System and Organization Controls

Last updated

System and Organization Controls (SOC; also sometimes referred to as service organizations controls) as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Criteria. [1] The Trust Services Criteria were established by The AICPA through its Assurance Services Executive Committee (ASEC) in 2017 (2017 TSC). These control criteria are to be used by the practitioner/examiner (Certified Public Accountant, CPA) in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service. The engagements can be done on an entity wide, subsidiary, division, operating unit, product line or functional area basis. The Trust Services Criteria were modeled in conformity to The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework (COSO Framework). In addition, the Trust Services Criteria can be mapped to NIST SP 800 - 53 criteria and to EU General Data Protection Regulation (GDPR) Articles. The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.

Contents

Trust Service Criteria

Trust Services Criteria were designed such that they can provide flexibility in application to better suit the unique controls implemented by an organization to address its unique risks and threats it faces. This is in contrast to other control frameworks that mandate specific controls whether applicable or not. Trust Services Criteria application in actual situations requires judgement as to suitability. The Trust Services Criteria are used when "evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, processing integrity, confidentiality or privacy of information and systems used to provide product or services" - AICPA - ASEC.

Organization of the Trust Services Criteria are aligned to the COSO framework's 17 principles with additional supplemental criteria organized into logical and physical access controls, system operations, change management and risk mitigation. Further, the additional supplemental criteria are shared among the Trust Services Criteria - Common Criteria (CC) and additional specific criteria for availability, processing integrity, confidentiality and privacy.

Common criteria are labeled as, Control environment (CC1.x), Information and communication (CC2.x), Risk assessment (CC3.x), Monitoring of controls (CC4.x) and Control activities related to the design and implementation of controls (CC5.x). Common criteria are suitable and complete for evaluation security criteria. However, there additional category specific criteria for Availability (A.x), Processing integrity (PI.x), Confidentiality (C.x) and Privacy (P.x). Criteria for each trust services categories addressed in an engagement are considered complete when all criterial associated with that category are addressed.

SOC 2 reports focus on controls addressed by five semi-overlapping categories called Trust Service Criteria which also support the CIA triad of information security: [1]

  1. Security - information and systems are protected against unauthorized access and disclosure, and damage to the system that could compromise the availability, confidentiality, integrity and privacy of the system.
    • Firewalls
    • Intrusion detection
    • Multi-factor authentication
  2. Availability - information and systems are available for operational use.
    • Performance monitoring
    • Disaster recovery
    • Incident handling
  3. Confidentiality - information is protected and available on a legitimate need to know basis. Applies to various types of sensitive information.
    • Encryption
    • Access controls
    • Firewalls
  4. Processing Integrity - system processing is complete, valid, accurate, timely and authorized.
    • Quality assurance
    • Process monitoring
    • Adherence to principle
  5. Privacy - personal information is collected, used, retained, disclosed and disposed according to policy. Privacy applies only to personal information.
    • Access control
    • Multi-factor authentication
    • Encryption

Reporting

Levels

There are two levels of SOC reports which are also specified by SSAE 18: [2]

Types

There are three types of SOC reports. [3]

Additionally, there are specialized SOC reports for Cybersecurity and Supply Chain. [8]

SOC 1 and SOC 2 reports are intended for a limited audience – specifically, users with an adequate understanding of the system in question. SOC 3 reports contain less specific information and can be distributed to the general public.

Audits

SOC 2 Audits can be carried out only by either a Certified Public Accountant (CPA) or a certified technical expert belonging to an audit firm licensed by the AICPA.

The SOC 2 Audit provides the organization’s detailed internal controls report made in compliance with the 5 trust service criteria. It shows how well the organization safeguards customer data and assures them that the organization provides services in a secure and reliable way. SOC 2 reports are therefore intended to be made available for the customers and other stakeholders only. [9]

See also

Related Research Articles

<span class="mw-page-title-main">American Institute of Certified Public Accountants</span> American trade group of financial transaction trackers

The American Institute of Certified Public Accountants (AICPA) is the national professional organization of Certified Public Accountants (CPAs) in the United States, with more than 428,000 members in 130 countries. Founded in 1887 as the American Association of Public Accountants (AAPA), the organization sets ethical standards and U.S. auditing standards. It also develops and grades the Uniform CPA Examination. AICPA is headquartered in Durham, North Carolina, and maintains additional offices in New York City, Washington, D.C., and Ewing, New Jersey.

<span class="mw-page-title-main">Certified Public Accountant</span> Title of qualified accountants in many countries

Certified Public Accountant (CPA) is the title of qualified accountants in numerous countries in the English-speaking world. It is generally equivalent to the title of chartered accountant in other English-speaking countries. In the United States, the CPA is a license to provide accounting services to the public. It is awarded by each of the 50 states for practice in that state. Additionally, all states except Hawaii have passed mobility laws to allow CPAs from other states to practice in their state. State licensing requirements vary, but the minimum standard requirements include passing the Uniform Certified Public Accountant Examination, 150 semester units of college education, and one year of accounting-related experience.

