S4 System and Organization Controls (SOC) Engagements

1. What is a SOC1 engagement?


Examination and reporting on controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting

2. What is a SOC2 engagement?

Examination and reporting on the security, availability, or processing integrity of a system, or the confidentiality or privacy of the information processed by the system

3. What is a SOC3 engagement?

Report on whether controls within the system were effective to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria

4. What is a Type 1 report?

Design of the controls to achieve the related control objectives included in the description as of a specified date

5. What is a Type 2 report?

Design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period

6. What are the five trust services categories?

  • Confidentiality

  • Availability

  • Processing integrity

  • Privacy

  • Security

7. What are the principles of the control environment?

  • Integrity and ethical values

  • Board of directors demonstrates independence from management

  • Structures, reporting lines, and appropriate authorities and responsibilities

  • Commitment to attract, develop, and retain competent individuals

  • Holds individuals accountable

8. What are the principles of risk assessment?

  • Specifies objectives with sufficient clarity

  • Identifies risks to the achievement of its objectives

  • Potential for fraud

  • Identifies and assesses changes

9. What are the principles of control activities?

  • Mitigation of risks

  • General control activities over technology

  • Control activities through policies

10. What are the principles of information and communication?

  • Obtains or generates and uses relevant, quality information

  • Internally communicates information

  • Communicates with external parties

11. What are the principles of monitoring activities?

  • Selects, develops, and performs ongoing and/or separate evaluations

  • Evaluates and communicates internal control deficiencies in a timely manner

12. What are the additional criteria for availability?

  • Entity maintains, monitors, and evaluates current processing capacity and use of system components

  • Ensures systems are available

  • Tests its recovery plan procedures

13. What are the additional criteria for processing integrity?

  • Obtains or generates, uses, and communicates relevant, quality information

  • Policies and procedures over system inputs

  • Policies and procedures over system processing

  • Policies and procedures to make available or deliver output that completely, accurately, and timely meets entity objectives

  • Policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely

14. What are the additional criteria for confidentiality?

  • Entity identifies and maintains confidential information

  • Entity disposes of confidential information

15. What are the key components of a SOC report?

  • Management’s Description of the System

  • Management’s Assertion

  • Independent Service Auditor’s Report

  • Auditor’s Test of Controls and Results of Tests (Type 2 only)

16. What are the elements of a SOC report?

  • Title

  • Addressee

  • Scope

  • Service Organization’s Responsibilities

  • Service Auditor’s Responsibilities

  • Inherent Limitations

  • Description of Tests of Controls (Type 2 only)

  • Other Matter (Type 1 only)

  • Opinion

  • Restricted Use

  • Service Auditor’s Signature

  • Service Auditor’s City and State

  • Date of the Service Auditor’s Report