Service Organization Control (SOC) 1

Part 1 - General information

1. Name of certification scheme

2. Acronym

3. Governing organisation

Governing organisation logo

4. What is the governance model (describe briefly the governance model, which organizations are in the board, if/how customers/providers can provide feedback on the overall scheme, etc)

Within SOC 1 reports the defined scope includes classes of transactions, procedures for processing and reporting transactions, accounting records, handling of significant events and conditions other than transactions, report preparation relevant to processing and reporting user transactions. The underlying control objectives are defined by the service provider and vary depending on type of service provided. SOC 1 reports conclude about fairness of presentation of management’s description of service organization’s system and suitability of design and effectiveness of the controls to achieve the related control objectives over a specified period. The reports are important components of user entities’ evaluation of internal controls over financial reporting to comply with laws/regulations regarding financial reporting and the user entities’ auditors as they plan and perform audits of the user entities’ financial statements. A SOC 1 report may be certified under Statement on Standards for Attestation Engagements (SSAE) No. 16 issued by American Institute of Certified Public Accountants (AICPA) or under International Standards on Assurance Engagements (ISAE) 3402 issued by International Auditing and Assurance Standards Board (IAASB).

5. Link to main site of scheme

6. Certification target

Certification scheme logo

Part 2 - Underlying information security standard or best practices

1. What is the underlying information security standard or best practice (describe briefly titles, structure, areas/domains addressed, et cetera)

2. Organisation governing the standard

3. Link to standard or best practice

4. What is the structure of the standard or best practice?

5. Which assets are covered

6. Is the standard or best practice available to the public?

7. Is the standard or best practice based on existing international standards?

8. Give one or more representative examples of a requirement set in the standard? (quote/or describe the requirement)

The standard requires the management of a service organization to set control objectives, in order to have controls in place that affect the internal control over financial reporting (ICFR). The co9ntrol objectives might be individually set, as they refer to the specific service provided within the defined environment and processes. An example might look like: Controls provide reasonable assurance that batch processing transactions are authorized as well as completely and accurately processed. For such a control objectives specific controls need to be designed, in order to comply with the set control objective (design effectiveness). Further the controls need to be implemented, such that an auditor is able to observe, inspect or re-perform the stated control (design effectiveness).

Part 3 - Assessments and certification of compliance

1. Describe the process leading to certification, from the assessments (self-assessment, auditing, and continuous monitoring) to the issuing of a certificate of compliance. (describe)

The service organization compiles its control objectives and designs adequate controls The service organization prepares a system and process description on the relevant aspects of the control environment The service organization implements the controls, documents the execution of controls and monitors the execution and documentation The service organization creates a management assertion on the fair presentation of its systems and controls An auditor is engaged to assess that the controls implemented were executed in an agreed period of time in the past (typically one year or six months) The auditor builds an opinion on the fair presentation of the systems and controls and issues the audit report

2. Which organisations are accredited to issue certificates? (describe briefly)

3. Which organisations license/certify auditors? (describe briefly)

4. How is the quality of the auditors guaranteed.

5. Is a description of the audit process publicly available?

link

http://www.ifac.org/sites/default/files/downloads/b014-2010-iaasb-handbook-isae-3402.pdf

6. Does the framework support quality or maturity levels?

description

7. Is self-assessment an option?

8. Is continuous monitoring part of the framework?

9. Are the results of assessments (self-assessments, auditing, monitoring) publicly accessible?

10. Is the scope of assessment publicly available?

link

http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AT-00801.pdf

11. Is the standard and/or framework updated following past incidents and/or changing technology.

description

The SOC 1 has replaced the former SAS 70.

12. Does certification expire?

description

The SOC 1 report is not a certification. It is issued at a moment in time or covering a period.

Part 4 - Current adoption and usage

1. Describe the current adoption of the certification framework. (describe briefly)

2. How many providers have been certified?

Remarks/notes

3. What is the reach of the certification scheme

4. What is the potential applicability of the certification scheme

5. Outlook, plans for the future

Part 5 - Security objectives