[Notes] The difference between SOC 1 and SOC 2

SOC 1 vs. SOC 2 | AICPA | Understanding the Key Differences & Similarities and What You Need to Know

SOC 1 vs. SOC 2 Overview and Differences (socreports.com)

🔑 Key differences between SOC 1 vs SOC 2 explained | strongDM

The SOC 1 vs. SOC 2 discussion is well under way, thanks in large part to the American Institute of Certified Public Accountants' (AICPA) launch of its service organization reporting platform, known as the SOC framework. Officially, SOC stands for "System and Organization Controls" (originally "Service Organization Controls"), and the framework allows qualified practitioners (i.e., licensed and registered Certified Public Accountants) to issue SOC 1, SOC 2, and/or SOC 3 reports.

With the SSAE 16 standard (which was used for issuing SOC 1 reports) effectively replacing the longstanding SAS 70 auditing standard for reporting periods ending on or after June 15, 2011, there has been much debate regarding SOC 1 vs. SOC 2: specifically, when each is applicable, what the respective scope of each is, and what similarities and differences they share. SSAE 16 has since itself been superseded by SSAE 18, which is effective for practitioners' reports dated on or after May 1, 2017.

        SSAE - Statement on Standards for Attestation Engagements (the AICPA attestation standards)

        SAS - Statement on Auditing Standards (the AICPA auditing standards)

Goodbye SAS 70 and SSAE 16, and Hello to SSAE 18

Service Organization Control (SOC) 1 reports were originally conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, the AICPA "attest" standard that not only replaced SAS 70 but was intended to reinforce SAS 70's true intent: an audit conducted over "internal control over financial reporting", more commonly known as the ICFR concept. Because SAS 70 had strayed heavily from its intended use, the newly formed SOC framework placed great emphasis on the ICFR component of service organization reporting, steering service organizations toward a SOC 1 report (either a SOC 1 Type 1 or a SOC 1 Type 2, now issued under SSAE 18) only if the organization has a genuine relationship with, or nexus to, its user entities' ICFR.

SOC 1's main purpose is to satisfy SSAE 16 (now SSAE 18), which replaced SAS 70 while re-emphasizing "internal control over financial reporting" (ICFR). An organization can obtain a SOC 1 Type 1 or Type 2 report.

A Type 1 report demonstrates that your company's internal financial controls are suitably designed as of a point in time, while a Type 2 report further demonstrates that those controls operated effectively over a defined review period.

A SOC 1 Type 1 report attests that the organization's internal financial controls are suitably designed; a SOC 1 Type 2 report attests that those controls have operated effectively over a period of time.

Say Hello to the SOC 2 Auditing Framework

To meet the growing needs of the ever-expanding set of technology companies that are classified as service organizations for SOC reporting, the AICPA put forth the SOC 2 framework, a reporting option specifically designed for entities such as data centers, I.T. managed service providers, software as a service (SaaS) vendors, and many other technology and cloud-computing based businesses. Within the SOC 2 framework is a comprehensive set of criteria originally known as the Trust Services Principles (TSP), and since the 2017 revision as the Trust Services Criteria (TSC), composed of the following five (5) categories:

•    Security: the security of a service organization's system. (Systems and data need to be protected against unauthorized access and anything else that could compromise their confidentiality, integrity, availability or privacy.)
•    Availability: the availability of a service organization's system. (Systems need to be available for use and operation as committed or agreed.)
•    Processing integrity: the processing integrity of a service organization's system. (System processing must be complete, valid, accurate, timely and authorized.)
•    Confidentiality: the confidentiality of the information that the service organization's system processes or maintains for user entities. (Information designated as confidential needs appropriate protection.)
•    Privacy: the privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.

Security (the "common criteria") is in scope for every SOC 2 examination; the other four categories are included at the service organization's discretion, based on the commitments it makes to its customers. Similar to SOC 1, SOC 2 offers a Type 1 and a Type 2 report. The Type 1 report is a point-in-time snapshot of your organization's controls, validated by tests to determine whether the controls are suitably designed. The Type 2 report looks at the operating effectiveness of those same controls over an extended period, commonly 6 to 12 months.

SOC 2 likewise has Type 1 and Type 2 reports: Type 1 attests that the controls are suitably designed as of now, and Type 2 confirms through observation over a longer period (usually up to a year) that the controls operate effectively.

