What Asset Managers Need to Know About SOC Reports

With many recent changes to the System and Organization Controls (SOC) reports guidelines, SIFMA AMG and BDO have prepared this guide for asset managers to understand the function of the SOC 2 report, and its role in asset managers’ third party risk programs. The white paper also compares the various SOC reports to highlight the intended use for each report.

See also: Asset Manager’s Guide to SOC 1 (June 2017)


Excerpt

What Asset Managers Need To Know About System And Organization Controls (SOC) Reports

The Asset Management Group (AMG) of the Securities Industry and Financial Markets Association (SIFMA) and BDO USA, LLP developed the following guidelines to help asset managers understand and leverage System and Organization Controls (SOC) reports as part of their third-party/vendor risk management process. This whitepaper was developed by leveraging and applying the American Institute of Certified Public Accountants’ (AICPA) 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (effective December 15, 2018); Guide: Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (May 1, 2017); Guide: SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (January 1, 2018); and AICPA’s brochure What are you doing to prevent cyberattacks? (May 8, 2018).