SlideShare a Scribd company logo

SOC 2: Build Trust and Confidence

Schellman & Company, profile picture
Schellman & Company

The document provides an overview of SOC 2 reports, emphasizing their importance for building trust and compliance with regulatory requirements. It outlines the AICPA framework, key principles, report types, and considerations for service organizations and user entities. Additionally, it includes mapping of SOC 2 to other standards and the necessity of third-party assessments in vendor management programs.

Technology
1 of 43
Downloaded 157 times
1
2
Most read
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Most read
17
18
19
20
21
22
23
24
25
26
Most read
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved SOC 2: Build Trust & Confidence Overview & Considerations
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved 01. Background / Overview of SOC 2 02. The AICPA Framework 03. Purpose and Scope 04. The Anatomy 05. Considerations 06. Mapping – Other Standards 06. Q/A Contents
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Background & Overview 01 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Growth & Popularity ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Service Auditors ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Service Providers
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved User Entities
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements User entity mandates
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements User entity mandates Vendor management programs
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements User entity mandates Vendor management programs Due diligence
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements User entity mandates Vendor management programs Due diligence Independent 3rd party opinion
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements User entity mandates Vendor management programs Due diligence Independent 3rd party opinion Competition and market
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Overview • What is a SOC 2 report? • How does a SOC 2 differ from a SOC 1 report • SOC 2 versus SOC 3
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Overview of the AICPA Framework 02 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved AICPA SOC Framework Applicable SOC-1 SOC-2 SOC-3 Standard/Guidance SSAE 16: AICPA Guide (2013) AT 101: AICPA Guide (2013) AT 101: Technical Practice Aid (2014) Scope ICFR Security/Systems, Privacy Security/Systems, Privacy Criteria Control Objectives Trust Services Principles/GAPP Trust Services Principles/GAPP Usage of report User auditor, user entity, management of SO Knowledgeable parties Anyone
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Purpose & Scope 03 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Purpose • What SOC 2 does cover? • What SOC 2 does cover?
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • System • Boundaries • Commitments • System Requirements Scope
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Principles • Security • Availability • Processing Integrity • Confidentiality • Privacy
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Common Criteria (Security): 1: Organization & Mgmt 2: Communications 3: Risk Mgmt & Controls 4: Monitoring of Controls 5: Logical and Physical Access 6: System Operations 7: Change Management Principles
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Principles Availability Common Criteria: +3 Processing Integrity Common Criteria: +6 Confidentiality Common Criteria: +6 Privacy Common Criteria: +74
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Type 1 • Type 2 Report Type
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The Anatomy 04 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Service Auditor’s Report – “The Opinion” Management’s Assertion Description of the System Tests of Controls and Corresponding Results Additional Information – Provided by Service Organization Report Structure
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Unqualified vs. Qualified Service Auditor’s Report
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Commitment - suitability and accuracy • Subservice organizations Management’s Assertion
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Management’s objective description of the services provided to user entities • Components of a System Description System Description
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Test procedures • Results • Deviations / Exceptions Test of Controls / Results
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Intended Use • Management of service organization • User entities of the services • Other knowledgeable parties
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Considerations 05 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Relevance To The User • RFP requirements • Customer mandates • Regulatory needs • Vendor management process
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Understanding Reporting • SOC 1 vs. SOC 2 • AT 101 • AT 601 • Agreed Upon Procedures • Readiness Assessment • PCI
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Education & Preparedness • Contracts, RFP, SLA • AICPA website • Training and awareness • Executive communication • Discussion with service auditor
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Control Environment • Start-up • Developing systems • No customers yet • Lack of documentation /evidence • No monitoring of controls
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Carve-out Vs Inclusive • Subservice organization • Carve-out method emphasis • Inclusive method requirements
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Perform a risk assessment Risk Assessment & Scope
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Internally • Service auditors Readiness Assessment
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Policies / Procedures • Segregation of duties • Monitoring Remediation
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Licensed CPA firm • Independent • Single vendor approach • Audit team Audit Firm Selection
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Mapping to Other Standards 06 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • SOC 1 • ISO 27001 • HIPAA • HITRUST • PCI Other Standards
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved View the WebinarView the Webinar

More Related Content

PPTX
SOC 2 Compliance and Certification
ControlCase
 
PDF
SOC 2 and You
Schellman & Company
 
PDF
SOC-2 Framework - Plan, Budget, Design, Integrate & Audit Security Controls
Mark S. Mahre
 
