Hi everyone, my name is Sachin Isarya, and in this video we will be discussing SOC. Okay, so we will be discussing what SOC is, the types of SOC, the types of SOC report and some key terms used in SOC, and I will also show you the SOC report template as well. So without wasting much time, let's start the video.

Okay, so our first topic is what is SOC. Okay, so the full form of SOC is System and Organization Controls. Earlier it was known as Service Organization Control, but now it is known as System and Organization Controls. Now let me give you one example of why SOC is required. Okay, so for example, there is one company, Sachin Isarya and Company. Now what does this company do? This company provides the service of data center hosting. Okay, so Sachin Isarya and Company provides services related to data center hosting. Now Sachin Isarya and Company has many clients, for example they have 100 plus clients who host their data in the Sachin Isarya and Company data center. Okay, now one of the clients is TCS. Now TCS also hosts their data center with Sachin Isarya and Company. Now what will happen? Suppose TCS is doing their IT audit. Now their IT auditor may require to know whether the controls implemented by Sachin Isarya and Company are working properly or not. So what will they do? They will say, I want to audit your company. Okay, TCS's auditor will go to Sachin Isarya and Company and ask to perform the audit. Now likewise there are many clients, so it is not feasible for Sachin Isarya and Company to accommodate all the auditors, because TCS is only one of the clients. Likewise there are many other clients who are utilizing the services of Sachin Isarya and Company, and their auditors also want an assurance that Sachin Isarya and Company has put in place proper controls to protect the data of their clients. So in this case what will Sachin Isarya and Company do? They will appoint an independent auditor. Okay, so they themselves will appoint an independent auditor, that auditor will verify the controls and give the report. Okay, so that report is known as a SOC report. Okay, so this is the scenario where SOC comes into the picture.

Now let's see the same scene with the technical terms. So there is a service organization. What will the service organization do? The service organization will demonstrate the design and operating effectiveness of internal controls to existing customers. Okay, so the service organization will obtain an independent assessment of its internal controls framework. So the service organization will appoint a service auditor, and this service auditor will give the SOC report. Okay, now there is a user entity. Who is a user entity? User entities are the end customers. Okay, so the SOC report provides an assurance of consistent performance of controls, and it provides an assurance of controls relating to security, confidentiality, availability, privacy and processing integrity. Okay, now all these five are the trust services criteria. Okay, so this we will be discussing after some concepts. Okay, so as of now just understand, guys, okay, this is the use of a SOC report: the service organization will appoint an independent auditor, and that independent auditor will examine the controls and then they will give a SOC report. This SOC report will be used by the user entity. Now in this case who is the service organization? The service organization is Sachin Isarya and Company. Okay, and who is the user entity? TCS, who is using the services of Sachin Isarya and Company, they are the user entity. Okay, so they will exchange a SOC report, and this is the scenario where SOC comes into the picture. Now who is the regulator of this entire System and Organization Controls audit? AICPA, which is the American Institute of Certified Public Accountants, they are the regulator. So this audit is conducted based on SSAE 18 and ISA 3401. Okay, so yeah, this is about SOC.

Okay, now we will be discussing the different types of SOC. So there is SOC 1. What is the use of SOC 1? So the SOC 1 report is used for internal control over financial statements and reporting. Okay, so the SOC 1 report is related to controls over financial statements and reporting. So suppose any organization is providing services which can impact the client's financial statements, then they conduct a SOC 1 audit. Okay, now the SOC 2 audit. So the SOC 2 audit is for internal controls for security, confidentiality, availability, privacy and processing integrity. So all these are again the trust services criteria, so the SOC 2 report is conducted on the basis of the trust services criteria. Okay, so this is a SOC 2 report, where you verify the internal controls for security, confidentiality, availability, privacy and processing integrity. Okay, now SOC 3. What is SOC 3? The SOC 3 report is a tailored version of the SOC 2 report. So these SOC 3 reports are publicly available; you can go on Google, you can search for any SOC 3 report, it's publicly available. Okay, and SOC 3 is another important thing: this is a certification. SOC 1 and SOC 2 are reports and SOC 3 is a certification, and the SOC 1 and SOC 2 reports are confidential and are shared only when you have signed the non-disclosure agreement with the company, and SOC 3 reports are publicly available. For example, suppose you want to see the SOC 3 report of Amazon, so you just type it on Google, okay, and yeah, you can read this SOC 3 report, it's a publicly available document, you can check for any company. Okay, so this is SOC 3. Okay, now there is one more report which is called SOC 2 plus. Okay, so this report is also very similar to SOC 2; the only difference is that in SOC 2 there are the trust services criteria, but apart from the trust services criteria we will also map the controls with a specific compliance and regulatory framework like ISO, PCI DSS and NIST and all. So this is called the SOC 2 plus report, okay, when you map the controls with the trust services criteria as well as some other compliance and regulatory framework. Okay, so when we will be discussing the SOC report template, at that time I will give you more clarity on this. Okay, as of now you might not be understanding what this trust services criteria is. Okay, so this we will be discussing very much in detail in our upcoming slides. Okay, so as of now you can understand that the SOC 2 report is basically used when some organization stores, processes or transmits any kind of customer data. Okay, so for that the SOC 2 report is used.

Okay, now in SOC there are different types of SOC reports. So basically there is a type 1 report and there is a type 2 report. What is a type 1 report? So the type 1 report is a point-in-time report. Okay, it is an as-on-date report. Okay, for example, suppose you are conducting the audit as on 31st December 2021, so this report will give you an assurance as on that date only. Okay, it is a type 1 report, and in this report we only check the design of controls. Okay, so basically there are two things: one is the test of design and another is the test of effectiveness. So basically in the type 1 report we only check the test of design, okay, we don't check the test of effectiveness of controls. I will give you one example of this. For example, suppose you are verifying the change management process of the company. Now to verify this change management process, first you will obtain the policy and procedure of the company. In the policy and procedure you will check whether controls are mentioned or not. So whatever activity you are doing currently, it is called the test of design, where you are verifying whether controls are appropriately put in place or not; it is the test of design. Now TOE is where you will actually check whether whatever is mentioned in the policy and procedures is actually implemented or not, so that you will verify in the test of effectiveness. Okay, so in the type 1 report we only check the design, okay, not the operating effectiveness, whereas the type 2 reports are conducted for one period. For example, suppose you have conducted the audit from 1st January to 31st December, so this is a period report; it is not an as-on-date report. So the SOC type 2 report is a period report, and in this report you will check the design, you will check the implementation and operating effectiveness as well. So that is why the SOC type 2 report is more comprehensive and it requires more effort. Okay, so yeah, this is the difference between the type 1 and type 2 report. Okay, now SOC 1 and SOC 2 can be type 1 or type 2. Okay, so in the previous slide we have discussed SOC 1 and SOC 2, so SOC 1 can be SOC 1 type 1 and SOC 1 can also be SOC 1 type 2; similarly SOC 2 type 1 and SOC 2 type 2. Okay, but SOC 3 is always a type 2 report. Okay, so SOC 3 is always type 2; SOC 3 cannot be type 1. Okay, so this is about the types of report.

Okay, now the next slide. Now we will be discussing some of the key terms which are used in the SOC report. The first term is CUEC. What is the full form of CUEC? It is complementary user entity controls. Okay, so guys, whenever you refer to any SOC report, in the SOC report you will find one section on CUEC. So this CUEC section will highlight the controls which need to be present at the user organization in order for them to properly use the services. Now let's go back to our example. For example, in our case Sachin Isarya and Company is providing some services to TCS. So who is the service entity? Sachin Isarya and Company is the service organization, and what is TCS? TCS is the user organization. Now in order to provide the services there are some controls which need to be implemented at the TCS level. Okay, there are some controls which TCS needs to implement in their organization, so those controls are known as CUEC. Okay, so basically in the SOC report the auditor will highlight those controls which need to be implemented by the user entity. Okay, so the auditor will mention the list of controls. I can give you an example of this as well. For example, suppose you have outsourced your change management process to some third party. Okay, now that third party is your service organization. Now in the change management process suppose the approval part is with the user entity, okay, and then the UAT is also conducted by the user organization. So all these are examples of CUEC, okay, complementary user entity controls. So in the SOC report there is a separate section where the auditor will highlight what are the controls which are owned by the user entity.

Okay, now there is another terminology, which is CSOC: subservice organization monitoring and complementary subservice organization controls. Now for this first we need to understand what is a subservice organization. So let's go back to our example again. For example, in order to provide the services, suppose Sachin Isarya and Company is also using some vendor services. Okay, in order to provide the services, suppose Sachin Isarya and Company is also taking services from a vendor, so that vendor is known as a subservice organization. Okay, so in the SOC report you will mention what are the subservice organizations, okay, what are the controls which are handled by a subservice organization. Let's read the same: organizations may work with third parties to maintain their environment and provide their products or services to customers; the third party is considered a subservice organization. Okay, so you could also think of a subservice organization as an entity to which the service organization outsources some of their operations. For example, suppose I am providing services related to data center hosting. Now to provide the services of data center hosting, suppose I have outsourced my physical and environmental controls to some vendor; they will look after those controls, so those vendors are my subservice organization. Okay, so basically in the SOC report we need to mention what are the controls which are handled by a subservice organization.

And in your SOC report there are two ways of reporting the controls related to a subservice organization. So one is the carve-in approach and the second is the carve-out approach. So basically in carve-in, what you will do: whatever control activities are performed by the subservice organization, you will also validate the same, so that will be included in the scope of your report. Okay, so you need to validate those controls as well; it is called the carve-in approach. In the carve-out approach, the control activities performed by subservice organizations are excluded from the scope of the audit, so we will not perform testing on the same; so that is the carve-out approach. So when you see the SOC report, in the SOC report they will clearly mention whether it is carve-in or whether it is carve-out. Okay, and this carve-in approach is also known as the inclusive audit method. Okay, so it is called CSOC.

Okay, now in SOC there is another terminology which is called a bridge letter. Now what is a bridge letter? For example, in the previous slide we have discussed that SOC generally covers a period of 6 to 12 months. Okay, now sometimes what will happen is that your SOC report period may not align with the user entity's calendar or fiscal year. Okay, for example, suppose you have conducted a SOC audit for the period of October to September 2021, okay, and your customer follows this financial year, suppose they are following Jan 22 to December 21. Okay, now suppose you provide that SOC report to the customer. What will the customer say? That your report is only covering the nine-month period; it is not covering the last three months, which is October to December. So there is a gap. So basically what the service organization will do is they will issue one bridge letter. Okay, in the bridge letter they will say that there is no change in the controls, and this bridge letter will fill the gap between the date of the report versus the customer's fiscal year end. Okay, so I will show you the template of this bridge letter. Okay, let me open the bridge letter template for you. So this is a bridge letter; this is given on the company's letterhead. For example, Sachin Isarya and Company is giving this bridge letter to TCS. Okay, so they will print this bridge letter on the letterhead. Okay, so you can see they will mention that our audit period was this, okay, and as on this date also Sachin Isarya and Company is not aware of any material changes in our relevant control environment as described in the SOC report. So basically they are saying whatever audit was conducted in this period is also valid till this date. Okay, so this bridge letter is issued for this purpose. Now whatever was the gap, for this gap they can take this bridge letter into consideration. Okay, so this is a bridge letter.

Now to summarize all of SOC, I would say that control validation at the service organization level is not enough. Okay, for example, in our case, if you validate the controls at the service organization, which is Sachin Isarya and Company, this control validation is not enough to give the complete assurance. You need to validate the controls which are done by the subservice organization, and you need to also validate the controls which are handled by the user entity. So once you validate all these controls, then only you can say that yes, this particular area is providing a complete assurance. Okay, so basically in the SOC report you will find all these things. Okay, so yeah, that is all about SOC.

Now the SOC report template. So basically the SOC report is divided into four sections; whenever you see any SOC report you will find these four sections. So section 1 will talk about the independent service auditor's report, section 2 will talk about the management assertion provided by the service organization, section 3 will talk about the system description, and section 4 will talk about the information provided by the service auditor. This is very important, okay, this is very important.

Now in the next video what I will be doing: I will be sharing with you this SOC report template in the same manner that I have shown you the bridge letter. Okay, so we will be discussing each section, we will be discussing what is included in each section, okay, and also one more important concept, which is the trust services criteria. Okay, like for example here you have seen some trust services criteria; there are five trust services criteria: security, confidentiality, availability, privacy and processing integrity. This is very important in SOC, so we will be discussing how these trust services criteria are verified in the SOC report. Okay, so all these things we will be discussing in our upcoming video. For this video, that is all. Okay, so if you require any clarification regarding this video, please let me know in the comment section, okay, and if you like the video, please share it with your other friends as well. So that is all for today's video, guys, we'll see you in the next video, till then bye bye and take care.
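The bridge-letter gap described in the video is something a user entity's vendor-risk reviewer usually works out by hand: where does the SOC report period stop covering my fiscal year, and how many days does a bridge letter have to cover? The following is an added worked example in Python, not code from the video or its author. It takes the video's scenario (a report covering October to September 2021 against a customer on a January to December year) and computes the leading and trailing uncovered ranges. The `max_bridge_days` threshold and the rule that a bridge letter only extends coverage forward from the report's end date are assumptions of this example, stated in the comments, not rules from the video.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example (not from the video): check how much of a user entity's
# fiscal year a SOC report period leaves uncovered, i.e. the gap a bridge
# letter would need to cover. All periods are inclusive on both ends.


@dataclass(frozen=True)
class Period:
    start: date
    end: date  # inclusive

    def __post_init__(self):
        if self.end < self.start:
            raise ValueError("period end precedes start")

    def days(self) -> int:
        return (self.end - self.start).days + 1


def uncovered_ranges(report: Period, fiscal_year: Period) -> list:
    """Parts of the fiscal year that the SOC report period does not cover.

    Returns at most two Periods: a leading gap (fiscal year starts before the
    report period) and a trailing gap (fiscal year ends after it). A report
    that lies entirely outside the fiscal year yields the whole year as a gap.
    """
    gaps = []
    if fiscal_year.start < report.start:
        gaps.append(Period(fiscal_year.start,
                           min(report.start - timedelta(days=1), fiscal_year.end)))
    if fiscal_year.end > report.end:
        gaps.append(Period(max(report.end + timedelta(days=1), fiscal_year.start),
                           fiscal_year.end))
    return gaps


def bridge_letter_assessment(report: Period, fiscal_year: Period,
                             max_bridge_days: int = 180) -> dict:
    """Summarise the coverage gap from the user entity's point of view.

    Assumptions of this example (not stated in the video): a bridge letter
    only extends coverage forward from the report's end date, so only the
    trailing gap is bridgeable; a leading gap would have to be covered by the
    prior period's report. max_bridge_days is an assumed review threshold
    (a reviewer's policy choice) beyond which a fresh report is requested.
    """
    leading = trailing = 0
    for gap in uncovered_ranges(report, fiscal_year):
        if gap.end < report.start:
            leading = gap.days()
        else:
            trailing = gap.days()
    return {
        "leading_gap_days": leading,
        "trailing_gap_days": trailing,
        "bridge_letter_needed": trailing > 0,
        "bridge_gap_exceeds_threshold": trailing > max_bridge_days,
    }


def assess_iso(report_start: str, report_end: str,
               fy_start: str, fy_end: str, max_bridge_days: int = 180) -> dict:
    """Convenience wrapper taking ISO 8601 date strings (YYYY-MM-DD)."""
    report = Period(date.fromisoformat(report_start), date.fromisoformat(report_end))
    fiscal_year = Period(date.fromisoformat(fy_start), date.fromisoformat(fy_end))
    return bridge_letter_assessment(report, fiscal_year, max_bridge_days)


if __name__ == "__main__":
    # Constructed dates following the video's scenario: a report period of
    # October 2020 to September 2021, customer on a calendar fiscal year 2021.
    print(assess_iso("2020-10-01", "2021-09-30", "2021-01-01", "2021-12-31"))
    # A report that ended in June leaves a trailing gap longer than the
    # assumed threshold, so the reviewer would ask for a new report instead.
    print(assess_iso("2020-07-01", "2021-06-30", "2021-01-01", "2021-12-31"))
```

For the video's scenario the trailing gap is the 92 days from 1 October to 31 December 2021, which is exactly what the bridge letter in the video is asked to cover; the second call shows the failure mode where the gap is too long for a reviewer to accept a letter in place of a report.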