SOC Requirements
The service organization, not the service auditor, is responsible for describing the controls and control objectives that are disclosed in the SOC report. There are no fixed rules on which controls a SOC report must include, so the quality of the report depends largely on how appropriate the chosen control objectives and the auditor's testing procedures are. The service auditor may provide guidance and recommendations, but the description remains the service organization's assertion.
A SOC report typically covers the five components of the COSO internal control framework: the control environment, risk assessment, control activities, information and communication, and monitoring activities.
The service auditor typically evaluates and tests the following types of controls: application development, configuration management, change management, telecommunications and network, logical access, physical access, data retention and transmission, application, and input and output processing controls.