PDF
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
HITRUST Certification
ControlCase
 
PPTX
SOC 2 presentation. Overview of SOC 2 assessment
Modu9
 
PDF
EY Advisory Services
Mohit Madan
 
PPSX
GRC Governance, Risk mgmt. & Compliance Executive
Max Neira Schliemann
 
SOC 2 Compliance and Certification
ControlCase
 
SOC 2 and You
Schellman & Company
 
SOC-2 Framework - Plan, Budget, Design, Integrate & Audit Security Controls
Mark S. Mahre
 
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
HITRUST Certification
ControlCase
 
SOC 2 presentation. Overview of SOC 2 assessment
Modu9
 
EY Advisory Services
Mohit Madan
 
GRC Governance, Risk mgmt. & Compliance Executive
Max Neira Schliemann
 

What's hot (20)

PDF
SOC2 Intro and Mindfulness
EmilyGladstoneCole
 
PPTX
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
PPT
isms-presentation.ppt
HasnolAhmad2
 
PPTX
Soc 2 attestation or ISO 27001 certification - Which is better for organization
VISTA InfoSec
 
PDF
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
PDF
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
PDF
Enterprise Cybersecurity: From Strategy to Operating Model
Eryk Budi Pratama
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
PPTX
27001 awareness Training
Dr Madhu Aman Sharma
 
PPTX
Introduction to PCI DSS
Saumya Vishnoi
 
PDF
NIST cybersecurity framework
Shriya Rai
 
PPTX
SOC Architecture Workshop - Part 1
Priyanka Aash
 
PPTX
Control Standards for Information Security
JohnHPazEMCPMPITIL5G
 
PDF
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
PDF
ISO 27001
n|u - The Open Security Community
 
PPTX
New ISO 20000-1:2018 Changes, Implementation Steps
Integration Technologies Group Inc
 
PDF
What is ISO 27001 ISMS
Business Beam
 
PPTX
Project plan for ISO 27001
technakama
 
PDF
SOC 1 Overview
Schellman & Company
 
PDF
Soc 2 vs iso 27001 certification withh links converted-converted
VISTA InfoSec
 
SOC2 Intro and Mindfulness
EmilyGladstoneCole
 
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
isms-presentation.ppt
HasnolAhmad2
 
Soc 2 attestation or ISO 27001 certification - Which is better for organization
VISTA InfoSec
 
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Enterprise Cybersecurity: From Strategy to Operating Model
Eryk Budi Pratama
 
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
27001 awareness Training
Dr Madhu Aman Sharma
 
Introduction to PCI DSS
Saumya Vishnoi
 
NIST cybersecurity framework
Shriya Rai
 
SOC Architecture Workshop - Part 1
Priyanka Aash
 
Control Standards for Information Security
JohnHPazEMCPMPITIL5G
 
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
ISO 27001
n|u - The Open Security Community
 
New ISO 20000-1:2018 Changes, Implementation Steps
Integration Technologies Group Inc
 
What is ISO 27001 ISMS
Business Beam
 
Project plan for ISO 27001
technakama
 
SOC 1 Overview
Schellman & Company
 
Soc 2 vs iso 27001 certification withh links converted-converted
VISTA InfoSec
 
Ad

Similar to SOC 2: Build Trust and Confidence (20)

PDF
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Schellman & Company
 
PDF
CSA STAR Program
Schellman & Company
 
PDF
Salesforce.com Relaunch Featuring Customer Success Story From Aon
Rightpoint
 
PPTX
Issues Management In The Digital Age
Charlie Pownall
 
PPTX
Achieving SSAE 16 Certification
Gary Pennington
 
PDF
Facilities Management - Extending Service Automation to Outside Contractors
ServiceChannel
 
PDF
EPCS Overview
Schellman & Company
 
PPTX
Service Organizational Control (SOC 2) Compliance - Kloudlearn
KloudLearn
 
PPTX
Empowering ACOs: Leveraging Quality Management Tools for MIPS and Beyond
Health Catalyst
 
PPTX
Innovation TVA Presentation Deck
Joe Scherrer
 
PDF
CQS_ISO 2015_ASQR (4-16-15)
Lori Cohen
 
PDF
2016 AICPA Bank - CECL Governance
Dorsey Baskin
 
PPTX
Auditor Report on Controls to be used as Template.pptx
aramaky
 
PDF
Cigniti joint webinar with Soasta - Agile DevOps: Test-driven IT Environment ...
Cigniti Technologies Ltd
 
PDF
It12015
Jim Kaplan CIA CFE
 
PPTX
Customer Success in the Healthcare Industry
Gainsight
 
PDF
So CaTec 2015 metrics
Kathryn Kuhn
 
PPTX
BSW Value of Muni Audits
Ron Steinkamp
 
PDF
The Future of Auditing and Fraud Detection
Jim Kaplan CIA CFE
 
PDF
AgileCamp Silicon Valley 2015: Unlock Excellence with Agile Metrics
Hyperdrive Agile Leadership (powered by Bratton & Company)
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Schellman & Company
 
CSA STAR Program
Schellman & Company
 
Salesforce.com Relaunch Featuring Customer Success Story From Aon
Rightpoint
 
Issues Management In The Digital Age
Charlie Pownall
 
Achieving SSAE 16 Certification
Gary Pennington
 
Facilities Management - Extending Service Automation to Outside Contractors
ServiceChannel
 
EPCS Overview
Schellman & Company
 
Service Organizational Control (SOC 2) Compliance - Kloudlearn
KloudLearn
 
Empowering ACOs: Leveraging Quality Management Tools for MIPS and Beyond
Health Catalyst
 
Innovation TVA Presentation Deck
Joe Scherrer
 
CQS_ISO 2015_ASQR (4-16-15)
Lori Cohen
 
2016 AICPA Bank - CECL Governance
Dorsey Baskin
 
Auditor Report on Controls to be used as Template.pptx
aramaky
 
Cigniti joint webinar with Soasta - Agile DevOps: Test-driven IT Environment ...
Cigniti Technologies Ltd
 
It12015
Jim Kaplan CIA CFE
 
Customer Success in the Healthcare Industry
Gainsight
 
So CaTec 2015 metrics
Kathryn Kuhn
 
BSW Value of Muni Audits
Ron Steinkamp
 
The Future of Auditing and Fraud Detection
Jim Kaplan CIA CFE
 
AgileCamp Silicon Valley 2015: Unlock Excellence with Agile Metrics
Hyperdrive Agile Leadership (powered by Bratton & Company)
 
Ad

More from Schellman & Company (15)

PDF
Privacy in the Cloud- Introduction to ISO 27018
Schellman & Company
 
PDF
Demystifying the Cyber NISTs
Schellman & Company
 
PDF
Determining Scope for PCI DSS Compliance
Schellman & Company
 
PDF
Privacy shield: What You Need To Know About Storing EU Data
Schellman & Company
 
PDF
Everything You Need To Know About SOC 1
Schellman & Company
 
PDF
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Schellman & Company
 
PDF
PA-DSS and Application Penetration Testing
Schellman & Company
 
PDF
The CSA STAR Program: Certification & Attestation
Schellman & Company
 
PDF
Get Ready Now for HITRUST 2017
Schellman & Company
 
PDF
STAND OUT: Why You Should Become ISO 27001 Certified
Schellman & Company
 
PDF
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Schellman & Company
 
PDF
12 Steps to Preparing for a QAR
Schellman & Company
 
PDF
PCI DSS 3.0 Overview and Key Updates
Schellman & Company
 
PDF
10 Steps Toward FedRAMP Compliance
Schellman & Company
 
PDF
Your've Been Hacked in Florida! Now What?
Schellman & Company
 
Privacy in the Cloud- Introduction to ISO 27018
Schellman & Company
 
Demystifying the Cyber NISTs
Schellman & Company
 
Determining Scope for PCI DSS Compliance
Schellman & Company
 
Privacy shield: What You Need To Know About Storing EU Data
Schellman & Company
 
Everything You Need To Know About SOC 1
Schellman & Company
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Schellman & Company
 
PA-DSS and Application Penetration Testing
Schellman & Company
 
The CSA STAR Program: Certification & Attestation
Schellman & Company
 
Get Ready Now for HITRUST 2017
Schellman & Company
 
STAND OUT: Why You Should Become ISO 27001 Certified
Schellman & Company
 
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Schellman & Company
 
12 Steps to Preparing for a QAR
Schellman & Company
 
PCI DSS 3.0 Overview and Key Updates
Schellman & Company
 
10 Steps Toward FedRAMP Compliance
Schellman & Company
 
Your've Been Hacked in Florida! Now What?
Schellman & Company
 

Recently uploaded (20)

