With the passage of the Sarbanes-Oxley Act (SOX), other requirements for transparency, and increasing globalization and outsourcing, the use of SSAE 18 has grown exponentially. Service organizations that provide key third-party outsourcing services often need to be accountable to the clients that they serve. These organizations include claims processors, application service providers, benefit administrators, payroll companies, data centers, and many others.
In addition, the creation of System and Organization Controls reports (SOC 1, SOC 2 and SOC 3 reports) provides three new reporting vehicles developed for service organizations to respond to demands for uniform reporting and review, expanding service organizations' ability to report on financial controls and non-financial controls and, with SOC 3, to become a certified trusted-system service organization.
CPAs perform SSAE 18 attestations to provide assurance to the service organization's customers and their auditors that the organization has certain appropriate and effective controls in place.
- A Type 1 audit considers the design effectiveness of controls at a specific point in time.
- A Type 2 audit examines the design and operating effectiveness of controls over a specified period, typically 6 to 12 months.
SOC 1, SOC 2 and SOC 3 engagements in today's environment:
金沙乐娱app下载 Information Security's audit professionals operate as part of 金沙乐娱app下载, PC, a Top 50 US CPA firm. We provide SOC services to clients across the country and maintain appropriate licensure in the states in which we provide attest work. As a result, we have in-depth industry knowledge to help service providers in a variety of industries, including healthcare and claims processing, financial services, cloud service providers, and colocation and hosting providers.
SOC 1 requires management to provide written descriptions of its systems, to assert that the system descriptions are fairly presented and that controls are suitably designed to achieve the control objectives and operating effectively, and to identify the criteria used to make these assertions.
While SOC 1 examines service organizations' controls related to financial reporting, SOC 2 and SOC 3 examine security, availability, processing integrity, confidentiality, and privacy reporting controls that align to the AICPA Trust Services Criteria (TSC).
The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report contains a detailed description of the service auditor's tests of controls and the results of those tests, as well as the service auditor's opinion on the description of the service organization's system. A SOC 3 report can be distributed freely, while a SOC 2 report is meant for a service organization's customers.
SOC 2 engagements use the TSC as well as the requirements and guidance in AT Section 101, Attest Engagements (AICPA, Professional Standards, Vol. 1). SOC 2 reports are similar to SOC 1 reports. Either a type 1 or type 2 report may be issued, and the report provides a description of the service organization's system. A type 2 report also includes a description of the tests performed by the service auditor and the results of those tests.
SOC 3 engagements use the predefined trust services criteria that are also used in SOC 2 engagements. A SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved the trust services criteria (no description of tests and results). It also allows the service organization to display the SOC 3 seal on its website. A SOC 3 report can be issued on one or more of the trust services criteria (security, availability, processing integrity, confidentiality, and privacy).
The SOC for Cybersecurity examination is designed to provide report users with information to help them understand management's process for handling enterprise-wide cyber risks. It can apply to any type of organization regardless of size or industry, and report users are not necessarily current customers or customer auditors.
- A standard, consistent way to report on an entity's cybersecurity risk management program (CRMP).
- An effective way to communicate cybersecurity control effectiveness to stakeholders, boards of directors, committees, customers, and partners through a comprehensive cybersecurity audit.
Unlike a SOC 2 report, a SOC for Cybersecurity report involves the following:
- The baseline against which an entity is assessed in a SOC for Cybersecurity is the Description Criteria for management's description of the entity's cybersecurity risk management program.
- An organization pursuing a SOC for Cybersecurity may utilize the Trust Services Criteria, but may also use another generally accepted security framework when designing or assessing its control requirements.
- A SOC for Cybersecurity report is a general-use report, and the purpose of the report is often determined by company management. These reports are meant for a broader audience than SOC 2 reports and may be shared with anyone inside or outside an organization.
- In a SOC for Cybersecurity, the controls matrix is not included in the report.
The 金沙乐娱app下载 Information Security team was instrumental in working with the AICPA to create and release this assessment to help you achieve compliance and provide the insights you need to make better business decisions.
A SOC report can help your business retain and attract new customers. Every business that shares critical data with a service provider wants to be sure that the business partner is doing all it can to protect its vital information assets. How do you prove that you are?
Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer's financial statements?
Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act or a similar law or regulation?
Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization's IT systems?
If you answered YES, you need a SOC 2 or SOC 3.
Do your customers have the need for and the ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor, and the results of those tests?
If you answered yes, you need a SOC 2. However, if you answered no, you need a SOC 3.