In today's interconnected business environment, understanding the role of subservice organizations in SOC (System and Organization Controls) reports is paramount.
Subservice organizations are third-party entities utilized by service organizations to perform key functions, and they need to be reviewed to ensure comprehensive risk management and regulatory compliance.
Through a detailed examination of the roles and responsibilities of subservice organizations and their impact on SOC reports, organizations can enhance their ability to effectively manage risk and uphold the integrity of their assurance processes.
This article discusses the importance of subservice organizations in SOC reports, explores how to identify a subservice organization, and explains what this means for your SOC report.
What is a subservice organization?
The 2022 AICPA SOC 2 Guide defines a subservice organization as a “vendor used by a service organization that performs controls that are necessary, in combination with the service organization’s controls, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved”.
Elaborating on the AICPA’s definition of a subservice organization, a vendor is a subservice organization if the following conditions are met:
- You need the vendor’s controls to achieve service commitments and meet system requirements for SOC 1 objectives or SOC 2 criteria.
- It is necessary to describe the vendor’s services for customers to understand your core system and how it relates to the applicable Trust Services Criteria.
- A contract is in place with the vendor that stipulates the vendor’s obligations to execute certain controls to address risks related to their service.
When adding a subservice organization to the report, all complementary subservice organization controls (CSOCs) and the complementary user entity controls (CUECs) for each user entity must be evaluated to be in alignment with the operating effectiveness of the service organization’s controls.
One of the most typical scenarios for adding a subservice organization is cloud-based hosting services. Amazon Web Services (AWS), Azure, and the Google Cloud Platform (GCP) are typical service providers for this specific type of service.
One of the CSOCs for a subservice organization such as AWS, Azure, or GCP providing cloud-based hosting services would be providing physical and environmental security over the production servers being used.
Choosing the inclusive or carve-out reporting method
When a service organization chooses to add a subservice organization to its SOC report, it can choose to use either the inclusive or the carve-out method to present the subservice organization.
When using the inclusive method, the auditor will audit the subservice organization for the controls that the service organization relies on it for.
When choosing this method, it’s important to consider whether the subservice organization is willing to allow the auditor to test the controls within its environment.
When using the carve-out method, the auditor does not audit the subservice organization for the controls that the service organization relies on it for. When choosing this method, it’s important to consider whether the subservice organization receives a SOC report or another certification that will allow you to monitor its control environment.
Monitoring subservice organizations
When choosing to rely on controls being performed by a subservice organization, it is important to consistently review control reports (e.g., SOC reports) as they become available.
When reviewing a subservice organization’s SOC report, check to see whether the subservice organization received a clean opinion or whether there were any exceptions on controls that could have an impact on the service you are providing to your clients.
If the subservice organization does not have a SOC report, it’s important to find an alternate approach to monitor the controls that are being relied on. This could mean requesting vendor questionnaires or even setting up recurring meetings with the subservice organization for monitoring.
Preparing for your next SOC audit
It is important to note that whether you use the inclusive or carve-out reporting method, you must disclose any use of services provided by a subservice organization in your audit report.
For your next SOC audit, do you need to decide whether to have an inclusive or carve-out report to represent your subservice organization?
After considering the advantages and disadvantages of both methods, you can now make an informed decision about what is best for you and your clients.
If you need help identifying subservice organizations, have questions about audit reporting methods, or have any other SOC questions, please feel free to contact our team directly at contactsd@raymond-illinois.com.
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and to advise on opportunities to ensure minimal disruption to your business.
Explore our full Risk Advisory Services offerings or contact the team at contactsd@raymond-illinois.com