CISSP PRACTICE QUESTIONS – 20210524

Effective CISSP Questions

You are working for a public company and evaluating an initiative to subscribe to cloud services to host an information system for financial reporting. The independent auditor is concerned with compliance requirements and the suitability of the design and operating effectiveness of the controls at the cloud service provider. Which of the following provides the best assurance to address the concern? (Wentz QOTD)
A. SOC 1 Type 1 Report
B. SOC 1 Type 2 Report
C. SOC 2 Type 1 Report
D. SOC 2 Type 2 Report

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. SOC 1 Type 2 Report.

Service Organization Control (SOC)

A public company is subject to the Sarbanes–Oxley Act (SOX) of 2002. SOX Section 404 “requires management and the external auditor to report on the adequacy of the company’s internal control on financial reporting (ICFR).” (Wikipedia)

If your company subscribes to cloud services to host its financial reporting system, part of its ICFR now depends on controls operated by the cloud service provider, and your company remains accountable for them. It is usually not feasible for a customer to audit the provider's controls directly, so cloud service providers commonly furnish SOC 1 reports to their customers (called user entities in SOC terminology). Because the auditor here is concerned with both the suitability of the design and the operating effectiveness of those controls, a SOC 1 Type 2 report, rather than a Type 1 report, provides the best assurance.

If your company subscribes to cloud services to process enterprise proprietary data or personal data rather than for financial reporting, SOC 2 reports, which address security, availability, processing integrity, confidentiality, and privacy instead of ICFR, provide the appropriate assurance.

SOC 1 and SOC 2

SOC 1 is the “Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR).” SOC 2 is the “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.” Both SOC 1 and SOC 2 have two types of reports:

  • Type 1: the auditor reports on the suitability of the design (and implementation) of the controls at the cloud service provider as of a specified date, i.e., a snapshot of the design.
  • Type 2: the auditor reports on both the suitability of the design and the operating effectiveness of the controls at the cloud service provider over a specified period, typically at least six months.

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

You are working for a public company and are evaluating an initiative to subscribe to cloud services to host an information system for financial reporting. The independent auditor is concerned with compliance requirements and the suitability of the design and operating effectiveness of the controls at the cloud service provider. Which of the following provides the best assurance to address the concern? (Wentz QOTD)
A. SOC 1 Type 1 Report
B. SOC 1 Type 2 Report
C. SOC 2 Type 1 Report
D. SOC 2 Type 2 Report
