SOC POFs


SOC: Service Organization Controls / System and Organization Controls
Who can prepare/issue: CPA
Who regulates or governs: AICPA
Objective: To give assurance about the effectiveness of internal control, based on the service commitments made to the user organizations or customers.
Mandatory?: It is not a regulatory requirement, but it can be mandated by the customers or user organizations.
Types of SOC reports:
  SOC 1: Type I & Type II
  SOC 2: Type I, Type II, Type II plus reports
  SOC 3
  SOC for Cybersecurity
  SOC for Supply Management

SOC 1: Internal control related to financial reporting. Typical service organizations: payroll organizations, loan processing services, banking services, investment services, mortgage services, etc.
SOC 2: Controls related to the five Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity and Privacy. Typical service organizations: BPO organizations, cloud service providers, data hosting and Software as a Service providers, etc.
SOC 3: The SOC 2 report is issued in the SOC 3 format, which excludes the sensitive information in the final SOC report (the description of the service organization's system and the controls tested), so that it can be used for marketing purposes or shared with the general public.

Assessment type and period:
  Type I: Period: 3 months. Assessment type: design of the controls. Point in time.
  Type II: Period: 6 months to 1 year. Assessment type: design and operating effectiveness. Over a period of time.

Can we issue multiple SOC reports for the same company? Yes, if the company has multiple systems.
Trust Services Categories and Criteria:
  Security (Common Criteria):
    CC1 — Control Environment
    CC2 — Communication and Information
    CC3 — Risk Assessment
    CC4 — Monitoring Controls
    CC5 — Control Activities
    CC6 — Logical and Physical Access Controls
    CC7 — System Operations
    CC8 — Change Management
    CC9 — Risk Mitigation
  (CC1 to CC5 incorporate the 17 COSO principles.)
  Additional criteria:
    Availability (A)
    Processing Integrity (PI)
    Confidentiality (C)
    Privacy (P)

Report contents:
  SOC 1 & SOC 2:
    1. Independent Service Auditor's Report
    2. Management's Assertion (assertions of service organization management)
    3. Description of the service organization's system
    4. Controls and testing matrix
    5. Criteria / control description
  SOC 3:
    1. Management's Assertion (assertions of service organization management)
    2. Independent Service Auditor's Report
    3. Criteria description

CC1 CONTROL ENVIRONMENT
CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
CC1.2 COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
CC1.4 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
CC1.5 COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

CC2 COMMUNICATION AND INFORMATION
CC2.1 COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
CC2.2 COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

CC3 RISK ASSESSMENT
CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to
CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
CC3.3 COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
CC3.4 COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.

CC4 MONITORING CONTROLS
CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are pre
CC4.2 COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

CC5 CONTROL ACTIVITIES
CC5.1 COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
CC5.2 COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objec
CC5.3 COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

CC6 LOGICAL AND PHYSICAL ACCESS CONTROLS
CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.
CC6.4 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives.
CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives.
CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.

CC7 SYSTEM OPERATIONS
CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
CC7.4 The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.
CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents.

CC8 CHANGE MANAGEMENT
CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

CC9 RISK MITIGATION
CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.
2017 Audit Requirement: AICPA Defined Risk Wording

1. Personnel do not adhere to the code of conduct.
2. Candidate has a background considered to be unacceptable by management of the entity.

1. Conflicts of interest arise due to lack of independence between management and the board.
2. Poorly designed or non-operational internal controls exist due to lack of board oversight.

1. The entity's organizational structure does not provide the necessary information flow to manage security activities.
2. The roles and responsibilities of key managers are not sufficiently defined to permit proper oversight, management, and monitoring of security activities.
3. Reporting relationships and organization structures do not permit effective senior management oversight of security activities.
4. Personnel have not been assigned responsibility or have been delegated insufficient authority to meet security commitments and system requirements.
5. Responsibility and accountability for privacy and data protection are not assigned to personnel with sufficient authority within the entity to manage risk and compliance.

1. Newly hired or transferred personnel do not have sufficient knowledge and experience to perform their responsibilities.
2. Personnel do not have periodic training to perform their responsibilities.
3. Technical tools and knowledge resources are insufficient to perform assigned tasks.

1. Personnel have not been assigned responsibility or have been delegated insufficient authority to meet security commitments and requirements.

