2. What is Service Organization Control?
Service Organization Control practices relate to a world of privacy breaches and fraud, where Service Organization Control has come under the scrutiny of the government to ensure the confidentiality and integrity of user entities’ sensitive data.
3. What does Service Organization Control do?
Service Organization Control allows a company to outsource tasks or an entire function, which can undeniably help it operate more efficiently and profitably.
4. Why do you need SOC?
• You will communicate to clients and prospects your compliance with standards and industry best practices.
• You create a level playing field with your competitors.
• Your clients expect it.
5. What is Service Organization Control III?
• SOC III is the new framework for SOC reporting.
• It will show whether or not a service organization attained any of the Trust Service Principles and Criteria.
6. What are Trust Service Principles?
• Concentrated on e-commerce systems due to the massive amount of information that regularly circulates on the Internet.
• Reports derived from these principles can be either WebTrust or SysTrust.
• WebTrust can be classified as WebTrust Online Privacy, WebTrust Consumer Protection, and WebTrust for Certification Authorities.
• SysTrust covers security, availability, processing integrity, and confidentiality.
7. Purpose of SOC III Reports
• Address the users’ need for assurance regarding the service organization’s controls, such as security, availability, processing integrity, confidentiality, and privacy.
• Report non-financial controls that are pertinent to the service organization’s compliance and operations.
8. Scope of SOC III Reports
• Performed under AT 101, Attestation Engagements, and the AICPA Technical Practice Aid, Trust Services Principles, Criteria, and Illustrations.
• Cover the criteria laid out by AICPA, including the five key control domains.
9. Sample Application of SOC III Reports
• An auditor who assesses the processing integrity of the controls of a service organization will also test the timeliness, accuracy, completeness, and authorization of system inputs and outputs.
• The resulting report will give the user entity information on the quality of processing that it would otherwise not be able to acquire from simple monitoring.
10. SOC III vs SOC II
• Both reports focus on controls that are related to any of the Trust Services Principles.
• SOC III reports have less detailed information on the inner workings of the organization.
• SOC III reports are available to the public and can be used as a marketing tool.
11. SOC III vs SOC II
• SOC III reports only contain the auditor’s report regarding the system’s adherence to the Trust Service criteria, while SOC II reports contain a description of the auditor’s tests of controls, the outcome of these tests, and the service auditor’s opinion on the description of the service organization’s system.
12. Elements of a SOC III report
• Service auditor’s report.
• If used to address the privacy principle, an attestation from the service auditor about the service organization’s compliance with the commitments in its privacy practices will be incorporated in the report.
13. Benefits and Drawbacks of SOC III Reports
• Users do not have to absorb pages of comprehensive and thorough control descriptions and test procedures.
• The AICPA SOC III seal can be displayed; however, the service provider must meet all of the Criteria.
• Carving out important subservice providers is not allowed.
14. Good fortune is what happens when opportunity meets with planning.
- Thomas Alva Edison
BKM Sowan Horan, LLP
15301 Dallas Parkway, Suite 960
Dallas, Texas 75001
Phone: 214-545-3965
Fax: 214-545-3966
www.bkmsh.com
For more information about Basics of SOC III, please visit: http://bit.ly/BKMSH-Basics-of-SOC-III