SOC 1 vs. SOC 2 | AICPA | Understanding the Key Differences & Similarities and What You Need to Know
The SOC 1 vs. SOC 2 discussion is well under way, thanks in large part to the American Institute of Certified Public Accountants' (AICPA) launch of its service organization reporting platform, known as the SOC framework. Officially, SOC stands for "Service Organization Control" (the AICPA has since renamed it "System and Organization Controls"), and the framework allows qualified practitioners (i.e., licensed and registered Certified Public Accountants) to issue SOC 1, SOC 2, and/or SOC 3 reports.
With the SSAE 16 standard (which is used for issuing SOC 1 reports) effectively replacing the longstanding SAS 70 auditing standard for reporting periods ending on or after June 15, 2011, there has been much debate regarding SOC 1 vs. SOC 2: specifically, when each is applicable, what the respective scope of each is, and what similarities and differences they share. SSAE 16 has itself since been replaced by the SSAE 18 standard for reports dated on or after May 1, 2017.
SSAE - Statement on Standards for Attestation Engagements (the AICPA attestation standards)
SAS - Statement on Auditing Standards (the AICPA auditing standards)
Goodbye SAS 70 and SSAE 16, and Hello to SSAE 18
Service Organization Control (SOC) 1 reports are conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16 (now SSAE No. 18), the AICPA "attest" standard that not only replaced SAS 70 but was intended to restore SAS 70's true intent: an audit over "internal control over financial reporting", more commonly known as the ICFR concept. Because SAS 70 had strayed heavily from its intended use, the newly formed SOC framework placed great emphasis on the ICFR component of service organization reporting, advocating that service organizations opt for a SOC 1 (for which you can obtain a SOC 1 SSAE 18 Type 1 or SOC 1 SSAE 18 Type 2 report) only if the organization has a true relationship and/or nexus with ICFR.
Note: the main purpose of SOC 1 is to conform to SSAE 16 (now SSAE 18), which replaced SAS 70 while reinforcing "internal control over financial reporting" (ICFR). An organization can obtain a SOC 1 Type 1 or Type 2 report.
A Type 1 report demonstrates that your company's internal financial controls are properly designed as of a point in time, while a Type 2 report further demonstrates that those controls operated effectively over a period.
Note: SOC 1 Type 1 shows that the organization's internal financial controls are properly designed; SOC 1 Type 2 shows that those controls have operated effectively over a period of time.
Say Hello to the SOC 2 Auditing Framework
To meet the growing needs of the ever-expanding population of technology companies that are classified as service organizations for SOC reporting, the AICPA put forth the SOC 2 framework, a reporting option specifically designed for entities such as data centers, I.T. managed service providers, software as a service (SaaS) vendors, and many other technology and cloud-computing based businesses. Within the SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles (TSP), since renamed the Trust Services Criteria (TSC), that are composed of the following five (5) sections:
· Security: the security of a service organization's system. (Systems and data need to be protected against unauthorized access and anything that could compromise their confidentiality, integrity, availability, and privacy.)
· Availability: the availability of a service organization's system. (Systems need to be available for use and operation as committed or agreed.)
· Processing integrity: the processing integrity of a service organization's system. (System processing must be complete, valid, accurate, timely, and authorized.)
· Confidentiality: the confidentiality of the information that the service organization's system processes or maintains for user entities. (Information designated as confidential needs to have appropriate protections.)
· Privacy: the privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
Similar to SOC 1, SOC 2 offers a Type 1 and a Type 2 report. The Type 1 report is a point-in-time snapshot of your organization's controls, validated by tests to determine whether the controls are designed appropriately. The Type 2 report looks at the operating effectiveness of those same controls over an extended period, usually 6 to 12 months.
Note: SOC 2 likewise has Type 1 and Type 2 reports. Type 1 attests to the suitability of control design at a point in time; Type 2 confirms the controls operated effectively over a longer observation period (typically up to one year).
Thus, the vast majority of service organizations that underwent SAS 70 compliance in recent years would "technically" fall under scope for a SOC 2 report, leaving the SOC 1 framework to organizations with a true ICFR relationship, such as those in financial services and other financially driven industries.
With that said, listed below is a brief description of SOC 1 and SOC 2 and the important components of each respective reporting platform:
Professional Standard used to perform the engagement:
· SOC 1: SSAE 16, Reporting on Controls at a Service Organization; now SSAE 18, Attestation Standards: Clarification and Recodification.
· SOC 2: AT Section 101, Attest Engagements (the AICPA attestation standards); also now superseded by SSAE 18.
AICPA Publications relating to each applicable SOC Framework:
· SOC 1: Statement on Standards for Attestation Engagements, "Reporting on Controls at a Service Organization", as published by the AICPA in 2010. "Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization Guide (SOC 1)", as published by the AICPA in 2011.
· SOC 2: Attestation Standards, Section 101 of the AICPA Codification of Standards (AT Section 101). "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)", as published by the AICPA in 2011.
New for SOC 1 reporting (as of 2017) is the following publication: "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (SOC 1(R)) - Guide".
Intended Subject Matter and Applicable Scope:
· SOC 1: Internal Control over Financial Reporting (ICFR).
· SOC 2: Controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, or privacy.
Intended Users of each Report:
· SOC 1: External auditors of the user organization's financial statements, management of the user organizations, and management of the service organization.
· SOC 2: Relevant parties that are knowledgeable about the services provided by the service organization and that have a genuine and credible need to use a SOC 2 report (for example, customers' security, risk, or vendor-management teams).
Your organization should pursue SOC 1 if your services impact your clients' financial reporting. For example, if your organization creates software that processes your clients' billing and collections data, you are affecting your clients' financial reporting, and thus a SOC 1 is appropriate. Another reason organizations pursue SOC 1 over SOC 2 is that their clients ask for a "right to audit." Without a SOC 1, satisfying such requests can be a costly and time-intensive process for both parties, especially if several of your clients submit similar requests. You may also need a SOC 1 to support a client's compliance requirement: if your clients are publicly traded, for example, their auditors will expect a SOC 1 to support the clients' Sarbanes-Oxley Act (SOX) Section 404 assessments of internal control over financial reporting.
SOC 2, on the other hand, is not required by any compliance framework, such as HIPAA or PCI DSS. But if your organization does not process financial data but processes or hosts other types of data, SOC 2 makes sense. With today's business climate being extraordinarily aware of and sensitive to data breaches, your clients may want proof that you are taking reasonable precautions to protect their data and prevent leaks.
SOC 1 vs. SOC 2 - Which one is the Best Choice?
Intent, however, often gives way to the political winds at play, which is currently the case with SOC 1 vs. SOC 2: most service organizations are simply migrating from the SAS 70 auditing standard to the SOC 1 SSAE 18 reporting framework, with little or no regard to the applicability and merits of the SOC 2 framework. Many technology and cloud-based vendors opted for SOC 1 SSAE 16 compliance and resisted the notion of SOC 2 reporting, as witnessed by Google's announcement at the time of SSAE 16 compliance for Google Apps.
If a well-known entity such as Google opts for the technically incorrect SOC 1 report, yet finds little or no resistance in the marketplace, the notion of SOC 2 gaining genuine credibility as a viable reporting option may not mature anytime soon. This may change, however, as service organizations and user entities alike are beginning to understand the differences between SOC 1 and SOC 2 and their intended uses.