1. The system fails to function as designed because the information required and expected to support the functioning of the other components of internal control and the achievement of the entity's objectives is not identified.
2. The system fails to function as designed due to data failing to be processed or transformed into relevant information.
3. Data inputs do not produce useful or correct outputs of information.
2022 AICPA Points of Focus (not an audit requirement; guidelines for assessing risk, appropriate controls and recommendations)

• Sets the Tone at the Top — The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
• Establishes Standards of Conduct — The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
• Evaluates Adherence to Standards of Conduct — Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
• Addresses Deviations in a Timely Manner — Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
• Considers Contractors and Vendor Employees in Demonstrating Its Commitment — Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.
• Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
• Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
• Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.
• Supplements Board Expertise — The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.
• Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
• Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
• Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization.
• Addresses Specific Requirements When Defining Authorities and Responsibilities — Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities.
• Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities.
• Establishes Policies and Practices — Policies and practices reflect expectations of competence necessary to support the achievement of objectives.
• Evaluates Competence and Addresses Shortcomings — The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings.
• Attracts, Develops, and Retains Individuals — The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives.
• Plans and Prepares for Succession — Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.
• Considers the Background of Individuals — The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals.
• Considers the Technical Competency of Individuals — The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals.
• Provides Training to Maintain Technical Competencies — The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained.
• Enforces Accountability Through Structures, Authorities, and Responsibilities — Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary.
• Establishes Performance Measures, Incentives, and Rewards — Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives.
• Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance — Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.
• Considers Excessive Pressures — Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
• Evaluates Performance and Rewards or Disciplines Individuals — Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate.
• Takes Disciplinary Actions — A sanctions process is defined, and applied as needed, when an employee violates the entity’s privacy policies or when an employee’s negligent behavior causes a privacy incident.
• Identifies Information Requirements — A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives.
• Captures Internal and External Sources of Data — Information systems capture internal and external sources of data.
• Processes Relevant Data Into Information — Information systems process and transform relevant data into information.
• Maintains Quality Throughout Processing — Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.
• Documents Data Flow — The entity documents and uses internal and external information and data flows to support the design and operation of controls.
• Manages Assets — The entity identifies, documents, and maintains records of system components such as infrastructure, software, and other information assets. Information assets include physical endpoint devices and systems, virtual systems, data and data flows, external information systems, and organizational roles.
• Classifies Information — The entity classifies information by its relevant characteristics (for example, personally identifiable information, confidential customer information, and intellectual property) to support identification of threats to the information and the design and operation of controls.
• Uses Information That Is Complete and Accurate — The entity uses information and reports that are complete, accurate, current, and valid in the operation of controls.
• Manages the Location of Assets — The entity identifies, documents, and maintains records of physical location and custody of information assets, particularly for those stored outside the physical security control of the entity (for example, software and data stored on vendor devices or employee mobile phones under a bring-your-own-device policy).
• Communicates Internal Control Information — A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities.
• Communicates With the Board of Directors — Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives.
• Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
• Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the information.
• Communicates Responsibilities — Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities.
• Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters — Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints.
• Communicates Objectives and Changes to Objectives — The entity communicates its objectives and changes to those objectives to personnel in a timely manner.
• Communicates Information to Improve Security Knowledge and Awareness — The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program.
• Communicates Information to Improve Privacy Knowledge and Awareness — The entity communicates information to improve privacy knowledge and awareness and to model appropriate behaviors to personnel through a privacy awareness training program.
• Communicates Incident Reporting Methods — The entity has communicated to employees and others within the entity the process used to report a suspected privacy incident.
• Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel to enable them to understand their role in the system and the results of system operation.
• Communicates System Objectives — The entity communicates its objectives to personnel to enable them to carry out their responsibilities.
• Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties.
• Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
• Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
• Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
• Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.
• Communicates Objectives Related to Confidentiality and Changes to Those Objectives — The entity communicates, to external users, vendors, business partners, and others whose products or services, or both, are part of the system, the entity’s objectives related to confidentiality and the protection of confidential information, as well as changes to those objectives.
• Communicates Objectives Related to Privacy and Changes to Those Objectives — The entity communicates, to external users, vendors, business partners, and others whose products or services, or both, are part of the system, the entity’s objectives related to privacy and the protection of personal information, as well as changes to those objectives.
• Communicates Incident Reporting Methods — The entity communicates to user entities, third parties, data subjects, and others the process used to report a suspected privacy incident.
• Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation.
• Communicates System Objectives — The entity communicates its system objectives to appropriate external users.
• Communicates System Responsibilities — External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive information about such responsibilities and have the information
• Reflects Management's Choices — Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity.
• Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives.
• Includes Operations and Financial Performance Goals — The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
• Forms a Basis for Committing of Resources — Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.
• Complies With Applicable Accounting Standards — Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
• Considers Materiality — Management considers materiality in financial statement presentation.
• Reflects Entity Activities — External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.
• Complies With Externally Established Frameworks — Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations.
• Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting.
• Reflects Entity Activities — External reporting reflects the underlying transactions and events within a range of acceptable limits.
• Reflects Management's Choices — Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity.
• Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.
• Reflects Entity Activities — Internal reporting reflects the underlying transactions and events within a range of acceptable limits.
• Reflects External Laws and Regulations — Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives.
• Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives.
• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
• Analyzes Internal and External Factors — Risk identification considers both internal and external factors and their impact on the achievement of objectives.
• Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
• Estimates Significance of Risks Identified — Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
• Determines How to Respond to Risks — Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
• Identifies Threats to Objectives — The entity identifies threats to the achievement of its objectives from intentional (including malicious) and unintentional acts and environmental events.
• Identifies Vulnerability of System Components — The entity identifies the vulnerabilities of system components, including system processes, infrastructure, software, and other information assets.
• Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and other third parties with access to the entity's information systems.
• Assesses the Significance of the Risks — The entity assesses the significance of the identified risks, including (1) determining the criticality of system components, including information assets, in achieving the objectives; (2) assessing the susceptibility of the identified vulnerabilities to the identified threats; (3) assessing the likelihood of the identified risks; (4) assessing the magnitude of the effect of potential risks to the achievement of the objectives; (5) considering the potential effects of unidentified threats and vulnerabilities on the assessed risks; (6) developing risk mitigation strategies to address the assessed risks; and (7) evaluating the appropriateness of residual risk (including whether to accept, reduce, or share such risks).
• Considers Various Types of Fraud — The assessment of fraud considers fraudulent


