ISC


14 Terms

1

5 components of COSO framework

CRIME

Control environment

Risk assessment

Info and communication

Monitoring activities

Existing control activities

2

SOC 1

  • Internal controls financial reporting (ICFR)

  • Type 1 or 2

  • Restricted: service org mgmt, user entities, auditors

  • No “potential” users

3

SOC 2

  • CAPPS controls; S mandatory

  • Trust Services Criteria (TSC)

  • Type 1 or 2

  • Restricted: service org mgmt and other specified parties

  • Test of controls description/results

4

SOC 3

  • CAPPS controls

  • TSC for general use

  • Type 2 only

  • Nonrestricted

  • No description of system and no test of controls description/results

5

CAPPS controls

  • Confidential: maintain protected info

  • Available: operating systems

  • Processing integrity: inputs/outputs

  • Privacy: personal info collected/used/retained/disposed

  • Security: against unauthorized access

6

Type 1 SOC report

  • Specified date

  • Fairness of mgmt description

  • Control design

  • No test of controls description & results

7

Type 2 SOC report

  • Throughout period

  • Fairness of mgmt description

  • Control design & operating effectiveness

  • Test of controls description & results

8

SOC 2, Type 1

SOC 2, Type 2

SOC 3, Type 2

  • S2, T1: design only, NO op effectiveness and NO test of controls/result

  • S2, T2: design, op effectiveness, and test of controls/results

  • S3: design and op effectiveness, but NO test of controls/results

9

Control environment principles

EBOCA

  • Ethics & integrity

  • Board independence & oversight

  • Org structure

  • Commitment to competence

  • Accountability

10

Risk assessment principles

SAFR

  • Specify objectives

  • Assess changes

  • Fraud potential

  • Risks analyzed

11

Info & communication principles

OIE & FACT

12
13
14