Compass IT Compliance Blog

IT Audit: Because you know I'm all about that Scope, 'bout that scope.

The term IT Audit is so often used and misused by IT and business professionals in all industries.

According to Wikipedia, IT Audit is defined as, “an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.”

Ok, that's not bad, but it is also incomplete. It doesn't speak to the People and Process parts of the picture, only the Technology.

SSAE 16 SOC 2 Report: The 5 Trust Principles

Over the past several weeks, we have been digging into the SSAE 16 SOC 2 reports. We have looked at what a SOC 2 report is, the differences between a Type I and Type II report, and why the Section III is so important. This week we are going to look at what are called the 5 Trust Service Principles. These are very specific to the SSAE 16 SOC 2 report and are critical when going through the entire process.

AT 101 SOC 2 Report: What is a Section III?

In the last couple of posts, we talked about how an AT 101 SOC 2 report differs from a SOC 1 and SOC 3 report and also what the differences are between a SOC 2 Type I and Type II report. In this post, we are going to continue dissecting the different terminology and components of the AT 101 SOC 2 report so we can gain a little more understanding about this service and what these terms mean. Today, we will focus on what is referred to as the Section III.

SSAE 16 SOC 2: Differences Between Type I and Type II Reports

One of the challenges that we have when it comes to consulting with our clients on SSAE 16 is the confusion that comes with the different reports and types of reports. In last week's blog post, we outlined what the key differences are between a SOC 1, SOC 2, and a SOC 3 report. This week, we are going to focus specifically on the SSAE 16 SOC 2 reports and discuss what the differences are between a Type I and a Type II report. Before we dig into the differences, let me quickly summarize what we are going to cover in this post as a follow-up to last week's post.

SSAE 16 SOC 2 Reports: How Are They Different From Other SOC Reports?

Fact: More and more organizations are outsourcing business functions to third-party providers so they can concentrate on their core business functions, reduce headcount, and ultimately save money. A great example of this is what is called Business Process Outsourcing (BPO), where companies outsource specific business functions to a third-party provider. Some common examples of these processes include: