SOC Short Notes
User access: Obtain the policy and the list of new hires from the Active Directory listing for the reporting period.
TOD (test of design)- Select 1 sample and check whether an access request was raised, with time and date, who the approvers were, what access was granted, and which application it was for.
Privileged access- Admin rights are in line with the role and responsibilities.
Access Reviews:
Password management: Policy, complexity, frequency (rotation), blacklisted passwords, MFA or two-factor authentication as an additional layer of security.
Change management: Initiation- raising a ticket, authorized; Planning- resource planning; Development; Testing; approval by the change advisory board (CAB); Deployment (implementation); Post-implementation review.
Types: Standard (low risk, more frequent, pre-approved and tested), Normal (normal process), Emergency (high risk, resolved immediately).
Testing procedures: CM (change management) policy; the list of changes made during the reporting period is matched from the ticketing tool to production.
Segregation of duties.
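The change management testing procedure (matching changes in the reporting period from the ticketing tool to production) and the segregation-of-duties point can be checked together from two exports. This is an added example, not part of these notes or of any ticketing tool: it walks a production deployment log, looks each deployment up in the change tickets, and applies the expectation for each change type from the notes (standard: pre-approved and tested; normal: CAB approval dated before deployment; emergency: approval still recorded, assumed to be allowed after the fact). It also flags changes where the developer deployed their own change. All records and field names are constructed.

```python
"""Added example: reconciling production deployments to change tickets.
Inputs are constructed; field names are assumptions, not a real tool schema."""
from datetime import date

PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 6, 30)

# Constructed ticketing-tool export, keyed by ticket id.
CHANGE_TICKETS = {
    "CHG-1": {"type": "standard", "cab_approved": None, "pre_approved": True,
              "tested": True, "developer": "dev1", "deployer": "ops1"},
    "CHG-2": {"type": "normal", "cab_approved": date(2024, 2, 9), "pre_approved": False,
              "tested": True, "developer": "dev2", "deployer": "ops1"},
    "CHG-3": {"type": "normal", "cab_approved": None, "pre_approved": False,
              "tested": True, "developer": "dev1", "deployer": "ops2"},
    "CHG-4": {"type": "emergency", "cab_approved": date(2024, 3, 21), "pre_approved": False,
              "tested": False, "developer": "dev3", "deployer": "dev3"},
}

# Constructed production deployment log (what actually reached production).
DEPLOYMENTS = [
    {"ticket": "CHG-1", "deployed": date(2024, 1, 15)},
    {"ticket": "CHG-2", "deployed": date(2024, 2, 12)},
    {"ticket": "CHG-3", "deployed": date(2024, 3, 3)},
    {"ticket": "CHG-4", "deployed": date(2024, 3, 20)},
    {"ticket": None, "deployed": date(2024, 4, 8)},  # deployment with no ticket reference
]


def reconcile(tickets=CHANGE_TICKETS, deployments=DEPLOYMENTS,
              start=PERIOD_START, end=PERIOD_END):
    """Return (ticket id, finding) pairs for deployments in the period that fail the control."""
    findings = []
    for d in deployments:
        if not (start <= d["deployed"] <= end):
            continue  # outside the reporting period, not in the population
        t = tickets.get(d["ticket"]) if d["ticket"] else None
        if t is None:
            findings.append((d["ticket"], "deployment with no matching change ticket"))
            continue
        if t["type"] == "standard":
            # Standard changes rely on being pre-approved and tested instead of CAB review.
            if not (t["pre_approved"] and t["tested"]):
                findings.append((d["ticket"], "standard change not pre-approved and tested"))
        elif t["type"] == "normal":
            if t["cab_approved"] is None:
                findings.append((d["ticket"], "normal change deployed without CAB approval"))
            elif t["cab_approved"] > d["deployed"]:
                findings.append((d["ticket"], "CAB approval dated after deployment"))
            if not t["tested"]:
                findings.append((d["ticket"], "normal change deployed without testing"))
        elif t["type"] == "emergency":
            # Assumption: emergency changes may go first, but approval must still be recorded.
            if t["cab_approved"] is None:
                findings.append((d["ticket"], "emergency change with no recorded approval"))
        else:
            findings.append((d["ticket"], f"unknown change type {t['type']!r}"))
        # Segregation of duties: the developer should not be the one deploying.
        if t["developer"] == t["deployer"]:
            findings.append((d["ticket"], "segregation of duties: developer deployed own change"))
    return findings


if __name__ == "__main__":
    for ticket, finding in reconcile():
        print(ticket, "-", finding)
```

On the constructed data CHG-1 and CHG-2 reconcile cleanly, CHG-3 reached production with no CAB approval, CHG-4 was approved after the fact as an emergency but was deployed by its own developer, and one deployment cannot be tied to any ticket. A full test would also run the opposite direction (tickets marked as implemented that never appear in the deployment log), which needs a status field the constructed export does not carry.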
Incident management: Plan to resolve reported incidents so as to reduce the risk of loss and reputational damage.
Testing procedure: Identifying; Reporting- raising a ticket; validating the event; capturing or logging information; investigation or root cause analysis; communication; resolution; review; lessons learned documented.
Audit: Obtain the policy, inspect the policy, check that an effective incident response plan is in place, and that the document has been reviewed and approved by senior management.
Backup plan: Important for the disaster recovery plan; policy and process documents; frequency, life cycle and types of backup; verify that alarms are created for backup failures.
If a backup fails, check the management actions taken to resolve the issue; verify that admin rights to change the backup configuration are restricted to IT personnel.
SOC Reporting:
Types of reporting: SOC 1- used by a service organization for internal control over financial reporting.
SOC 2- Addresses controls relevant to operations and compliance as outlined by the Trust Services Criteria (TSC). Generally covers a period of 6 to 12 months.
Confidentiality
Bridge letter: Gap letter between the reporting period end date and the organization's fiscal year end date. Implies that there have been no significant changes impacting the conclusion. Signed by the organization itself and provided directly to the customer. The CPA firm does not attest to anything, as it has not performed any additional procedures.
SOC 3- Reports whether the entity has effective controls with respect to the TSC. Used in a B2C environment. Can be shared without an NDA and displayed on a website.