PPTX
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Advanced IT Governance
University of Hertfordshire
 
PDF
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Advanced IT Governance
University of Hertfordshire
 
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 

SOC 2: Build Trust and Confidence

  • 1. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved SOC 2: Build Trust & Confidence Overview & Considerations
  • 2. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved 01. Background / Overview of SOC 2 02. The AICPA Framework 03. Purpose and Scope 04. The Anatomy 05. Considerations 06. Mapping – Other Standards 06. Q/A Contents
  • 3. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Background & Overview 01 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 4. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Growth & Popularity ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 5. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Service Auditors ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 6. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Service Providers
  • 7. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved User Entities
  • 8. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements
  • 9. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements User entity mandates
  • 10. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements User entity mandates Vendor management programs
  • 11. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements User entity mandates Vendor management programs Due diligence
  • 12. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements User entity mandates Vendor management programs Due diligence Independent 3rd party opinion
  • 13. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Why Do You Need a SOC Report? Regulatory requirements User entity mandates Vendor management programs Due diligence Independent 3rd party opinion Competition and market
  • 14. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Overview • What is a SOC 2 report? • How does a SOC 2 differ from a SOC 1 report • SOC 2 versus SOC 3
  • 15. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Overview of the AICPA Framework 02 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 16. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved AICPA SOC Framework Applicable SOC-1 SOC-2 SOC-3 Standard/Guidance SSAE 16: AICPA Guide (2013) AT 101: AICPA Guide (2013) AT 101: Technical Practice Aid (2014) Scope ICFR Security/Systems, Privacy Security/Systems, Privacy Criteria Control Objectives Trust Services Principles/GAPP Trust Services Principles/GAPP Usage of report User auditor, user entity, management of SO Knowledgeable parties Anyone
  • 17. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Purpose & Scope 03 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 18. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Purpose • What SOC 2 does cover? • What SOC 2 does cover?
  • 19. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • System • Boundaries • Commitments • System Requirements Scope
  • 20. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Principles • Security • Availability • Processing Integrity • Confidentiality • Privacy
  • 21. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Common Criteria (Security): 1: Organization & Mgmt 2: Communications 3: Risk Mgmt & Controls 4: Monitoring of Controls 5: Logical and Physical Access 6: System Operations 7: Change Management Principles
  • 22. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Principles Availability Common Criteria: +3 Processing Integrity Common Criteria: +6 Confidentiality Common Criteria: +6 Privacy Common Criteria: +74
  • 23. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Type 1 • Type 2 Report Type
  • 24. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The Anatomy 04 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 25. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Service Auditor’s Report – “The Opinion” Management’s Assertion Description of the System Tests of Controls and Corresponding Results Additional Information – Provided by Service Organization Report Structure
  • 26. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Unqualified vs. Qualified Service Auditor’s Report
  • 27. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Commitment - suitability and accuracy • Subservice organizations Management’s Assertion
  • 28. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Management’s objective description of the services provided to user entities • Components of a System Description System Description
  • 29. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Test procedures • Results • Deviations / Exceptions Test of Controls / Results
  • 30. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Intended Use • Management of service organization • User entities of the services • Other knowledgeable parties
  • 31. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Considerations 05 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 32. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Relevance To The User • RFP requirements • Customer mandates • Regulatory needs • Vendor management process
  • 33. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Understanding Reporting • SOC 1 vs. SOC 2 • AT 101 • AT 601 • Agreed Upon Procedures • Readiness Assessment • PCI
  • 34. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Education & Preparedness • Contracts, RFP, SLA • AICPA website • Training and awareness • Executive communication • Discussion with service auditor
  • 35. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Control Environment • Start-up • Developing systems • No customers yet • Lack of documentation /evidence • No monitoring of controls
  • 36. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Carve-out Vs Inclusive • Subservice organization • Carve-out method emphasis • Inclusive method requirements
  • 37. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Perform a risk assessment Risk Assessment & Scope
  • 38. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Internally • Service auditors Readiness Assessment
  • 39. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Policies / Procedures • Segregation of duties • Monitoring Remediation
  • 40. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Licensed CPA firm • Independent • Single vendor approach • Audit team Audit Firm Selection
  • 41. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Mapping to Other Standards 06 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 42. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • SOC 1 • ISO 27001 • HIPAA • HITRUST • PCI Other Standards
  • 43. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved View the WebinarView the Webinar