• Home

  • Documents

  • Comparison of SOC 1, SOC 2 and SOC 3 Reports · Comparison of SOC 1, SOC 2 and SOC 3 Reports SOC 1...
2
Comparison of SOC 1, SOC 2 and SOC 3 Reports SOC 1 Reports SOC 2 Reports SOC 3 Report Under what professional standard is the engagement performed? SSAE No. 16, Reporting on Controls at a Service Organization AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization AT 101, Attestation Engagements AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy AT 101, Attestation Engagements AICPA Technical Practice Aid, Trust Services Principles, Criteria, and Illustrations What is the subject matter of the engagement? Controls at a service organization relevant to user entities internal control over financial reporting. Controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy. Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy What is the purpose of the report? To provide information to the auditor of a user entity’s financial statements about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. It enables the user auditor to perform risk assessment procedures, and if a type 2 report is provided, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing. To provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality or privacy. To provide interested parties with a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality, or privacy. What are the components of the report? A description of the service organization’s system. A service auditor’s report that contains an opinion on the fairness of the presentation of the A description of the service organization’s system. A service auditor’s report that contains an opinion on the fairness of the presentation of the description of the service A service auditor’s report on whether the entity maintained effective controls over its system as it relates to the

Comparison of SOC 1, SOC 2 and SOC 3 Reports · Comparison of SOC 1, SOC 2 and SOC 3 Reports SOC 1 Reports SOC 2 Reports SOC 3 Report Under what professional standard is the engagement

Embed Size (px)

Citation preview

Page 1: Comparison of SOC 1, SOC 2 and SOC 3 Reports · Comparison of SOC 1, SOC 2 and SOC 3 Reports SOC 1 Reports SOC 2 Reports SOC 3 Report Under what professional standard is the engagement

Comparison of SOC 1, SOC 2 and SOC 3 Reports

SOC 1 Reports SOC 2 Reports SOC 3 Report

Under what professional standard is the engagement performed?

SSAE No. 16, Reporting on Controls at a Service Organization AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization

AT 101, Attestation Engagements AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy

AT 101, Attestation Engagements AICPA Technical Practice Aid, Trust Services Principles, Criteria, and Illustrations

What is the subject matter of the engagement?

Controls at a service organization relevant to user entities internal control over financial reporting.

Controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy.

Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy

What is the purpose of the report?

To provide information to the auditor of a user entity’s financial statements about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. It enables the user auditor to perform risk assessment procedures, and if a type 2 report is provided, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing.

To provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality or privacy.

To provide interested parties with a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality, or privacy.

What are the components of the report?

A description of the service organization’s system. A service auditor’s report that contains an opinion on the fairness of the presentation of the

A description of the service organization’s system. A service auditor’s report that contains an opinion on the fairness of the presentation of the description of the service

A service auditor’s report on whether the entity maintained effective controls over its system as it relates to the

http://www.webtrust.net/downloads/WT.TrustServices.pdf
http://www.webtrust.net/downloads/WT.TrustServices.pdf
Page 2: Comparison of SOC 1, SOC 2 and SOC 3 Reports · Comparison of SOC 1, SOC 2 and SOC 3 Reports SOC 1 Reports SOC 2 Reports SOC 3 Report Under what professional standard is the engagement

SOC 1 Reports SOC 2 Reports SOC 3 Report

description of the service organization’s system, the suitability of the design of the controls, and in a type 2 report, the operating effectiveness of the controls. In a type 2 report, a description of the service auditor’s tests of the controls and the results of the tests.

organization’s system, the suitability of the design of the controls, and in a type 2 report, the operating effectiveness of the controls. In a type 2 report, a description of the service auditor’s tests of controls and the results of the tests.

principle being reported on i.e., security, availability, processing integrity, confidentiality, or privacy, based on the applicable trust services criteria.

Who are the intended users of the report?

Auditor’s of the user entity’s financial statements, management of the user entities, and management of the service organization.

