SOC 2 Report or for a First Year SOC 2 Report
The project to transition to the new 2017 TSC is not unlike the first-year effort to prepare for a SOC 2 examination (i.e., a “readiness assessment” or “diagnostic review”). Below is an example transition timeline for a SOC 2 report that covers the annual period of October 1 to September 30.
Service Organisation Controls (SOC) 2 is an internal controls offering that utilises the American Institute of Certified Public Accountants (AICPA) standards to provide an audit opinion on the security, availability, processing integrity, confidentiality and/or privacy of a service organisation’s controls.
IT Vulnerability
The vulnerability of information technology (IT) systems globally has become a major financial liability for companies and institutions that have not been certified as complying with the laws that define adequate protection.
Summary
- Information technology systems are expanding nationally and globally.
- Lack of controls results in financial losses and major lawsuits.
- Standards and guidelines for System Organizational Controls have been adopted.
- Current lawsuits over system intrusions indicate the seriousness of the problem.
Information technology has become the medium by which businesses, institutions and people around the globe communicate. The use of email has increased to the point where the number of transmissions per minute is in the millions, at practically no cost to the senders. The number of letters and the use of postal services have declined to such a degree that the United States Postal Service can no longer afford to operate at prior staffing levels.
Information technology systems handling personal, nonpublic financial data have taken over the exchange of financial data between banks and businesses. Businesses processing credit card information and other financial history of individuals routinely transmit personal data that is not for public release.
Processing communications and financial information has increased business efficiency to a degree that is impossible to calculate. However, this has come at a high cost for many people and businesses globally, because intrusions into systems by unauthorized users lead to unauthorized withdrawals and charges through identity theft.
The extent to which people damaged by the intrusion into an IT system are filing lawsuits, nationally and internationally, against service organizations, financial institutions and businesses indicates that the vulnerability of IT systems remains very high.
This has created the necessity for establishing a standard for Service Organization Controls (SOC), which has led the AICPA to establish the SOC 1, SOC 2, and SOC 3 standards and guidelines for information technology systems.
SOC 1, 2, and 3 Reports overview
Increasingly, businesses outsource basic functions such as data storage and access to applications to cloud service providers (CSPs) and other service organizations. In response, the American Institute of Certified Public Accountants (AICPA) has developed the Service Organization Controls (SOC) framework, a standard for controls that safeguard the confidentiality and privacy of information stored and processed in the cloud. This aligns with the International Standard on Assurance Engagements (ISAE), the reporting standard for international service organizations.
Service audits based on the SOC framework fall into two categories — SOC 1 and SOC 2 — that apply to in-scope Microsoft cloud services.
A SOC 1 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of a CSP's internal controls that affect the financial reports of a customer using the provider's cloud services. The Statement on Standards for Attestation Engagements (SSAE 18) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402) are the standards under which the audit is performed, and they are the basis of the SOC 1 report.
A SOC 2 audit gauges the effectiveness of a CSP's system based on the AICPA Trust Service Principles and Criteria. An Attest Engagement under Attestation Standards (AT) Section 101 is the basis of SOC 2 and SOC 3 reports.
At the conclusion of a SOC 1 or SOC 2 audit, the service auditor renders an opinion in a SOC 1 Type 2 or SOC 2 Type 2 report, which describes the CSP's system and assesses the fairness of the CSP's description of its controls. It also evaluates whether the CSP's controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.
Auditors can also create a SOC 3 report — an abbreviated version of the SOC 2 Type 2 audit report — for users who want assurance about the CSP's controls but don't need a full SOC 2 report. A SOC 3 report can be conferred only if the CSP has an unqualified audit opinion for SOC 2.
Microsoft and SOC 1, 2, and 3 Reports
Microsoft covered cloud services are audited at least annually against the SOC reporting framework by independent third-party auditors. The audit for Microsoft cloud services covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.
Microsoft has achieved SOC 1 Type 2, SOC 2 Type 2, and SOC 3 reports. In general, the availability of SOC 1 and SOC 2 reports is restricted to customers who have signed nondisclosure agreements with Microsoft; the SOC 3 report is publicly available.
Microsoft in-scope cloud services
Covered services for SOC 1 and SOC 2
- Microsoft Cloud App Security
- Microsoft Graph
- Intune
- Microsoft Managed Desktop
- Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- Microsoft Stream
- Azure DevOps Services
Covered services for SOC 3
- Microsoft Cloud App Security
- Microsoft Graph
- Intune
- Microsoft Managed Desktop
- Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI
- Microsoft Stream
Audits, reports, and certificates
Audit cycle
Microsoft cloud services are audited at least annually against SOC 1 (SSAE18, ISAE 3402), SOC 2 (AT Section 101), and SOC 3 standards.
- Azure, Dynamics 365, Microsoft Cloud App Security, Flow, Microsoft Graph, Intune, Power BI, PowerApps, Microsoft Stream, and Microsoft Datacenters
- Office 365
Frequently asked questions
How can I get copies of the SOC reports?
With the reports, your auditors can compare Microsoft business cloud services results with your own legal and regulatory requirements.
- You can see all SOC reports through the Service Trust Platform.
- Azure DevOps Service customers that can't access Service Trust Platform can email Azure DevOps for its SOC 1 and SOC 2 reports. This email is to request Azure DevOps SOC reports only.
How often are Azure SOC reports issued?
SOC reports for Azure, Microsoft Cloud App Security, Flow, Microsoft Graph, Intune, Power BI, PowerApps, Microsoft Stream, and Microsoft Datacenters are based on a rolling 12-month run window (audit period), with new reports issued semi-annually (period ends are March 31 and September 30). Bridge letters are issued each quarter to cover the prior three-month period. For example, the January letter covers 10/1-12/31, the April letter covers 1/1-3/31, the July letter covers 4/1-6/30, and the October letter covers 7/1-9/30. Customers can download the latest reports from the Service Trust Portal.
Do I need to conduct my own audit of Microsoft datacenters?
No. Microsoft shares the independent audit reports and certifications with customers so that they can verify Microsoft compliance with its security commitments.
Can I use Microsoft's compliance in my organization's certification process?
Yes. When you migrate your applications and data to covered Microsoft cloud services, you can build on the audits and certifications that Microsoft holds. The independent reports attest to the effectiveness of controls that Microsoft has implemented to help maintain the security and privacy of your data.
Where do I start with my organization's own compliance effort?
The SOC Toolkit for Service Organizations is a helpful resource for understanding SOC reporting processes and promoting your organization's use of them.
Use Microsoft Compliance Manager to assess your risk
Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.