The one that requires a service organization to describe its system and define its control objectives and controls relevant to the user's internal control over financial reporting is B.
Service Organization Control 1 (SOC 1)
A. Statement on Auditing Standards (SAS) 70: SAS 70, replaced by SSAE 16 (Reporting on Controls at a Service Organization), did not focus on a service organization's impact on a user's internal control over financial reporting.
B. Service Organization Control 1 (SOC 1): A SOC 1 report is specifically designed for situations where a service organization's services impact the financial reporting of its clients. It mandates the service organization to outline its system, control objectives, and the controls relevant to the user's financial reporting.
C. Service Organization Control 2 (SOC 2): A SOC 2 report centers on a broader range of controls, including security, availability, and confidentiality. It doesn't necessarily address a service organization's influence on a user's financial reporting controls.
D. Service Organization Control 3 (SOC 3): A SOC 3 report is a condensed version of a SOC 1 or SOC 2 report, intended for general purposes. It doesn't delve into the details of the service organization's controls.
No comments:
Post a Comment