<span class="mw-page-title-main">Audit</span> Independent examination of an organization

An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.

<span class="mw-page-title-main">Assurance services</span> Profession giving information to reduce risk

Assurance service is an independent professional service, typically provided by Chartered or Certified Public Accountants or Chartered Certified Accountants, with the goal of improving information or the context of information so that decision makers can make more informed, and presumably better, decisions. Assurance services provide independent and professional opinions that reduce information risk.

An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

Information technology auditing began as electronic data process (EDP) auditing and developed largely as a result of the rise in technology in accounting systems, the need for IT control, and the impact of computers on the ability to perform attestation services. The last few years have been an exciting time in the world of IT auditing as a result of the accounting scandals and increased regulation. IT auditing has had a relatively short yet rich history when compared to auditing as a whole and remains an ever-changing field.

Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992, COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.

In the United States, Statements on Auditing Standards provide guidance to external auditors on generally accepted auditing standards in regards to auditing a non-public company and issuing a report. They are promulgated by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), which holds all copyright on the Standards. They are commonly abbreviated as "SAS" followed by their respective number and title.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.

<span class="mw-page-title-main">SOX 404 top–down risk assessment</span>

In financial auditing of public companies in the United States, SOX 404 top–down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.

Fraud deterrence has gained public recognition and spotlight since the 2002 inception of the Sarbanes-Oxley Act. Of the many reforms enacted through Sarbanes-Oxley, one major goal was to regain public confidence in the reliability of financial markets in the wake of corporate scandals such as Enron, WorldCom and Waste Management. Section 404 of Sarbanes Oxley mandated that public companies have an independent Audit of internal controls over financial reporting. In essence, the intent of the U.S. Congress in passing the Sarbanes Oxley Act was attempting to proactively deter financial misrepresentation (Fraud) in order to ensure more accurate financial reporting to increase investor confidence. This same concept is applied in the discussion of fraud deterrence.

ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information. It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Financial Executives International (FEI) is a member-service–oriented organization based in Morristown, New Jersey, for senior-level financial at companies of all types. FEI operates a separate nonprofit foundation: Financial Education & Research Foundation (FERF), which acts as an impartial financial resource for members and Foundation supporters.

Generally Accepted Privacy Principles (GAPP) is a framework intended to assist chartered accountants and certified public accountants in creating an effective privacy program for managing and preventing privacy risks. The framework was developed through joint consultation between the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) through the AICPA/CICA Privacy Task Force. It is a component of SOC 2.

International Standard on Assurance Engagements (ISAE) 3402, titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that describes Service Organization Control (SOC) engagements, which provides assurance to an organization's customer that the service organization has adequate internal controls. ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB) and published by the International Federation of Accountants (IFAC) in 2009. It supersedes SAS 70. and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls.

Statement on Standards for Attestation Engagements no. 16 is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 and has been superseded by SSAE No. 18.

Statement on Standards for Attestation Engagements no. 18 is a Generally Accepted Auditing Standard produced and published by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. Though it states that it could be applied to almost any subject matter, its focus is reporting on the quality of financial reporting. It pays particular attention to internal control, extending into the controls over information systems involved in financial reporting. It is intended for use by Certified Public Accountants performing attestation engagements, the preparation of a written opinion about a subject, and the client organizations preparing the reports that are the subject of the attestation engagement. It prescribes three levels of service: examination, review, and agreed-upon procedures. It also prescribes two types of reports: Type 1, which includes an assessment of internal control design, and Type 2, which additionally includes an assessment of the operating effectiveness of controls. Published April 2016, SSAE 18 and all previous standards it supersedes are represented in section AT-C of the AICPA Professional Standards, with most sections becoming effective on May 1, 2017.

References

  1. 1 2 "SOC 2 Compliance". imperva.com. Imperva. Retrieved 25 February 2020.
  2. "AICPA Statement on Standards for Attestation Engagements No. 18". AICPA & CIMA. AICPA. pp. 231–233. Retrieved 16 November 2023.
  3. "System and Organization Controls: SOC Suite of Services". AICPA. Retrieved 2020-03-06.
  4. "SOC 1 – SOC for Service Organizations: ICFR". AICPA. Retrieved 2020-03-06.
  5. "SOC 2 – SOC for Service Organizations: Trust Services Criteria". AICPA. Retrieved 2020-03-06.
  6. "2018 SOC 2® Description Criteria (With Revised Implementation Guidance – 2022)". AICPA.org. Retrieved February 27, 2023.
  7. "SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report". AICPA. Retrieved 2020-03-06.
  8. "System and Organization Controls: SOC Suite of Services". AICPA. Retrieved 2023-02-22.
  9. "Understanding SOC 2". Adaptive.live. Adaptive.