reporting, possible loss of assets, and corruption resulting from the various ways that
fraud and misconduct can occur.
• Assesses Incentives and Pressures — The assessment of fraud risks considers
incentives and pressures.
• Assesses Opportunities — The assessment of fraud risk considers opportunities for
unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting
records, or committing other inappropriate acts.
• Assesses Attitudes and Rationalizations — The assessment of fraud risk considers how
management and other personnel might engage in or justify inappropriate actions.
• Considers the Risks Related to the Use of IT and Access to Information — The
assessment of fraud risks includes consideration of internal and external threats and
vulnerabilities that arise specifically from the use of IT and access to information.
• Assesses Changes in the External Environment — The risk identification process
considers changes to the regulatory, economic, and physical environment in which
the entity operates.
• Assesses Changes in the Business Model — The entity considers the potential impacts
of new business lines, dramatically altered compositions of existing business lines,
acquired or divested business operations on the system of internal control, rapid growth,
changing reliance on foreign geographies, and new technologies.
• Assesses Changes in Leadership — The entity considers changes in management and
respective attitudes and philosophies on the system of internal control.
• Assesses Changes in Systems and Technology — The risk identification process
considers changes arising from changes in the entity’s systems and changes in the
technology environment.
• Assesses Changes in Vendor and Business Partner Relationships — The risk
identification process considers changes in vendor and business partner relationships.
• Assesses Changes in Threats and Vulnerabilities — The risk identification process
assesses changes in (1) internal and external threats to and vulnerabilities of the
components of the entity’s systems and (2) the likelihood and magnitude of the resultant
risks to the achievement of the entity’s objectives.
• Considers a Mix of Ongoing and Separate Evaluations — Management includes a
balance of ongoing and separate evaluations.
• Considers Rate of Change — Management considers the rate of change in business and
business processes when selecting and developing ongoing and separate evaluations.
• Establishes Baseline Understanding — The design and current state of an internal
control system are used to establish a baseline for ongoing and separate evaluations.
• Uses Knowledgeable Personnel — Evaluators performing ongoing and separate
evaluations have sufficient knowledge to understand what is being evaluated.
• Integrates With Business Processes — Ongoing evaluations are built into the business
processes and adjust to changing conditions.
• Adjusts Scope and Frequency — Management varies the scope and frequency of
separate evaluations depending on risk.
• Objectively Evaluates — Separate evaluations are performed periodically to provide
objective feedback.
• Considers Different Types of Ongoing and Separate Evaluations — Management uses a
variety of ongoing and separate risk and control evaluations to determine
whether internal controls are present and functioning. Depending on the entity’s
objectives, such risk and control evaluations may include first- and second-line
monitoring and control testing, internal audit assessments, compliance assessments,
resilience assessments, vulnerability scans, security assessment, penetration testing, and
third-party assessments.
• Assesses Results — Management and the board of directors, as appropriate, assess
results of ongoing and separate evaluations.
• Communicates Deficiencies — Deficiencies are communicated to parties responsible
for taking corrective action and to senior management and the board of directors, as
appropriate.
• Monitors Corrective Action — Management tracks whether deficiencies are remedied
on a timely basis.
• Integrates With Risk Assessment — Control activities help ensure that risk responses
that address and mitigate risks are carried out.
• Considers Entity-Specific Factors — Management considers how the environment,
complexity, nature, and scope of its operations, as well as the specific characteristics
of its organization, affect the selection and development of control activities.
• Determines Relevant Business Processes — Management determines which relevant
business processes require control activities.
• Evaluates a Mix of Control Activity Types — Control activities include a range and
variety of controls and may include a balance of approaches to mitigate risks, considering
both manual and automated controls, and preventive and detective controls.
• Considers at What Level Activities Are Applied — Management considers control
activities at various levels in the entity.
• Addresses Segregation of Duties — Management segregates incompatible duties and,
where such segregation is not practical, management selects and develops alternative
control activities.
• Determines Dependency Between the Use of Technology in Business Processes and
Technology General Controls — Management understands and determines the
dependency and linkage between business processes, automated control activities, and
technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities — Management
selects and develops control activities over the technology infrastructure, which are
designed and implemented to help ensure the completeness, accuracy, and availability of
technology processing.
• Establishes Relevant Security Management Process Controls Activities —
Management selects and develops control activities that are designed and implemented
to restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process
Control Activities — Management selects and develops control activities over the
acquisition, development, and maintenance of technology and its infrastructure
to achieve management’s objectives.
• Establishes Policies and Procedures to Support Deployment of Management’s
Directives — Management establishes control activities that are built into business
processes and employees’ day-to-day activities through policies establishing what is
expected and relevant procedures specifying actions.
• Establishes Responsibility and Accountability for Executing Policies and Procedures —
Management establishes responsibility and accountability for control activities with
management (or other designated personnel) of the business unit or function in which
the relevant risks reside.
• Performs in a Timely Manner — Responsible personnel perform control activities in a
timely manner as defined by the policies and procedures.
• Takes Corrective Action — Responsible personnel investigate and act on matters
identified as a result of executing control activities.
• Performs Using Competent Personnel — Competent personnel with sufficient
authority perform control activities with diligence and continuing focus.
• Reassesses Policies and Procedures — Management periodically reviews control
activities to determine their continued relevance and refreshes them when necessary.
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
