focuses on business process or financial controls at a service organization that are relevant to internal control over financial reporting.
Considered a “traditional” governance, risk, and compliance (GRC) report type that addresses controls at a service organization’s system related to the AICPA’s Trust Service Categories (TSCs) of security, availability, processing integrity of a system, or the confidentiality or privacy of the information processed by that system.
Most commonly a general-use version of a SOC 2 report with proprietary and/or confidential information removed, so that it can be made publicly available, such as on a website.
SOC for Cybersecurity
A report on an entity’s cybersecurity risk management program; meant for investors, boards of directors, and senior management.
SOC for Supply Chain
A report to help entities better assess and manage supply chain risk. This examination and report can provide an audited track record for customers, business partners, and other interested parties to show a commitment by the entity to these stakeholders.
CSA STAR Attestation
The SOC 2+ CSA STAR report was developed as a collaboration between the CSA and the AICPA to provide guidance for CPA firms to conduct STAR Attestations using criteria from the AICPA TSCs and the Cloud Control Matrix (CCM). This assessment utilizes the SOC 2 framework to report on the suitability of the design and operating effectiveness of a Cloud Service Provider’s (CSP’s) controls relevant to the applicable TSCs, which include Security, Availability, Confidentiality, Processing Integrity, and Privacy, and the suitability of the design and operating effectiveness of its controls in meeting the criteria in the CSA CCM.
A report on controls that addresses the Cloud Computing Compliance Criteria Catalogue (C5) developed by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI). CSPs can decide whether to meet only the basic criteria of the catalogue or to add the additional criteria where necessary. At a minimum, the catalogue consists of 121 criteria across 17 objectives or areas.
For subject matter outside of the above, we can issue reports based on agreed-upon procedures under SSAE standards. Our objectives in conducting an agreed-upon procedures engagement would be to:
- Apply procedures that are established by the specified parties.
- Issue a written practitioner's report that describes the procedures and findings.