What is SOC 1
SOC 1 is designed to review a vendor's internal controls as they relate to financial reporting. SOC 1 audit reports are best suited to products and services that are not information-system based.
Two types of SOC 1 report
- SOC 1 Type 1 report: audits controls as of a point in time (a single date)
- SOC 1 Type 2 report: covers controls that were in place and operating over a period of time. A Type 2 report includes a description of any significant changes. Type 2 assessments are more rigorous, and controls are reviewed for operating effectiveness over a period of time.
When to use SOC 1 report
Examples may include:
- Insurance products (where there is no consumer private information)
- Internal Accounting Software
- Back office administrative products
Benefits of SOC 1
A SOC 1 report provides information about controls at a service organization that may be relevant to the user entity's internal control over financial reporting.
This report helps user entities determine whether the control objectives are operating effectively.
What is SOC 2
A SOC 2 report is an examination of the vendor's controls against one or more of the following five Trust Services Criteria (TSCs):
- Security
- Processing Integrity
- Privacy
- Availability
- Confidentiality
Read in detail about the principles of SOC 2 here: 5 Trust Services Criteria
A SOC 2 is all about protecting private information (or, in some cases, funds transfers) and ensuring that the controls in place adequately protect information.
A SOC 2 report may cover one or all of these TSCs. The TSCs in scope determine which controls are monitored and what changes are made to the products or services offered. For example, if you are reviewing a data center or cloud service provider, at a minimum you should be looking at the Availability and Security TSCs.
Two types of SOC 2 Report
- SOC 2 Type 1 report: audits controls as of a point in time (a single date)
- SOC 2 Type 2 report: covers controls that were in place and operating over a period of time. A Type 2 report includes a description of any significant changes. Type 2 assessments are more rigorous, and controls are reviewed for operating effectiveness over a period of time.
Read in detail: SOC 2 Type 1 and Type 2
When to use SOC 2 Report
If you want a measure of how well your vendor provides a secure, available, confidential and private solution, ask for a copy of their independently audited SOC 2 report.
A SOC 2 report is an audit that applies a consistent set of criteria specifically to the products and services an organization provides to you. However, keep in mind as you review it that the controls are created by the vendor and tested by an auditor or CPA firm.
Examples may include:
- Internet banking
- Mobile banking
- Bill payment
More generally, any vendor that stores or accesses consumer private information.
Benefits of SOC 2 Report
SOC 2 reports are specifically targeted at information security and information system availability.
What is SOC 3
A SOC 3 is a high-level summary of a SOC 2 audit that comes with a seal of approval a vendor can share publicly.
While the SOC 3 has some of the components of the SOC 2, it is not as comprehensive, because it is designed to be made available publicly without requiring an NDA. Therefore, keep in mind the following:
- It's less detailed
- It's less technical
- It won't contain the same level of otherwise critical information that a SOC 2 contains.
When To Use SOC 3
A SOC 3 can be used for the initial, early due diligence phase with a vendor, until you have determined whether they are a serious prospect. If you have determined they are a serious prospect, it is best practice to obtain a SOC 1 or SOC 2 report.
Benefits Of SOC 3
A SOC 3 is a good tool to use in the initial vetting period of new vendors. Keep in mind that it shouldn't be used in place of SOC 1 or SOC 2.