IT Examiner School - Oct 2023

Internal Use Only

External Technology Service Provider (TSP) Reports

• FFIEC TSP Reports
  • Public/open section that is available to FI clients
  • Confidential section is available to regulatory agencies
• Service Organization Control (SOC) Reports
  • AICPA standard for reviews of service providers
  • A type of control assessment provided to a service provider’s clients

FFIEC TSP Reports

SOC Reports: SSAE 18, SSAE 16 (2011 ‐ 2016), SAS 70 (pre ‐ 2011)


Service Organization Control (SOC) Reports

• SOC I
  • Focus on internal controls over financial reporting (ICFR)
  • This is the client’s financial reporting
• SOC II
  • Auditor review of internal controls related to:
    • Security, Availability, Processing Integrity, Confidentiality, Privacy
  • Service provider gets to choose the scope of the review
• SOC III
  • Includes a description of the system and the auditor’s opinion
  • Most abstract, does not include the results of testing

Three Levels of Service Organization Control (SOC) Reports:
