
An Overview of System and Organization Controls (SOC) Reporting
System and Organization Controls (SOC) Reporting is used by service organizations that provide critical, third-party outsourcing services to other companies. Examples of services provided by these organizations include: customer support, health care claims management, IT outsourcing services, and IT-based transaction processing, such as payroll processing.
Although these relationships may help companies increase revenues and reduce costs, they also introduce a new level of risk arising from interactions with the service organization and its systems.
While management can delegate responsibility for specific functions or processes to a service organization, management is still accountable for controls over those activities to shareholders, regulators, customers, boards of directors and other affected parties.
Since service organizations may have hundreds or even thousands of individual customers using their services, handling audit requests from that many customers would be overwhelming for the service provider. To help manage that audit process, the service organization can engage an independent outside party to perform a review of the controls that are relevant to the security, availability, integrity and confidentiality of its systems. This is the concept of “audit once – serve many” reporting.
In this course, we will explore the types of SOC reports that are available and the scope/timing of testing that can be included in the SOC report.
Course Key Concepts: System and Organization Controls, SOC, SOC 1 – Type 1, SOC 1 – Type 2, SOC 2 – Type 1, SOC 2 – Type 2, SOC 3, SSAE 18, Data Security, Data Availability, Data Integrity, Data Confidentiality, ICFR, Internal Control over Financial Reporting, Trust Services Criteria.