System and Organization Controls (SOC) 2 Standard
(Redirected from SOC 2)
Jump to navigation
Jump to search
A System and Organization Controls (SOC) 2 Standard is an SOC standard for audit reports (SOC 2 reports).
- Context:
- It can be referenced by an Organizational Policy, especially an organizational risk-related policy.
- ...
- See: System And Organization Controls, SSAE No. 18, Internal Controls, NIST Special Publication 800-53, General Data Protection Regulation, Generally_Accepted_Auditing_Standards.
References
2023
- (Wikipedia, 2023) ⇒ https://en.wikipedia.org/wiki/System_and_Organization_Controls Retrieved:2023-7-27.
- System and Organization Controls (SOC), (also sometimes referred to as service organizations controls) as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Criteria.[1] The Trust Services Criteria were established by The AICPA through its Assurance Services Executive Committee (ASEC) in 2017 (2017 TSC). These control criteria are to be used by the practitioner/examiner (Certified Public Accountant, CPA) in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service. The engagements can be done on an entity wide, subsidiary, division, operating unit, product line or functional area basis. The Trust Services Criteria were modeled inconformity to The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework (COSO Framework). In addition, the Trust Services Criteria can be mapped to NIST SP 800 - 53 criteria and to EU General Data Protection Regulation (GDPR) Articles. The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.
- ↑ Cite error: Invalid
<ref>tag; no text was provided for refs namedImperva