inventories, classifies, and manages information assets (for example, infrastructure,
software, and data).
• Assesses New Architectures — The entity identifies new system architectures and
assesses their security prior to implementation into the system environment.
• Restricts Logical Access — The entity restricts logical access to information assets,
including infrastructure (for example, server, storage, network elements, APIs, and
endpoint devices), software, and data (at rest, during processing, or in transmission)
through the use of access control software, rule sets, and standard configuration
hardening processes.
• Identifies and Authenticates Users — The entity identifies and authenticates persons,
infrastructure, and software prior to accessing information assets, whether locally or
remotely. The entity uses more complex or advanced user authentication techniques
such as multifactor authentication when such protections are deemed
appropriate based on its risk mitigation strategy.
• Considers Network Segmentation — The entity uses network segmentation, zero trust
architectures, and other techniques to isolate unrelated portions of the entity's
information technology from each other based on the entity’s risk mitigation strategy.
• Manages Points of Access — Points of access by outside entities and the types of data
that flow through the points of access are identified, inventoried, and managed. The
types of individuals and systems using each point of access are identified, documented,
and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate
data structures, port restrictions, access protocol restrictions, user identification, and
digital certificates are used to establish access control rules and configuration standards
for information assets.
• Manages Identification and Authentication — Identification and authentication
requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being
granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required or the
infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to protect data (at rest,
during processing, or in transmission), when such protections are deemed appropriate
based on the entity’s risk mitigation strategy.
• Creates Access Credentials to Protected Information Assets —The entity creates
credentials for accessing protected information assets based on an authorization from
the system's asset owner or authorized custodian. Authorization is required for the
creation of all types of credentials of individuals (for example, employees, contractors,
vendors, and business partner personnel), systems, and software.
• Reviews Validity of Access Credentials — The entity reviews access credentials on a
periodic basis for validity (for example, employees, contractors, vendors, and business
partner personnel) and inappropriate system or service accounts.
• Prevents the Use of Credentials When No Longer Valid — Processes are in place to
disable, destroy, or otherwise prevent the use of access credentials when no longer valid.
• Creates or Modifies Access to Protected Information Assets — Processes are in place
to create or modify access to protected information assets based on authorization from
the asset’s owner.
• Removes Access to Protected Information Assets — Processes are in place to remove
access to protected information assets when no longer required.
• Uses Access Control Structures — The entity uses access control structures, such as
role-based access controls, to restrict access to protected information assets,
limit privileges, and support segregation of incompatible functions.
• Reviews Access Roles and Rules — The appropriateness of access roles and access
rules is reviewed on a periodic basis for unnecessary and inappropriate individuals (for
example, employees, contractors, vendors, business partner personnel) and
inappropriate system or service accounts. Access roles and rules are modified, as
appropriate.
• Creates or Modifies Physical Access — Processes are in place to create or modify
physical access by employees, contractors, vendors, and business partner personnel to
facilities such as data centers, office spaces, and work areas, based on appropriate
authorization.
• Removes Physical Access — Processes are in place to remove physical access to
facilities and protected information assets when an employee, contractor, vendor, or
business partner no longer requires access.
• Recovers Physical Devices — Processes are in place to recover entity devices (for
example, badges, laptops, and mobile devices) when an employee, contractor, vendor, or
business partner no longer requires access.
• Reviews Physical Access — Processes are in place to periodically review physical access
to help ensure consistency with job responsibilities.
• Removes Data and Software for Disposal — Procedures are in place to remove, delete,
or otherwise render data and software inaccessible from physical assets and other
devices owned by the entity, its vendors, and employees when the data and software are
no longer required on the asset or the asset will no longer be under the control of the
entity.
• Restricts Access — The types of activities that can occur through a communication
channel (for example, FTP site, router port) are restricted.
• Protects Identification and Authentication Credentials — Identification and
authentication credentials are protected during transmission outside its system
boundaries.
• Requires Additional Authentication or Credentials — Additional authentication
information or credentials are required when accessing the system from outside its
boundaries.
• Implements Boundary Protection Systems — Boundary protection systems (for
example, firewalls, demilitarized zones, intrusion detection or prevention systems, and
endpoint detection and response systems) are configured, implemented, and maintained
to protect external access points.
• Restricts the Ability to Perform Transmission — Data loss prevention processes and
technologies are used to restrict ability to authorize and execute transmission,
movement, and removal of information.
• Uses Encryption Technologies or Secure Communication Channels to Protect Data —
Encryption technologies or secured communication channels are used to protect
transmission of data and other communications beyond connectivity access points.
• Protects Removal Media — Encryption technologies and physical asset protections are
used for removable media (such as USB drives and backup tapes), as appropriate.
• Protects Endpoint Devices — Processes and controls are in place to protect endpoint
devices (such as mobile devices, laptops, desktops, and sensor).
• Restricts Installation and Modification of Application and Software — The ability to
install and modify applications and software is restricted to authorized individuals. Utility
software capable of bypassing normal operating or security procedures is limited to use
by authorized individuals and is monitored regularly.
• Detects Unauthorized Changes to Software and Configuration Parameters —
Processes are in place to detect changes to software and configuration parameters that
may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control
process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software on
servers and endpoint devices is configured, implemented, and maintained to provide for