Parties that are knowledgeable about •the nature of the service provided by the service organization •how the service organization’s system interacts with user entities, subservice organizations, and other parties • internal control and its limitations • the criteria and how controls address those criteria

Anyone


Custom Reports: SCGs and VCGs. Standard Comparison Group (SCG)

Custom Reports: SCGs and VCGs. Standard Comparison Group (SCG)

Documents
Evaluating SOC Reports and NEW Reporting Requirements SOC Reports and New... · Evaluating SOC Reports and NEW Reporting Requirements ISACA Kris Lonborg, EY Partner Maria Avedissian,

Evaluating SOC Reports and NEW Reporting Requirements SOC Reports and New... · Evaluating SOC Reports and NEW Reporting Requirements ISACA Kris Lonborg, EY Partner Maria Avedissian,

Documents
Storage system comparison: IBM System Storage …principledtechnologies.com/clients/reports/IBM/...of_IBM...Systems.pdf · commissioned by storage system comparison: ibm system storage

Storage system comparison: IBM System Storage …principledtechnologies.com/clients/reports/IBM/...of_IBM...Systems.pdf · commissioned by storage system comparison: ibm system storage

Documents
UNDERSTANDING SOC REPORTS - ESD

UNDERSTANDING SOC REPORTS - ESD

Documents
2018 Standard Occupational Classification User Guide s new in the 2018 SOC Return to contents In comparison with the 2010 SOC, the 2018 SOC had a net gain of 27 detailed occupations

2018 Standard Occupational Classification User Guide s new in the 2018 SOC Return to contents In comparison with the 2010 SOC, the 2018 SOC had a net gain of 27 detailed occupations

Documents
CASE REPORTS Comparison of Osteosynthesis Using Plates and

CASE REPORTS Comparison of Osteosynthesis Using Plates and

Documents
Amazon Recommendation Systems: Comparison Analysis …cs229.stanford.edu/proj2017/final-reports/5230053.pdfAmazon Recommendation Systems: Comparison Analysis between Traditional Techniques

Amazon Recommendation Systems: Comparison Analysis …cs229.stanford.edu/proj2017/final-reports/5230053.pdfAmazon Recommendation Systems: Comparison Analysis between Traditional Techniques

Documents
Round Table ISACA NL April 4 Tables/2011/2… · SOC 1 Reports Quick note on terminology ISAE 3402 SSAE 16 CSAE 3416 Service Organization Controls (SOC) 1 Reports Why SOC 1? •Many

Round Table ISACA NL April 4 Tables/2011/2… · SOC 1 Reports Quick note on terminology ISAE 3402 SSAE 16 CSAE 3416 Service Organization Controls (SOC) 1 Reports Why SOC 1? •Many

Documents
Presentation - Effectively using SOC1, SOC2, and SOC3 ... · — SOC 1 and SOC 2 reports each can be issued as a Type 1 or Type 2 — SOC reports most commonly cover the presentation,

Presentation - Effectively using SOC1, SOC2, and SOC3 ... · — SOC 1 and SOC 2 reports each can be issued as a Type 1 or Type 2 — SOC reports most commonly cover the presentation,

Documents
SOC 2 Reports – A Third Party Risk Management Tool for Cloud Providers

SOC 2 Reports – A Third Party Risk Management Tool for Cloud Providers

Documents
Aronson's Technology Risk Services SOC Reports Overview

Aronson's Technology Risk Services SOC Reports Overview

Technology
Evolving Business Practices Spur Transition from SAS 70 to SOC Reports

Evolving Business Practices Spur Transition from SAS 70 to SOC Reports

Economy & Finance
SUSTAINABILITY REPORTS COMPARISON BETWEEN PT HOLCIM

SUSTAINABILITY REPORTS COMPARISON BETWEEN PT HOLCIM

Documents
Spring 2005chris uggen – soc 41411 Lecture 4: Extent and Nature: Self-Reports

Spring 2005chris uggen – soc 41411 Lecture 4: Extent and Nature: Self-Reports

Documents
Effectively using SOC 1, SOC 2, and SOC 3 reports ... - KPMG · Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com

Effectively using SOC 1, SOC 2, and SOC 3 reports ... - KPMG · Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com

Documents
Virtual Security Operations Center (VSOC) Portal Reports ... · © Copyright IBM Corporation 2010-2016 Virtual SOC Portal Reports User Guide

Virtual Security Operations Center (VSOC) Portal Reports ... · © Copyright IBM Corporation 2010-2016 Virtual SOC Portal Reports User Guide

Documents
COMPARISON OF DIFFERENT IMAGE INTERPOLATION ALGORITHMSwvuscholar.wvu.edu/reports/Doma_Divya.pdf · COMPARISON OF DIFFERENT IMAGE INTERPOLATION ALGORITHMS By Divya Doma Problem Report

COMPARISON OF DIFFERENT IMAGE INTERPOLATION ALGORITHMSwvuscholar.wvu.edu/reports/Doma_Divya.pdf · COMPARISON OF DIFFERENT IMAGE INTERPOLATION ALGORITHMS By Divya Doma Problem Report

