Download Presentation - Plante Moran

More documents

Recommendations

Info

SOC – Types of Engagements SOC engagements are designed to meet the needs of user entities and other stakeholders by providing service organizations with criteria for describing their systems, criteria for evaluating the suitability of design and operating effectiveness of the service organization’s controls, and an independent CPA’s opinion on the description of the system and the design and operating effectiveness of the service organization’s controls. There are three SOC report options: SOC 1 reports are performed in accordance with the Statement of Standards for Attestation Engagements (SSAE 16) and focus solely on controls at the service organization that are relevant to the audit of a user’s financial statements. SOC 2 reports are performed under Attestation Standards (AT) Section 101 “Attest Engagements”, and are based on the AICPA’s Trust Services Principles and Criteria. These reports address one or more of the following key system attributes: security, availability, processing integrity, confidentiality, and privacy. There are two types of reports for both SOC 1 and SOC 2 examination s. A Type 1 and Type 2 SOC 3 reports use the same Trust Services Principles and Criteria as SOC 2. Like SOC 2, SOC 3 reports can address one or more of the five Trust Services Principles and Criteria. SOC 3 reports differ from SOC 2 reports in that they are for general use, without a description of the service auditor’s tests and results. 10
SOC – Types of Engagements Regardless of whether a SOC 1 or 2 is chosen, there are two types of SOC examinations. A Type I examination provides assurance over the design of controls and a Type II examination provides assurance over the design of controls and their operating effectiveness. SOC 3 examinations provide assurance over both the design of controls and their operating effectiveness (i.e., Type II). Type I Coverage A Type I report examines the suitability of the design of controls in meeting specified control objectives or the applicable trust services criteria, as of a specified date (e.g. June 30). Control Design An opinion is given on (1) the fairness of the presentation of management’s description of its system, and (2) the suitability of the design of controls in meeting the specified control objectives (SOC 1) or trust services criteria (SOC 2 and 3). Type II A Type II report examines the suitability of the design of controls, and the operating effectiveness of the controls over a specified period (e.g. January 1 to June 30). An opinion is given on (1) the fairness of the presentation of management’s description of its system, and (2) the suitability of the design of controls in meeting the specified control objectives (SOC 1) or trust services criteria (SOC 2 and 3) during the period specified. Control Effectiveness N/A An opinion is given on the (3) operating effectiveness of the controls in meeting the specified control objectives (SOC 1) or trust services criteria (SOC 2 and 3) during the period specified. 11
Page 1 and 2: Service Organizations Control (SOC)
Page 3 and 4: Introduction Many companies functio
Page 5 and 6: Service Organizations that need a S
Page 7 and 8: Benefits to User Organization User
Page 9: Reasons for New Standard Clear con
Page 13 and 14: SOC 1 Control Objective Examples IT
Page 15 and 16: SAS 70 vs. SSAE 16 Report Date Plan
Page 17 and 18: Preparing for a SOC Review (cont.)
Page 19 and 20: Preparing for a SOC Review (cont.)
Page 21 and 22: Case Study - Risk Assessment Object
Page 23 and 24: During the SOC Review Types of Test
Page 25 and 26: Reporting Types of Opinions Unqual
Page 27 and 28: Management Assertion (additional re
Page 29 and 30: SOC Seals & Logos There are three

Download Presentation - Plante Moran

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?