between SOC 2 reports and SOC 3 reports. 区别在于,SOC 2报告包含服务审核员对控制措施的测试和测试结果的详细描述,以及服务审核员对服务组织系统描述的意见,SOC 3报告可以自由分发,而SOC 2是针对服务组织的客户.
SOC 2 and SOC 3业务
SOC 2业务
SOC 2业务使用TSC以及AT Section 101中的要求和指导, 证明活动, ssae (AICPA), 专业标准, 卷. 1). A SOC 2 report is similar to a SOC 1 report. 可以出具类型1或类型2的报告,该报告提供服务组织系统的描述. 对于二类报告, 它还包括服务审计员执行的测试和测试结果的说明.
SOC 3业务
SOC 3约定使用SOC 2约定中使用的信任服务标准中的预定义标准. SOC 3报告是一种通用报告,仅提供审计人员关于系统是否达到信托服务标准的报告(不描述测试和结果)。. It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or multiple Trust 服务 Criteria (security, 可用性, 处理完整性, 保密, 和隐私).
Executive Team for SOC 2 and SOC 3 审计s
如果您对SOC 2或SOC 3审计的更多信息感兴趣,请联系画了和罗宾.
客户证明
面向网络安全的SOC
网络安全SOC考试旨在为报告用户提供信息,帮助他们了解管理部门处理企业范围网络风险的流程. It can be performed for any type of organization regardless of size or industry, and report users aren’t necessarily current 客户 or customer auditors.
面向网络安全的SOC provides the following:
- 报告实体网络安全风险管理计划(CRMP)的标准、一致的方式.
- An effective way to communicate cybersecurity control effectiveness to stakeholders, 董事会, 委员会, 客户, and partners through a comprehensive cybersecurity audit.
Differing from SOC 2 reports, 面向网络安全的SOC reports address the following:
- 在网络安全SOC中对实体进行评估的基准是管理层对实体网络安全风险管理计划的描述标准.
- 追求网络安全SOC的组织可以使用信任服务标准, 但在设计或评估其控制需求时,也可以使用另一种普遍接受的安全框架.
- 面向网络安全的SOC reports are general use reports, and the objectives of the report are often determined by company management. 这些报告适用于比SOC 2报告更广泛的受众,可以与组织内外的任何人共享.
- In a 面向网络安全的SOC, the controls matrix will not be included in the report.
LBMC SOC审计团队在与AICPA合作创建和发布该评估时发挥了重要作用,帮助您实现合规性,并为您提供做出更好业务决策所需的见解.
Webinar: What should be in my SOC description?
LBMC的Richard Beard分享了SOC系统描述的概述,以及组织的SOC 1和SOC 2报告中应该包含的内容.
