System and Organization Controls (SOC 1 / SOC 2)

SOC 1 Overview for Implementation
Service Organisation Controls – SOC 1 aims to protect the interests of the user entity while it receives services from the service organisation. Implementing the framework demonstrates internal control over financial reporting (ICFR).

SOC 2 Overview for Implementation
The System and Organisation Controls – SOC 2 aims to protect the interests of the user entity while it receives services from the service organisation. This is assured by the attestation a Certified Public Accountant (CPA) provides when issuing a Type 1 report or a Type 2 report. A Type 1 report attests to control testing at a point in time, whereas a Type 2 report results from testing controls over a period of time.

We have a phased methodology to help achieve successful SOC 1 / SOC 2 compliance.

SOC 1

  • Internal Controls
  • Financial Reporting
  • Type 1 – design of the controls
  • Type 2 – design and operating effectiveness of the controls
SOC 2

  • Internal Controls
  • Trust Principles
  • Security, Availability, Processing integrity of systems
  • Confidentiality and privacy of user information
  • Type 1 – design of the controls
  • Type 2 – design and operating effectiveness of the controls
SOC 3

  • Internal Controls
  • Security, availability, processing integrity, confidentiality, or privacy
  • General-use reports: SOC 3 reports can be freely distributed.

SOC 2 Trust Principles

SOC 2 has the following five principles; each is listed below with its objective.

  • Security (Common Criteria): The system is protected, both logically and physically, against unauthorised access.
  • Availability: The system is available for operation and use as committed or agreed to.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information that is designated ‘confidential’ is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants, and the Canadian Institute of Chartered Public Accountants (CICA).

Each of these principles breaks down into more detailed risks and controls that must be satisfied.

ISAE 3402

Attestation standard used by professional accountants globally to attest to SOC 1 controls.

SSAE 18

Attestation standard used by US-based CPAs to attest to SOC 1 controls.