the interception or detection and remediation of malware.
• Scans Information Assets From Outside the Entity for Malware and Other
Unauthorized Software — Procedures are in place to scan information assets that have
been transferred or returned to the entity’s custody for malware and other unauthorized
software. Detected malware or other software is removed prior to connection to the
entity’s network.
• Uses Defined Configuration Standards — The entity has defined configuration
standards to be used for hardening systems.
• Monitors Infrastructure and Software — The entity monitors infrastructure and
software for noncompliance with the standards, which could threaten the achievement
of the entity's objectives.
• Implements Change-Detection Mechanisms — The IT system includes a change-
detection mechanism (for example, file integrity monitoring tools) to alert personnel to
unauthorized modifications of critical system files, configuration files, or content files.
• Detects Unknown or Unauthorized Components — Procedures are in place to detect
the introduction of unknown or unauthorized components.
• Conducts Vulnerability Scans — The entity conducts infrastructure and software
vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a
periodic basis and after significant changes are made to the environment. Action is taken
to remediate identified deficiencies in a timely manner to support the achievement of
the entity’s objectives.
• Implements Detection Policies, Procedures, and Tools — Detection policies,
procedures, and tools are defined and implemented on infrastructure and software to
identify potential intrusions, inappropriate access, and anomalies in the operation of or
unusual activity on systems. Procedures may include (1) a defined governance process
for security event detection and management; (2) use of intelligence sources to identify
newly discovered threats and vulnerabilities; and (3) logging of unusual system activities.
• Designs Detection Measures — Detection measures are designed to identify anomalies
that could result from actual or attempted (1) compromise of physical barriers; (2)
unauthorized actions of authorized personnel; (3) use of compromised identification and
authentication credentials; (4) unauthorized access from outside the system boundaries;
(5) compromise of authorized external parties; and (6) implementation or connection of
unauthorized hardware and software.
• Implements Filters to Analyze Anomalies — Management has implemented
procedures to filter, summarize, and analyze anomalies to identify security events.
• Monitors Detection Tools for Effective Operation — Management has implemented
processes to monitor and maintain the effectiveness of detection tools.
• Responds to Security Incidents — Procedures are in place for responding to security
incidents and evaluating the effectiveness of those policies and procedures on a periodic
basis.
• Communicates and Reviews Detected Security Events — Detected security events are
communicated to and reviewed by the individuals responsible for the management of
the security program, and actions are taken, if necessary.
• Develops and Implements Procedures to Analyze Security Incidents — Procedures are
in place to analyze security incidents and determine system impact.
• Assesses the Impact on Confidential Information — Detected security events are
evaluated to determine whether they could or did result in the unauthorized disclosure
or use of confidential information.
• Determines Confidential Information Used or Disclosed — When an unauthorized use
or disclosure of confidential information has occurred, the affected information is
identified and actions are taken to help prevent future recurrence and address control
failures to support the achievement of entity objectives.
• Assesses the Impact on Personal Information — Detected security events are
evaluated to determine whether they could or did result in the unauthorized disclosure
or use of personal information and whether there has been a failure to comply with
applicable laws or regulations.
• Determines Personal Information Used or Disclosed — When an unauthorized use or
disclosure of personal information has occurred, the affected information is identified
and actions are taken to help prevent future recurrence and address control failures to
support the achievement of entity objectives.
• Assigns Roles and Responsibilities — Roles and responsibilities for the design,
implementation, maintenance, and execution of the incident-response program are
assigned, including the use of external resources when necessary.
• Contains and Responds to Security Incidents — Procedures are in place to respond to
and contain security incidents that actively threaten entity objectives.
• Mitigates Ongoing Security Incidents — Procedures are in place to mitigate the effects
of ongoing security incidents.
• Resolves Security Incidents — Procedures are in place to resolve security incidents
through closure of vulnerabilities, removal of unauthorized access, and other
remediation actions.
• Restores Operations — Procedures are in place to restore data and business operations
to an interim state that permits the achievement of entity objectives.
• Develops and Implements Communication of Security Incidents — Protocols for
communicating, in a timely manner, information regarding security incidents and
actions taken to affected parties are developed and implemented to support the
achievement of the entity's objectives.
• Obtains Understanding of Nature of Incident and Determines Containment Strategy —
An understanding of the nature (for example, the method by which the incident occurred
and the affected system resources) and severity of the security incident is obtained to
determine the appropriate response and containment strategy, including (1) a
determination of the appropriate response time frame, and (2) the determination and
execution of the containment approach.
• Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated
through the development and execution of remediation activities.
• Communicates Remediation Activities — Remediation activities are documented and
communicated in accordance with the incident-response program.
• Evaluates the Effectiveness of Incident Response — The design of incident-response
activities is evaluated for effectiveness on a periodic basis.
• Periodically Evaluates Incidents — Periodically, management reviews incidents related
to security, availability, processing integrity, confidentiality, and privacy and identifies the
need for system changes based on incident patterns and root causes.
• Applies Breach Response Procedures — Breach response procedures are defined and
applied in the event of a confirmed privacy incident.
• Communicates Unauthorized Use and Disclosure — Events that resulted in
unauthorized use or disclosure of personal information are communicated to the data
subjects, legal and regulatory authorities, and others as required.
• Application of Sanctions — The conduct of individuals and organizations operating
• Restores the Affected Environment — The activities restore the affected environment
to functional operation by rebuilding systems, updating software, installing patches,
