System and Organization Controls


System and Organization Controls (SOC), defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations to issue validated reports on the internal controls over the information systems that deliver their services to the users of those services. The reports focus on controls grouped into five categories called Trust Service Principles. The AICPA auditing standard Statement on Standards for Attestation Engagements (SSAE) no. 18, section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.

Trust Service Principles

The SOC reports focus on controls addressed by five semi-overlapping categories called Trust Service Principles, which also support the CIA triad of information security:

* Privacy
  * Access control
  * Multi-factor authentication
  * Encryption
* Security
  * Firewalls
  * Intrusion detection
  * Multi-factor authentication
* Availability
  * Performance monitoring
  * Disaster recovery
  * Incident handling
* Processing Integrity
  * Quality assurance
  * Process monitoring
* Confidentiality
  * Encryption
  * Access controls
  * Firewalls

Reporting

Levels

There are two levels of SOC reports, which are also specified by SSAE no. 18:

There are three types of SOC reports.