One of the topics that is almost certain to appear on the CISSP exam is the types of audit engagements defined by Statement on Standards for Attestation Engagements No. 18 (SSAE No. 18, or simply SSAE 18), the AICPA standard under which service organisations are audited.
There are three types of System and Organization Controls (SOC) reports:
- SOC 1 – Internal Control over Financial Reporting (ICFR): controls at the service organisation that are relevant to its customers' financial statements
- SOC 2 – Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy); a restricted-use report, shared with customers and their auditors
- SOC 3 – Trust Services Criteria for General Use Report; a short summary of the SOC 2 opinion that can be published openly, e.g. on a website
Please note these for exam:
====>>> SOC 3 is for public (general) use, and SOC 2 is a restricted-use report for customers and their auditors!
====>>> SOC 1 is about controls relevant to financial reporting!
There are 2 types of SOC reports (this applies to SOC 1 and SOC 2 alike):
- Type I is a "point in time" report: it describes the service organisation's system and assesses whether the specified controls are suitably designed to meet the relevant criteria as of a given date. It is closer to a design and documentation review than to a thorough test of whether the controls actually work.
- Type II additionally addresses the operating effectiveness of the specified controls over a period of time, so the auditor tests that the controls operated as designed throughout that period. The review period is typically six to twelve months, and six months is generally treated as the minimum!