WEBVTT

00:00:00.440 --> 00:00:05.260
Let's take a look at attestations for technical and financial reporting.

00:00:05.740 --> 00:00:09.890
The Service Organization Control audit framework is designed by the

00:00:09.900 --> 00:00:13.210
AICPA organization, American Institute of Certified Public

00:00:13.210 --> 00:00:17.350
Accountants, with three primary reports in mind.

00:00:18.240 --> 00:00:24.130
The first one, called a SOC1, is the report over financial controls.

00:00:24.140 --> 00:00:31.560
A SOC2 is over technical controls, and a SOC3 is a summary of a SOC2.

00:00:32.240 --> 00:00:37.690
The reports are all very much customer‑oriented so that the customer

00:00:37.690 --> 00:00:42.630
can have a set of confidence based on the opinion of the auditor, and

00:00:42.640 --> 00:00:48.530
there's at most an annual calendar that passes by for these reports

00:00:48.530 --> 00:00:50.060
to be conducted.

00:00:50.240 --> 00:00:53.810
A SOC1 report focuses solely on controls at a cloud service

00:00:53.810 --> 00:00:56.520
provider that are likely to be relevant to an audit of a

00:00:56.520 --> 00:00:58.850
subscriber's financial statements.

00:00:59.040 --> 00:00:59.970
In fact,

00:01:00.050 --> 00:01:04.769
it is called the internal control over financial reporting,

00:01:04.769 --> 00:01:10.990
ICOFR. And these reports are in two flavors.

00:01:11.000 --> 00:01:15.630
A Type 1, which is a report of fairness of the presentation of

00:01:15.630 --> 00:01:19.420
management's description of the service organization's system and the

00:01:19.420 --> 00:01:21.590
suitability of the design of the controls.

00:01:21.600 --> 00:01:25.630
So it would be good to think of that as a snapshot, a point in

00:01:25.630 --> 00:01:28.780
time, and it's just a presentation of the design.

00:01:28.780 --> 00:01:32.850
Whereas a Type 2 is a report on the fairness of the presentation, which

00:01:32.850 --> 00:01:37.330
would not only include the design, but the operating effectiveness. And so

00:01:37.330 --> 00:01:40.960
this is usually achieved over a period of time.

00:01:41.140 --> 00:01:44.850
A SOC2 contains what are called trust services

00:01:44.850 --> 00:01:47.340
principles or trust service criteria.

00:01:47.350 --> 00:01:50.530
There are five in number: security, availability,

00:01:50.530 --> 00:01:54.040
processing integrity, confidentiality, and privacy.

00:01:54.050 --> 00:01:59.220
This is meant to meet a large range of users that need detailed

00:01:59.220 --> 00:02:03.410
information and assurance about the controls at a service organization

00:02:03.420 --> 00:02:07.150
relevant to the five trust service principles.

00:02:07.430 --> 00:02:10.590
It can be, also as in a SOC1, a Type 1,

00:02:11.060 --> 00:02:14.030
which is just a point‑in‑time presentation of the design

00:02:14.030 --> 00:02:19.140
of the controls or a Type 2, which would be the proof of

00:02:19.150 --> 00:02:21.290
effectiveness of the controls.

00:02:21.300 --> 00:02:25.140
So this would be over a period of time, many months, in fact,

00:02:25.150 --> 00:02:27.160
that observation would take place.

00:02:27.540 --> 00:02:33.340
A SOC3 is a summary of a SOC2, often called a SysTrust

00:02:33.350 --> 00:02:36.260
security seal from the AICPA organization.

00:02:36.640 --> 00:02:39.240
This allows the assertion from the vendor's management regarding the

00:02:39.240 --> 00:02:43.130
effectiveness of the control, the auditor's opinion, and the vendor's

00:02:43.140 --> 00:02:48.310
infrastructure and services recognition. And it gives a significant

00:02:48.310 --> 00:02:53.300
level of assurance without giving away the details of either a SOC1 or

00:02:53.300 --> 00:02:57.260
a SOC2, which would not be published publicly because of the

00:02:57.260 --> 00:02:58.450
sensitivity of the data.

00:02:58.460 --> 00:03:03.190
Whereas a SOC3 can be a web seal that the organization uses for the public.

00:03:03.190 --> 00:03:05.780
There is no sensitive information inside of it.

00:03:05.790 --> 00:03:08.430
There's also what's called a SOC for Cybersecurity.

00:03:08.440 --> 00:03:15.910
This is the examination of an entity's enterprise‑wide assessment

00:03:15.920 --> 00:03:19.220
of their cybersecurity risk management program.

00:03:19.230 --> 00:03:22.670
It's done in a holistic way so that the reporting is

00:03:22.670 --> 00:03:26.990
communicated based upon relevant information for those who

00:03:26.990 --> 00:03:29.240
would want to consume services.

00:03:29.250 --> 00:03:32.460
They also have the trust services criteria for management to evaluate the

00:03:32.460 --> 00:03:38.210
effectiveness of controls and for attestation services. Next, we'll move

00:03:38.210 --> 00:03:41.750
over into the certification environment.
