System and Organization Controls (SOC) Reports

As demand for your company's services grows, so do your customers' demands for assurance: assurance that you have taken the steps necessary to protect the privacy and confidentiality of their data as well as the security, availability and processing integrity of your systems. You are not alone. Hoping to reduce infrastructure costs, many organizations are turning to outsourcing and cloud computing solutions. Likewise, the demand for assurance over the integrity of these outsourced applications and functions has grown.

As a service organization providing outsourcing or cloud computing, you are an extension of your customers' system of internal control, and your customers rely on you to protect them from the risks of fraud, unauthorized use of data, loss of data and privacy violations.

The American Institute of Certified Public Accountants (AICPA) has provided the solution to demonstrate the reliability of your system of controls and to provide assurance to your customers by offering three System and Organization Controls (SOC) reporting options: SOC 1, SOC 2 and SOC 3.

Determining which System and Organization Controls (SOC) report is right for you

Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customers' financial statements?

  • Yes: SOC 1 report
  • Not at this time: continue to the next question

Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization's systems?

  • Yes: SOC 2 or SOC 3 report; the next two questions decide between them
  • Not at this time: no SOC report is needed at this time

Do you need to make the report available to the general public?

  • Yes: SOC 3 report
  • Not at this time: continue to the next question

Do your customers have the need for and the ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and the results of those tests?

  • Yes: SOC 2 report
  • No: SOC 3 report

SOC 1

SOC 1 reports address controls at a service organization that are likely to be relevant to an audit of a customer's financial statements.

A System and Organization Controls report, or SOC 1 report, is a formal audit of a service provider's controls that affect their customers' internal control over financial reporting. SOC 1 reports, often referred to by the names of the AICPA attestation standards that govern them, SAS 70 and SSAE 16 (now SSAE 18), are specifically intended to meet the requirements of the entities that use service organizations and those entities' financial statement auditors.

As of May 2017, the SSAE 18 attestation standard replaced SSAE 16. This update is intended to help simplify and unify international attestation standards. Most requirements remain unchanged; however, some key changes include:

  • Greater emphasis on risk assessment
  • Emphasis on vendor management programs
  • Monitoring of subservice organizations
  • Changes to the requirements for management's written assertion

SOC 1 reports fall into two types:

  • Type 1 – This report shows customers and their auditors that your organization's systems and controls are accurately described, that the controls are in place, and that those controls are designed to fulfill your financial control objectives as of a specified date.
  • Type 2 – This report provides the same information as the Type 1 report and additionally verifies that the controls are operating effectively, providing a description of the tests the auditor performed to make that determination and the results of those tests over a specified period of time.

Obtaining a third-party SOC 1 attestation report adds significant value to your organization and also provides your customers with an increased level of confidence. It sets you apart from the competition by demonstrating your commitment to the security of your customers' data and information.

SOC 2

SOC 2 and SOC 3 reports address controls at a service organization related to operations and compliance as identified in the AICPA's Trust Services Principles.

A SOC 2 report provides service organizations with an opinion on controls that are related to a predefined set of principles. Unlike a SOC 1 report, where control objectives and controls are specific to the industry and to the unique processes within a company, a SOC 2 report uses a standardized set of industry-neutral controls based on the AICPA's Trust Services Principles: security, availability, processing integrity, confidentiality and privacy. A SOC 2 report must include the security principle (known as the common criteria); inclusion of the remaining four principles is optional, based on the company's needs.

SOC 2 reports come in two types:

  • Type 1 – This report shows customers and their auditors that your organization's systems and controls are accurately described, that the controls are suitably designed, and that those controls are in place as of a specified date, or point in time.
  • Type 2 – This report demonstrates to customers and their auditors that your organization's systems and controls are accurately described and that the controls are suitably designed, and it includes a description of the tests performed to verify that the controls are operating effectively throughout a specified period of time.

Which Trust Services Principles should I select?

When selecting the Trust Services Principles for your SOC 2 report, first determine the scope of the engagement and the principles most applicable to your system. The following high-level definitions can help get you thinking about which principles apply to your organization:

  1. Security – the system is protected against unauthorized physical and logical access
  2. Availability – the system is accessible, as determined by service level agreements or contracts
  3. Processing integrity – system processing is complete, valid, accurate, timely and authorized
  4. Confidentiality – information designated as confidential is protected as agreed
  5. Privacy – personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity's privacy notice and the principles set forth by the AICPA

SOC 2 reports provide significant value in situations where customers and internal management must have confidence in the service organization's system of controls to provide security, availability, processing integrity, confidentiality and privacy. Beyond satisfying internal needs, the SOC 2 report is valuable to your existing customers because it provides a CPA-signed report as assurance of your systems and processes.

SOC 3


The SOC 3 report is intended to be used as a marketing tool for an unrestricted, expanded audience compared to that of a SOC 2 report, such as prospective customers, investors and so on. Similar to a SOC 2 report, the SOC 3 report provides an opinion on controls relevant to one or more of the Trust Services Principles (TSP). The SOC 3 report is unique in its lack of use restrictions and in the SOC 3 seal that may be displayed on your website, making it the ideal marketing tool for customers that must have confidence in the service organization's system of controls to provide security, availability, processing integrity, confidentiality and privacy.

Ready to learn more about how SSF's SOC reporting services can help your business?


Practice Leadership

杰夫·斯塔克, Risk Assurance Practice Leader
(408) 286-7780

布莱恩·比尔, Director, Risk Assurance
(408) 286-7780
