Description
System and Organization Controls (SOC) Assessments are used by service organizations that provide critical, third-party outsourcing services to other companies. Examples of services provided by these organizations include: customer support, health care claims management, IT outsourcing services, and IT-based transaction processing, such as payroll processing.
Although these relationships may help companies increase revenues and reduce costs, they also introduce a new level of risk arising from interactions with the service organization and its systems.
While management can delegate responsibility for specific functions or processes to a service organization, management is still accountable for controls over those activities to shareholders, regulators, customers, boards of directors and other affected parties.
Since service organizations may have hundreds or even thousands of individual customers using their services, handling audit requests from that many customers would be overwhelming for the service provider. To help manage that audit process, the service organization can engage an independent outside party to perform a review of its controls that are relevant to the security, availability, integrity and confidentiality of its systems. This is the concept of “audit once – serve many” reporting.
While a SOC 1 assessment focuses on Internal Control over Financial Reporting (ICFR), in this course, we will explore the SOC 2 assessment that focuses on Trust Services Criteria and the scope/timing of testing that can be included in the SOC 2 report.
Course Key Concepts: System and Organization Controls, SOC, SOC 2 – Type 1, SOC 2 – Type 2, Security, Availability, Processing Integrity, Confidentiality, Privacy, Logical and Physical Access Controls, Systems Operations, Change Management, Risk Mitigation, Trust Services Criteria, COSO Integrated Control Framework.