Documents
Using DoD SSAE 16/18 Service Organization Control (SOC ... · Discussion Topics 2 Using DoD SSAE 16/18 Service Organization Control (SOC) Reports 1) Service Organization Relationships

Using DoD SSAE 16/18 Service Organization Control (SOC ... · Discussion Topics 2 Using DoD SSAE 16/18 Service Organization Control (SOC) Reports 1) Service Organization Relationships

Documents
Service Organization Control (SOC) Reports and Cyber … Reports... · Service Organization Control (SOC) Reports and Cyber Security Maturity Model IIA Lunch and Learn Session 23rd

Service Organization Control (SOC) Reports and Cyber … Reports... · Service Organization Control (SOC) Reports and Cyber Security Maturity Model IIA Lunch and Learn Session 23rd

Documents
Leveraging SSAE 16 Reports Presentation_IASA.ppt… · •User Control Considerations (“UCCs”) –Review the UCCs within the SOC report –For reliance on SOC report, must ensure

Leveraging SSAE 16 Reports Presentation_IASA.ppt… · •User Control Considerations (“UCCs”) –Review the UCCs within the SOC report –For reliance on SOC report, must ensure

Documents
I reports In M (M , L for the BrazILIan fLora · 221 Bol. Soc. Argent. Bot. 50 (2) 2015 M. Morales ISSN 0373-580 X.. - Increasing reports in M for the Brazilian Flora Bol. Soc. Argent

I reports In M (M , L for the BrazILIan fLora · 221 Bol. Soc. Argent. Bot. 50 (2) 2015 M. Morales ISSN 0373-580 X.. - Increasing reports in M for the Brazilian Flora Bol. Soc. Argent

Documents
SOC Reports – The 2017 Update - What’s new-What’s not …m.isaca.org/chapters1/Northeast-Ohio/events/Documents/NEO ISACA... · SOC Reports – The 2017 Update: What’s new,

SOC Reports – The 2017 Update - What’s new-What’s not …m.isaca.org/chapters1/Northeast-Ohio/events/Documents/NEO ISACA... · SOC Reports – The 2017 Update: What’s new,

Documents
CLINICAL SCIENCE RADIOLOGICAL REPORTS: A COMPARISON

CLINICAL SCIENCE RADIOLOGICAL REPORTS: A COMPARISON

Documents
The Death of SAS 70(SOC) Reports Replace SAS 70 • With the retirement of the SAS 70 standard, traditional SAS 70 reports are being replaced by Service Organization Control Reports

The Death of SAS 70(SOC) Reports Replace SAS 70 • With the retirement of the SAS 70 standard, traditional SAS 70 reports are being replaced by Service Organization Control Reports

Documents
Service Organization Controls (SOC) Reportssfisaca.org/images/FC15_Presentations/C33.pdf · SOC 2 Reports PwC 6 SOC 2 reports are appropriate for engagements to report on controls

Service Organization Controls (SOC) Reportssfisaca.org/images/FC15_Presentations/C33.pdf · SOC 2 Reports PwC 6 SOC 2 reports are appropriate for engagements to report on controls

Documents
Letter and Comparison of EMC Buffer Reports April 2016

Letter and Comparison of EMC Buffer Reports April 2016

Documents
Presenting a live minute teleconference with …media.straffordpub.com/...1-soc-2-or-soc-3-reports.../presentation.pdf · There will be no sound over the web ... Best Practices Seminar

Presenting a live minute teleconference with …media.straffordpub.com/...1-soc-2-or-soc-3-reports.../presentation.pdf · There will be no sound over the web ... Best Practices Seminar

Documents
Reports-WSO2-PaaS Provider Comparison Guide

Reports-WSO2-PaaS Provider Comparison Guide

Documents
SOC Reporting / SSAE 18 Update July, 2017 · 2018. 3. 30. · • SOC 3 —SOC for Service Organizations: ... Reporting • SSAE 18 governs both SOC 1 and SOC 2 Reports. SSAE 18 Changes

SOC Reporting / SSAE 18 Update July, 2017 · 2018. 3. 30. · • SOC 3 —SOC for Service Organizations: ... Reporting • SSAE 18 governs both SOC 1 and SOC 2 Reports. SSAE 18 Changes

Documents
Information Systems Audit and Controls Association · PDF fileInformation Systems Audit and Controls Association Service Organization Control (SOC ) Reports — Focus on SOC 2 Reporting

Information Systems Audit and Controls Association · PDF fileInformation Systems Audit and Controls Association Service Organization Control (SOC ) Reports — Focus on SOC 2 Reporting

Documents