SOC 2 (System and Organization Controls 2) is a framework for managing customer data based on five Trust Service Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are crucial for service organizations to demonstrate that they have the necessary controls in place to protect client data. SOC 2 Section 5 Section …
SOC 2 (System and Organization Controls 2) Attestation is a framework for managing and auditing the security, availability, processing integrity, confidentiality, and privacy of information processed by a service organization. Established by the American Institute of Certified Public Accountants (AICPA), SOC 2 Attestation ensures that service organizations can securely handle the data they process for …
What is a System Description of a SOC 2 Report? A system description within the context of a SOC 2 (Service Organization Control 2) report is a detailed narrative that outlines the key components and operational aspects of a service provider’s system. This description is a critical element of SOC 2 compliance, providing users and …
What is SSAE 16? SSAE 16, otherwise known as Statement on Standards for Attestation Engagements No. 16, was an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It was issued in April 2010 and was specifically designed for service organizations that provide outsourced services. SSAE 16 was introduced to enhance the …
What is SSAE 18? SSAE 18, also known as Statement on Standards for Attestation Engagements No. 18, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It recently replaced the previous standard SSAE 16 in May 2017 and introduced several changes and enhancements to meet the evolving needs of the …
What is a system description? Generally speaking, a system description is a section of a technical document or report that provides an overview of the system, its structure and components, and explains how it works. It may also provide information about related systems and technologies used in conjunction with the main system. System descriptions are …
What is the carved-out vs inclusive method? Simply put, these are two different methods for SOC reporting of your subservice organizations specifically. Subservice organizations include managed service organizations, data center providers, cloud providers, etc. Think about modern-day businesses. It is no longer common practice to develop your own system end-to-end. You would rather make use …
SOC 2 attestation, explained Breaking it down into definitions, an ‘attestation’ is defined as “a declaration that something exists”, and “evidence or proof of something”. A synonym for attestation is the word ‘vouch’. That is the best way to simplify this. What is a SOC 2 attestation report in the compliance and audit world? Well, …
What SOC 2 compliance testing procedures does an auditor follow? This question can only be answered at a high-level. The reason for this is that the specific methodology of each auditing company varies. In all instances, the testing procedures that are defined, address the same requirements (i.e. a specific control is tested in a similar …
Overview of subservice organizations As part of the SOC 1 or SOC 2 process, an organization needs to go through an exercise to identify vendors that are performing a service to the organization. Once those vendors are identified, the organization needs to understand which of those services performed have an impact on the control environment …
What is the AICPA? The AICPA (American Institute of Certified Public Accountants) is the US’s organization of Professional CPAs (Certified Public Accountants). The AICPA is the founder and originator of the SOC reporting standard and audit. Furthermore, the AICPA is a very influential body of professional accountants, and they combine the skills and expertise of …
What is a SOC report? SOC stands for Service Organizations Controls. A SOC report provides a detailed assessment of the controls, processes, and implementation thereof within an organization. A SOC report is one the easiest and most effective ways to verify and ensure that an organization is following industry best standards and that the controls …
