
Maintaining high standards in SOC engagements

Dec. 6, 2023 · 3 min watch · AICPA & CIMA Insights Blog

Talking with experts and getting your questions answered are incomparable benefits of attending a conference.

At the AICPA® 2023 & CIMA® SOC & Third-Party Risk Management Conference, held earlier this year, attendees posed questions about real and hypothetical scenarios to a panel. The experts offered insights on the challenges SOC engagements face, including when vendor management controls are inadequate. Highlights from the one-hour Q&A session follow.

SOC reporting despite inadequate vendor management controls

A SOC 1® engagement involves reporting on the service organization's description of its system and on the design (and, in a type 2 report, the operating effectiveness) of the service organization's controls within that system. So, what do you do when there aren't any vendor management controls?

In a SOC 2® engagement, common criteria (CC) 9.2 of the trust services criteria gives you an opportunity to report when vendor management is not functioning adequately. A SOC 1 engagement differs from a SOC 2 engagement, however, which presents challenges when you need to articulate errors or inadequate controls related specifically to vendor management in a SOC 1 engagement.

When reviewing the classes of transactions in a SOC 1 engagement, there will be key elements of the systems that are used to process those transactions. Steven Ursillo, CPA, CISA, CISSP, CCSFP, partner and national leader for information assurance and cybersecurity at Cherry Bekaert LLP, explained, "If those transactions and the controls around those transactions are contingent upon certain elements of vendors' responsibilities, then obviously there's an expectation that there's some element of coverage that the service organization is providing in order to make sure that they are comfortable with the actions that are being performed to report properly."

Ursillo offered this advice: “It comes down to auditor judgment. … Vendor management can be a critical component of that and needs to be actioned accordingly with the right controls in order to substantiate the achievement of the control objective.”

SOC reports and ICFR dependencies

Factors to consider when conducting a SOC 1 or SOC 2 engagement extend beyond vendor management control objectives to include internal control over financial reporting (ICFR) dependencies.

Chris K. Halterman, CPA, SOC reporting leader at EY, said, "SOC 2 reports provide useful evidence, but not to the extent of a SOC 1 report." When conducting a SOC 1 audit, you'll need to concentrate "on the needs of the user auditors and user entities."

"The big area of focus is that when we're doing a SOC 1 audit, we put on the hat of focusing on the needs of users, particularly the user auditors and user entities, with regard to ICFR. However, when we put on the SOC 2 hat, it's a much broader perspective of how it relates to security, availability, processing integrity, confidentiality, privacy, principal service commitments, or system requirements.

"So, the two reports have different intended uses and different auditors, which is why when you try to leverage one or the other, you'll find you don't get enough information," Halterman said.

A nuanced understanding is vital for extracting sufficient information from the reports. And SOC practitioners need to advise clients to ensure they understand, as a service organization, their responsibilities in a SOC 1 or SOC 2 engagement.

But can you justify performing a SOC 1 examination when the subject matter isn't clearly ICFR?

Halterman offers this tip: "Remember that the subject matter has to be appropriate. And a system just may not be an appropriate subject matter for [a] SOC 1 report … SOC 1 has its own criteria. … If they're not appropriate, you shouldn't accept that engagement. You may need to work with your client to help them and their user entities understand exactly why and help better define what their needs are and make sure they're getting the right report and helping the client resolve that issue."

Timeframe for collecting evidence

Conference attendees were curious to know about an efficient timeframe for collecting evidence, and Shawn Linton, CPA/CITP, partner at EisnerAmper LLP, posed a hypothetical scenario to the panel regarding a type 1 report with an as-of date.

According to Halterman, it comes down to professional judgment. "That professional judgment is going to be reflected based on … what other controls are in place ... and how do they interrelate? How close have you collected evidence to the end of the period on those other controls?"

Neha Patel, CPA, CISA, CDPSE, and partner in charge of IT Advisory Services at Weaver and Tidwell LLP, added, "For a type 1 report, the service auditor is evaluating controls as of a specific date. If an auditor is using evidential support after the as-of date, the key question is what additional steps did the auditor take to validate a control that was in place in the past? Professional judgment and application are instrumental in regard to determining how far in advance or beyond the date you can go to maximize the level of assurance the report provides."

Additional SOC resources

Auditing the system-level controls of a service organization or the entity-level controls of other organizations is a noteworthy service offering that gives you a competitive edge.

The SOC for Service Organizations toolkit guides you through key considerations, such as determining scoping and pricing. The System and Organization Controls: SOC Suite of Services webpage provides resources for SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and SOC for Supply Chain examinations.

To learn more and get more of your questions answered, join us online or in Las Vegas for AICPA & CIMA ENGAGE 2024. Register by Dec. 19 and save $350.