Thus, the vast majority of service organizations that underwent SAS 70 compliance in recent years would "technically" fall under scope for a SOC 2 report, leaving the SOC 1 framework to organizations with a true ICFR relationship, such as those in financial services and other financially driven industries. 
With that said, listed below is a brief description of SOC 1 and SOC 2 and the important components of each respective reporting platform (a summary of the differences between SOC 1 and SOC 2):

Professional standard used to perform the engagement (the two frameworks follow different professional standards):

•    SOC 1: originally SSAE 16, Reporting on Controls at a Service Organization; now SSAE No. 18, Attestation Standards: Clarification and Recodification (specifically AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting).

•    SOC 2: originally AT Section 101; under SSAE 18 the engagement is performed under AT-C Section 105 (Concepts Common to All Attestation Engagements) and AT-C Section 205 (Examination Engagements), with the Trust Services Criteria as the subject-matter criteria.

AICPA publications relating to each applicable SOC framework (the target organizations differ: financial controls vs. technology controls):

•    SOC 1: Statement on Standards for Attestation Engagements, "Reporting on Controls at a Service Organization" as published by the AICPA in 2010.   "Service Organizations: Applying SSAE No. 16, Reporting on Controls at a Service Organization Guide (SOC 1)", as published by the AICPA in 2011. 
•    SOC 2: Attestation Standards, Section 101 of the AICPA Codification Standards (AT Section 101).  "Reporting on  Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)", as published by the AICPA in 2011. 

New for SOC 1 reporting (as of 2017) is the following publication: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (SOC 1(R)) - Guide.

Intended subject matter and applicable scope (the intended objective and scope differ):

•    SOC 1: Internal Controls over Financial Reporting (ICFR).
•    SOC 2: Controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, or privacy.

Intended users of each report (the target audience differs: external auditors plus user-entity and service-organization management vs. parties that need a basis for trusting the service's technical controls):

•    SOC 1: The external auditors of the user organizations' financial statements, management of the user organizations, and management of the service organization.
•    SOC 2: Relevant parties who are knowledgeable about the services provided by the service organization and who have a genuine need to rely on a SOC 2 report (for example, customers, prospective customers, business partners, and regulators).


Whether to choose SOC 1 or SOC 2 depends primarily on whether your services affect the controls your customers rely on for their financial audits.

Your organization should pursue SOC 1 if your services impact your clients' financial reporting. For example, if your organization builds software that processes your clients' billing and collections data, you are affecting your clients' financial reporting, and thus a SOC 1 is appropriate. Another reason organizations pursue SOC 1 over SOC 2 is that their clients ask for a "right to audit". Without a SOC 1 report, satisfying such requests can be a costly and time-intensive process for both parties, especially if several clients submit similar requests. You may also need a SOC 1 as part of a compliance requirement: if your clients are publicly traded companies subject to the Sarbanes-Oxley Act (SOX), their financial statement auditors will typically expect a SOC 1 report covering the services you provide to them.

SOC 2, on the other hand, is not mandated by any regulation or compliance framework such as HIPAA or PCI DSS. But if your organization does not process financial data yet processes or hosts other types of customer data, SOC 2 makes sense. With today's business climate being extraordinarily aware of and sensitive to data breaches, your clients may want proof that you are taking reasonable precautions to protect their data and prevent leaks. We built an open source template for SOC 2 teams.


SOC 1 vs. SOC 2 - Which one is the best choice?

But intent often gives way to the political winds at play, which has been the case with SOC 1 vs. SOC 2: most service organizations simply migrated from the SAS 70 auditing standard to the SOC 1 (SSAE 16, now SSAE 18) reporting framework, with little or no regard to the applicability and merits of the SOC 2 framework. Many technology and cloud-based vendors opted for SOC 1 compliance and resisted the notion of SOC 2 reporting, as witnessed by Google's announcement of SSAE 16 compliance for Google Apps.

If a well-known entity such as Google opts for the technically incorrect SOC framework, yet finds little or no resistance in the marketplace, SOC 2 may not gain genuine credibility as a viable reporting option any time soon. This may change, however, as service organizations and user entities alike begin to understand the differences between SOC 1 and SOC 2 and their intended uses.


SOC 2 Compliance Software: Everything you need to comply (strongdm.com)

GitHub - strongdm/comply: Compliance automation framework, focused on SOC2

strongdm-essential-guide-to-starting-soc-2.pdf
