IT Examiner School eBook May 2025

Internal Use Only

External Technology Service Provider (TSP) Reports

• FFIEC TSP Reports
  • Public/open section that is available to FI clients
  • Confidential section is available to regulatory agencies
• Service Organization Control (SOC) Reports
  • AICPA standard for reviews of service providers
  • A type of control assessment provided to a service provider’s clients

FFIEC TSP Reports

SOC Reports SSAE 18

Service Organization Control (SOC) Reports

Three Levels of Service Organization Control (SOC) Reports:

• SOC I
  • Focus on internal controls over financial reporting (ICFR)
• SOC II
  • Review of internal controls related to:
    • Security, Availability, Processing Integrity, Confidentiality, Privacy
  • Review of specific controls based on service or product. Not environment wide. These are for different users, not audit.
• SOC III
  • Includes a description of the system and the auditor’s opinion. Like SOC II, but excludes disclosure/notes
• Other SOC Reports: for Supply Chain and Cybersecurity
