2. What is the subject matter of the engagement?

SOC 1 Reports:
Controls at a service organization relevant to user entities' internal control over financial reporting.

SOC 2 Reports:
Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

If the report addresses the privacy principle, the service organization’s compliance with the commitments in its statement of privacy practices.

SOC 3 Reports:
Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

If the report addresses the privacy principle, the service organization’s compliance with the commitments in its statement of privacy practices.

3. What is the purpose of the report?

SOC 1 Reports:
To provide information to the auditor of a user entity’s financial statements about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. It enables the user auditor to perform risk assessment procedures, and if a type 2 report is provided, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing.

SOC 2 Reports:
To provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

A type 2 report that addresses the privacy principle also provides a CPA’s opinion about the service organization’s compliance with the commitments in its statement of privacy practices.

SOC 3 Reports:
To provide interested parties with a CPA’s opinion about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

A report that addresses the privacy principle also provides a CPA’s opinion about the service organization’s compliance with the commitments in its privacy notice.

4. What are the components of the report?

SOC 1 Reports:
A description of the service organization’s system.

A service auditor’s report that contains an opinion on the fairness of the presentation of the description of the service organization’s system, the suitability of the design of the controls, and in a type 2 report, the operating effectiveness of the controls.

In a type 2 report, a description of the service auditor’s tests of the controls and the results of the tests.

SOC 2 Reports:
A description of the service organization’s system.

A service auditor’s report that contains an opinion on the fairness of the presentation of the description of the service organization’s system, the suitability of the design of the controls, and in a type 2 report, the operating effectiveness of the controls.

If the report addresses the privacy principle, the service auditor’s opinion on whether the service organization complied with the commitments in its statement of privacy practices.

In a type 2 report, a description of the service auditor’s tests of controls and the results of the tests.

SOC 3 Reports:
A description of the system and its boundaries or, in the case of a report that addresses the privacy principle, a copy of the service organization’s privacy notice.

A service auditor’s report on whether the entity maintained effective controls over its system as it relates to the principle being reported on, such as security, availability, processing integrity, confidentiality, or privacy, based on the applicable trust services criteria.

If the report addresses the privacy principle, the service auditor’s opinion on whether the service organization complied with the commitments in its privacy notice.