modifying access controls, and changing configurations, as needed.
• Communicates Information About the Incident — Communications about the nature
of the incident, recovery actions taken, and activities required for the prevention of
future security incidents are made to management and others as appropriate (internal
and external).
• Determines Root Cause of the Incident — The root cause of the incident is determined.
• Implements Changes to Prevent and Detect Recurrences — Additional architecture or
changes to preventive and detective controls are implemented to prevent and detect
incident recurrences in a timely manner.
• Improves Response and Recovery Procedures — Lessons learned are analyzed and the
incident-response plan and recovery procedures are improved.
• Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is
performed on a periodic basis. The testing includes (1) development of testing scenarios
based on threat likelihood and magnitude; (2) consideration of relevant system
components from across the entity that can impair availability; (3) scenarios that
consider the potential for the lack of availability of key personnel; and (4) revision of
resilience posture and continuity plans based on test results.
• Manages Changes Throughout the System Life Cycle — A process for managing system
changes throughout the life cycle of the system and its components (infrastructure, data,
software, and manual and automated procedures) is used to support the achievement of
entity objectives.
• Authorizes Changes — A process is in place to authorize system and architecture
changes prior to design, development, or acquisition and configuration.
• Designs and Develops Changes — A process is in place to design and develop system
changes in a secure manner to support the achievement of entity objectives.
• Documents Changes — A process is in place to document system changes to support
ongoing maintenance of the system and to support internal and external users in
performing their responsibilities.
• Tracks System Changes — A process is in place to track system changes prior to
implementation.
• Configures Software — A process is in place to select, implement, maintain, and
monitor configuration parameters used to control the functionality of developed and
acquired software.
• Tests System Changes — A process is in place to test internally developed and acquired
system changes prior to implementation into the production environment.
Examples of testing may include unit, integration, regression, static and dynamic
application source code, quality assurance, or automated testing (whether point in
time or continuous).
• Approves System Changes — A process is in place to approve system changes prior to
implementation.
• Deploys System Changes — A process is in place to implement system changes with
consideration of segregation of responsibilities (for example, restricting unilateral code
development or testing and implementation by a single user) to prevent or detect
unauthorized changes.
• Identifies and Evaluates System Changes — Objectives affected by system changes are
identified, and the ability of the modified system to support the achievement of the
objectives is evaluated throughout the system development life cycle.
• Identifies Changes in Infrastructure, Data, Software, and Procedures Required to
Remediate Incidents — Changes in infrastructure, data, software, and procedures
required to remediate incidents are identified and the change process is initiated upon
identification.
• Creates Baseline Configuration of IT Technology — A baseline configuration of IT and
control systems is created and maintained.
• Provides for Changes Necessary in Emergency Situations — A process is in place for
• Considers Mitigation of Risks of Business Disruption — Risk mitigation activities
include the development of planned policies, procedures, communications, and
alternative processing solutions to respond to, mitigate, and recover from incidents
that disrupt business operations. Those resilience policies and procedures include
monitoring processes, information, and communications to support the achievement of
the entity's objectives during response, mitigation, and recovery efforts.
• Considers the Use of Insurance to Mitigate Financial Impact Risks — The risk
management activities consider the use of insurance to offset the financial impact of loss
events that would otherwise impair the ability of the entity to support the achievement
of its objectives.
• Establishes Requirements for Vendor and Business Partner Engagements — The entity
establishes specific requirements for vendor and business partner engagements that
include (1) scope of services and product specifications, (2) roles and responsibilities, (3)
compliance requirements, and (4) service levels.
• Identifies Vulnerabilities — The entity evaluates vulnerabilities arising from vendor and
business partner relationships, including third-party access to the entity’s IT systems and
connections with third-party networks.
• Assesses Vendor and Business Partner Risks — The entity inventories, tiers, and
assesses, on a periodic basis, threats arising from relationships with vendors and
business partners (and those entities’ vendors and business partners) and the
vulnerability of the entity's objectives to those threats. Examples of threats arising from
relationships with vendors and business partners include those arising from their (1)
financial failure, (2) security vulnerabilities, (3) operational disruption, and (4) failure to
meet business or regulatory requirements.
• Assigns Responsibility and Accountability for Managing Vendors and Business
Partners — The entity assigns responsibility and accountability for the management
of risks and changes to services associated with vendors and business partners.
• Establishes Communication Protocols for Vendors and Business Partners — The entity
establishes communication and resolution protocols for service or product issues related
to vendors and business partners.
• Establishes Exception Handling Procedures From Vendors and Business Partners —
The entity establishes exception handling procedures for service or product issues related
to vendors and business partners.
• Assesses Vendor and Business Partner Performance — The entity assesses the
performance of vendors and business partners, as frequently as warranted, based on the
risk associated with the vendor or business partner.
• Implements Procedures for Addressing Issues Identified During Vendor and Business
Partner Assessments — The entity implements procedures for addressing issues
identified with vendor and business partner relationships.
• Implements Procedures for Terminating Vendor and Business Partner Relationships —
The entity implements procedures for terminating vendor and business partner
relationships based on predefined considerations. Those procedures may include safe
return of data and its removal from the vendor or business partner system.
• Obtains Confidentiality Commitments From Vendors and Business Partners — The
entity obtains confidentiality commitments that are consistent with the entity’s
confidentiality commitments and requirements from vendors and business partners who
have access to confidential information.
Example Controls

