2023 IT Examiner School
Service Organization Control (SOC) Reports
Two types of Service Organization Control (SOC) Reports:
• Type I
  o Describes the servicer’s descriptions of controls at a specific point in time
  o Auditor performs no testing of the servicer’s controls; attests to controls based on the servicer’s account of them, with no opinion
• Type II (preferred)
  o Includes information from a Type I Report
  o Detailed testing of the servicer’s controls over a minimum consecutive six-month period
  o Auditor expresses an opinion based on their testing
Audit Reporting/Follow-up
Similar to Safety & Soundness:
o IT Audit reporting channels: what is being reported and to whom
o Senior Management Responses: are they reasonable, and is the corrective timeframe appropriate
o Exception Tracking: show all IT audit findings, both internal and external, and regulatory, along with corrective action(s)