What is SOC (Service Organization Control)!🔥🔥🔥🗣

Video description: What is SOC (Service Organization Control)!🔥🔥🔥🗣

This video provides an overview of SOC, or Service Organization Controls, developed by the AICPA. As part of our SOC journey, you will learn about the following areas:
What is SOC?
What are the different versions of SOC reports available?
What criteria are tested during a SOC audit?
Why is it mandatory for organizations to be SOC compliant? And many more.
So stay tuned till the end of this video to get an overview of SOC.
In 2010, the American Institute of Certified Public Accountants (AICPA) announced that the existing SAS 70 standard would be replaced by a new auditing standard called SSAE 16, or Statement on Standards for Attestation.
Historically, SAS 70 was intended for financial and accounting auditing only, whereas the SSAE 16 audit was designed to verify a data center's operational and security excellence.
Under the new SSAE 16 standard there are 3 reports available, namely:
SOC 1
SOC 2
And SOC 3
As you can see, the SOC hierarchy is divided into these 3 parts.
What is the meaning of these 3 different reports?
A SOC 1 report is mainly used for examining the controls over financial reporting, whereas SOC 2 and SOC 3 reports are focused on a pre-defined, standardized benchmark for controls related to:
Security, processing integrity, confidentiality, and privacy of the data center's systems and information.
SOC 2 goes into detail in examining operational effectiveness.
As per the AICPA.org guidelines, these reports are very detailed and useful for understanding the oversight of the organization, the supplier management process, governance and risk management, and regulatory oversight.
SOC 3 is for public use, and provides the highest level of certification and assurance of operational excellence that a data center can receive.

The major difference between SOC 2 and SOC 3 reports is that a SOC 2 report provides the auditor's testing and results, while a SOC 3 report provides a system description and the auditor's opinion, which organizations can make public.
SOC 2 reports, by contrast, are not made public and are shared only with an NDA (Non-Disclosure Agreement) in place. Both SOC 1 and SOC 2 reports can be issued as either Type 1 or Type 2 reports.
Now the question is: what is the difference between the two report types?
In a Type 1 report, the report is issued as of a specific date, for example: the report is issued as per the management's description of the service organization as of 5th Aug 2020. This means the tested controls are working as expected as of the date mentioned.
In a Type 2 report, the report is issued for a specified period, for example 1st Jan 2019 to 31st Dec 2019. This means the effectiveness of the tested controls was audited over the specified period and found to be satisfactory.
Now let's understand the purpose and usage of SOC 1, SOC 2 and SOC 3.
SOC 1
Internal controls over financial reporting
Used by auditors
SOC 2
Security, Availability, Processing Integrity, Confidentiality and Privacy controls
Shared under NDA by management with their existing or potential customers
SOC 3
Security, Availability, Processing Integrity, Confidentiality and Privacy controls
Publicly available to anyone, so sharing a SOC 3 report does not require an NDA
So this is the major difference we see when reviewing the Type 1 and Type 2 reports. I hope this is clear now.
Now let's understand the Trust Services Criteria, or Principles, of SOC auditing.

The following principles and related criteria are used by practitioners in the performance of SOC 2 engagements:
Security, Availability, Processing Integrity, Confidentiality and Privacy.

Let's look at each of these areas in more detail.
Security: The system is protected against unauthorized access (both physical and logical).

Availability: The system is available for operation and use as committed or agreed.

Processing Integrity: System processing is complete, accurate, timely, and authorized.

Confidentiality: Information designated as confidential is protected as committed or agreed.

Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the
commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.

Now the question is: why is SOC important for organizations?
It is very simple.
Service Organization Controls (SOC) reports help companies establish trust and confidence in their service delivery processes and controls. That gives their customers confidence in the controls implemented to protect information and information systems.