CC1.1.1- Mission, vision and value statements have been developed by
management and are posted on the company intranet site.
CC1.1.2- An employee handbook, outlining standards of conduct, is
published and made available to employees.
CC1.1.3- Upon hire, employees are required to review and attest to
compliance with the employee handbook.
CC1.1.4- Upon onboarding, contractors are required to sign the
contractor handbook outlining standards
of compliance with the mission, vision and values of aPriori.
CC1.1.5- Annually, employee goals are described and documented.
Employees are evaluated based upon progress toward meeting goals and
discuss these goals with managers. Job training identified for the
employee is tracked on an ongoing basis.

CC1.2.1- A board of directors has been established and consists of senior
management, investors and independent board members with industry
experience. The board of directors meets at least quarterly.
CC1.2.2- The board of directors has established an audit committee,
responsible for the oversight of internal control.
CC1.2.3- The risk assessment is reported to the board of directors
annually by senior management.
CC1.3.1- Management has documented an organizational chart, which
outlines structures, reporting lines and authorities for individuals and
job positions.
CC1.3.2- Management has documented progression matrices, outlining
expectations for job positions and promotion opportunities.
CC1.3.3- Contact information is provided to user entities via the company
website.
CC1.3.4- Customers are able to submit tickets via the customer portal.
CC1.3.5- Vendor relationship owners are assigned and documented by
management.
CC1.4.1- An SOP outlining the hiring process has been documented by
management.
CC1.4.2- Prior to hire, candidates are interviewed and assessed for
organizational fit. Candidates are tracked centrally by HR.
CC1.4.3- Annually, employee goals are described and documented.
Employees are evaluated based upon progress toward meeting goals and
discuss these goals with managers. Job training identified for the
employee is tracked on an ongoing basis.
CC1.4.4- Where allowed by law, background checks are performed on
candidates prior to hire. All individuals with access to user entity data
have background checks performed.
CC1.4.5- Annually, all employees are required to take security training.
CC1.4.6- Management has documented progression matrices, outlining
expectations for job positions and promotion opportunities.
CC1.4.7- Upon contract renewals, vendors are required to go through the
vendor due diligence process as outlined in the Vendor Risk Management
Policy.
CC1.5.1- Management has documented an organizational chart, which
outlines structures, reporting lines and authorities for individuals and
job positions.
CC1.5.2- Annually, employee goals are described and documented for all
employees under the vice president (VP) level. Employees are evaluated
based upon progress toward meeting goals and discuss these goals with
managers. Job training identified for the employee is tracked on an
ongoing basis.
CC1.5.3- Management has documented progression matrices, outlining
expectations for job positions and promotion opportunities.
CC1.5.4- Annually, all employees are required to take security training.
CC1.5.5- Management has made a whistleblower hotline available to
employees to report instances of noncompliance with policies.
CC1.5.6- Weekly, except during holiday weeks and office closings, a
meeting between engineering, customer support and product managers
occurs to discuss issues identified in production and triage issues, and
outline plans to address them.
CC1.5.7- Every six weeks, scrum milestones are presented to product
managers, professional services and support teams on new code releases
by the engineering team.
CC2.1.1- At the beginning of each release period, product management
meets with various internal stakeholders to outline goals for the upcoming
product release. Release goals are outlined as part of this process.
CC2.1.2- Weekly, except during holiday weeks and office closings, a
meeting between engineering, customer support and product managers
occurs to discuss issues identified in production and triage issues,
and outline plans to address them.
CC2.1.3- Customer support issues are documented in a support ticket
and are routed to appropriate individuals for resolution.
CC2.1.4- Every six weeks, scrum milestones are presented to product
managers, professional services and support teams on new code releases
by the engineering team.
CC2.1.5- Major and minor releases are authorized, reviewed and
approved prior to release.
CC2.1.6- Major and minor releases are tested prior to release.
CC1.1.6- Background checks are performed for all employees prior to hiring or within 30 days of hiring.
Test of Control

