SOC engagement categories
Overview:
Service organizations offer the same benefits as any outsourcing: specialized knowledge, focus on what they excel at, etc.
Types of services: outsourced payroll processors, cloud service providers, credit card processing organizations, enterprise IT outsourcing services, financial technology services (asset management or loan servicing), customer support
Why we need SOC engagements: user entities, and those who depend on the user entity, need to understand and have verification that the service organization's system design, operation, and controls are working properly.
Requires:
•Independence, since it is an attestation service
Types of SOC engagements:
•SOC 1
Focuses on internal control over financial reporting
Use is restricted to management, user entities of the service org, and their independent auditors
Not for potential users
•SOC 2
Focused on security, availability, processing integrity, confidentiality, or privacy (the 5 defined trust service categories)
Includes complementary user entity controls and subservice organizations
Designed and intended for the service org (management and the auditor should agree on its scope in advance)
•SOC 3
Also based on the trust service criteria, but intended for general use
Does not include a description of the system or of the service auditor's tests of controls and results
•SOC for cyber security
Reporting on cybersecurity risk management and controls
•SOC for supply chain engagements
Controls over the 5 trust service criteria in the supply chain
SOC reports
What the report looks like depends on what kind of engagement it was and what kind of report you want to issue.
•Type 1:
Is the description of the service organization's system accurate?
Are the controls suitably designed?
•Type 2:
Is the description of the service organization's system accurate?
Are the controls suitably designed and operating effectively?
Throughout a specified period
Note: there is no such thing as a SOC 3 Type 2 report
Content of Type 1 and Type 2 SOC reports
Type 1 for SOC 1 or SOC 2:
•Management's description of the service org's system
•Management's written assertion that the description is fairly presented and that the controls are suitably designed and implemented to meet the control objectives as of a certain date
•The service auditor's opinion as to whether it is fairly stated
Type 2 for SOC 1 or SOC 2:
•Management's description of the service org's system
•Management's written assertion that the description is fairly presented and that the controls are suitably designed, implemented, and operating effectively to meet the control objectives, with the results of the tests over a specified period
•The service auditor's opinion as to whether it is fairly stated
SOC 3: less detailed than SOC 2
Trust service criteria: issued by ASEC to help entities meet business objectives; designed to be flexible in application and use.
•Security - required, since it could affect everything, plus the ability of the entity to meet its objectives
•Availability
•Process integrity
•Confidentiality
•(Or) Privacy
CAPPS
The COSO Framework and the trust service criteria are aligned (mnemonic: CRIME):
•Control Environment
•Risk Assessment
•Information and communication
•Monitoring
•Existing controls
A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand and enable the implementation of additional capacity to meet entity objectives.
A1.2: The entity ensures systems are available by identifying, responding to, and communicating environmental threats, designing detection measures, implementing protection mechanisms and alerts, performing backups, ensuring off-site storage, and considering data recoverability.
PI1.1: The entity obtains or generates information that is relevant and of quality
PI1.2: The entity implements appropriate policies and procedures over system inputs to result in products, services, and reporting that meet entity objectives
PI1.3: The entity implements policies and procedures over system processing to result in products, services, and reporting that meet entity standards
PI1.4: The entity implements policies and procedures to make available or deliver output
PI1.5: The entity implements policies and procedures to store inputs
C1.1 the entity identifies and maintains confidential information
C1.2 the entity disposes of confidential information
P (privacy): relates to collecting personal data, consent, using data for specific purposes, managing data, disclosure, and maintaining accurate records.
P1: communication of objectives related to privacy
P2: choice and consent
P3: collection
P4: use, retention, and disposal
P5: access
P6: data and notifications
P7: quality
P8: monitoring and enforcement
