System and Organization Controls (SOC) Reporting

As the demand for your company's services increases, so do the requests from your customers for assurance: assurance that you have taken the necessary steps to protect the privacy and confidentiality of their data and the security, availability and processing integrity of your systems. You are not alone. Looking to reduce infrastructure costs, many organizations are utilizing outsourcing and cloud computing solutions, and the demand for assurance over the integrity of these outsourced applications and functions has expanded along with them.

As a service organization providing outsourced or cloud computing services, you are an extension of your customers' internal control systems, and your customers rely on you to protect them from the risk of fraud, unauthorized use of data, loss of data and violation of privacy.

The American Institute of Certified Public Accountants (AICPA) offers a way to demonstrate the reliability of your system of controls and to provide assurance to your customers through three System and Organization Controls (SOC) reporting options: SOC 1, SOC 2 and SOC 3.

Identifying Which System and Organization Controls (SOC) Report Is Right For You

Decision flowchart (questions and outcomes):

  • Outcome: SOC 1 Report (otherwise: not this time).
  • Outcome: SOC 2 or SOC 3 Report (otherwise: no SOC this time).
  • Do you need to make the report generally available? Outcomes: SOC 3 Report; not this time.
  • Do your customers need, and have the ability to understand, the details of the processing and controls at the service organization, the tests performed by the service auditor and the results of those tests? Outcomes: SOC 2 Report; SOC 3 Report.


SOC 1 reports address controls at a service organization that may be relevant to an audit of the customer's financial statements.

A System and Organization Controls 1, or SOC 1, report is a formal audit of the controls at a service provider that affect its customers' internal control over financial reporting. SOC 1 reports, previously issued under the AICPA attestation standards SAS 70 and SSAE 16 (now SSAE 18), are intended specifically to meet the needs of entities that use service organizations and of the auditors of those entities' financial statements.

Effective May 2017, the SSAE 18 attestation standard superseded SSAE 16. The update was intended to help simplify and harmonize attestation standards internationally. Most requirements remained the same; however, some key changes include:

  • Stronger focus on risk assessment
  • Emphasis on vendor management programs
  • Monitoring of subservice organizations
  • Modifications to the written assertion requirements for management

There are two types of SOC 1 reports:

  • Type 1 – This report shows customers and their auditors that your organization's systems and controls are accurately described, that the controls are in place, and that the controls are suitably designed to achieve your financial control objectives as of a specified date.
  • Type 2 – This report provides the same information as the Type 1 report, while also verifying that the controls operated effectively, and it includes a description of the tests the auditors performed to determine that, and the results of those tests, over a specified period.

Obtaining a third-party SOC 1 attestation report adds significant value to your organization and gives your customers a higher level of confidence. It sets you apart from the competition by demonstrating your commitment to the security of customer data and information.


SOC 2 and SOC 3 reports address controls at a service organization relevant to operations and compliance, as identified in the AICPA's Trust Services Principles.

A SOC 2 report provides a service organization with an opinion on controls relevant to a predefined set of principles. Unlike a SOC 1 report, in which the control objectives and controls are specified for the processes unique to the industry and the company, a SOC 2 report uses a standardized, industry-neutral set of controls based on the AICPA's Trust Services Principles: security, availability, processing integrity, confidentiality and privacy. A SOC 2 report must include the security principle (known as the common criteria); the remaining four principles are optional, depending on the company's needs.

There are two types of SOC 2 reports: 

  • Type 1 – This report shows customers and their auditors that your organization's systems and controls are accurately described, that the controls are suitably designed, and that the controls are in place as of a specified date, or point in time.
  • Type 2 – This report attests to customers and their auditors that your organization's systems and controls are accurately described and that the controls are suitably designed, and it includes a description of the tests performed to verify that the controls operated effectively over a specified period.

Which Trust Services Principles should I select?

When selecting the Trust Services Principles that are right for your SOC 2 report, first determine the scope of the audit engagement and the principles most applicable to your system. The following high-level definitions can help you think about which principles apply to your organization:

  1. Security – The system is protected against unauthorized physical and logical access
  2. Availability – The system is accessible for operation and use, as determined by contract or service level agreement
  3. Processing Integrity – System processing is complete, valid, accurate, timely, and authorized
  4. Confidentiality – Information designated as confidential is protected as agreed
  5. Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity's privacy notice and with the principles set out by the AICPA

A SOC 2 report is of significant value where customers and internal management must have confidence in the service organization's system of controls to provide security, availability, processing integrity, confidentiality and privacy. In addition to addressing internal needs, a SOC 2 report is valuable to your existing customers because it provides a CPA-signed report as assurance over your systems and processes.


Compared to a SOC 2 report, a SOC 3 report is designed to serve as a marketing tool aimed at an unrestricted, broader audience.

Compared to a SOC 2 report, a SOC 3 report is designed to serve as a marketing tool aimed at an unrestricted, broader audience, such as potential customers, investors, etc. Like a SOC 2 report, a SOC 3 report provides an opinion on controls relevant to one or more of the Trust Services Principles (TSP). What makes a SOC 3 report unique is its lack of use restrictions and the SOC 3 seal you may display on your website; this makes it an ideal marketing tool for reaching customers who must have confidence in the service organization's system of controls to provide security, availability, processing integrity, confidentiality and privacy. Because a SOC 3 report omits the detailed description of the tests performed and their results, customers who need that detail should still be pointed to a SOC 2 report.

Ready to learn more about how SSF's SOC Reporting services can help your business?


Practice Leadership

Jeff Stark, Risk Assurance Practice Leader, (408) 286-7780
Brian Beal, Risk Assurance Director, (408) 286-7780