Obtained background check reports for a sample of employees and confirmed that
background checks are performed for all the employees prior to hiring.

ROWD

EY selected a sample of 25 (of 320) new employees during the audit period and obtained
background check reports.

Test Result

No Exceptions noted.

Tester Sign-off                QA Sign-off
Service Organization: Finx
Service Auditor: EY
Services: Loan processing Services

1 Gap Assessment   We will perform a gap assessment to see if the service organization
                   has proper controls to meet all the SOC requirements.
2 Type I           We will test the design of the controls to see if the design is
                   effective as per SOC requirements.
3 Type II          We will test both the design and the operating effectiveness of the
                   controls as per SOC requirements.

                                  Gap Assessment   Type I (TOD)          Type II (TOD + TOE)
Timing                                             After 4 to 6 months   After 6 months from Type I
Date                              11/10/2023       1/4/2024              1/10/2024
Total Controls                    100
Controls Implemented at Finx      30               100                   100
Controls Need to implement to
meet SOC requirements             70
Total                             100
User Organization
User Auditor
Service Organization
Service Auditor

User Organization                      Service Organization
Public Trading Company A  <---------   B
User Auditor: PWC (SOX)                Service Auditor: KPMG (SOC)

AICPA - American Institute of Certified Public Accountants
CPA - Certified Public Accountant
