Are you intimidated, overwhelmed, confused, short on time or just don’t know where to start when reviewing AICPA SOC 1®, SOC 2®, or SOC 3® reports? Or are you looking to augment your current SOC® report knowledge base?
The CRVPM Level VI/Certified AICPA SOC® Report Analyst (CASRA®) course is the dual certification course for you! SOC® Reports are great tools for better understanding the risk that a third party might expose your company to. However, they are filled with information that you need to sift through, and they frequently take a great deal of time to analyze if you don’t know what to look for, where to find it and what it means.
This course will educate you as to what SOC® reports are all about and how to quickly find the pieces of information you need in order to perform an analysis of the report. It utilizes the standard methodology and tools developed by our CEI Advisory Services Group that are provided with the course so you can create a consistent, well-documented, informative analysis report every time.
Time Required: 12 hours
CPE Credits: 14.4 Continuing Professional Education credits
Availability: web-based, self-paced, on demand
Curriculum: 7 chapters, each followed by an exam
Certification Requirement: 80% passing grade on each exam
Recertification: Annual requirement. Cost: $499.00
- PDF Course Content
- SOC® Report Analysis Report Template
- CUEC Tracking Sheet
- CUEC Management Report
Upon Successful Completion: Those successfully completing the course receive:
- CASRA® Certificate
- CASRA® Designation Number
- Where To Find It guide
- 1 year free telephone/email support
The goal of the CRVPM Level VI/Certified AICPA SOC® Report Analyst (CASRA®) course is to teach you how to quickly find the key pieces of information within a SOC® report, understand what they mean and develop a consolidated report about the level of risk that a vendor (3rd party) poses to your organization.
Chapter 1 – History, Terms and Definitions: SOC® reports have evolved over many years and the AICPA has done an outstanding job of keeping up with the ever-evolving business environment. This chapter will take you through the evolution from SAS® to SOC® and SSAE 18®. It will also familiarize you with common terminology used in reports and you will gain an understanding of the inter-relationship and importance of the following:
- COSO Principles
- Trust Services Criteria
- Common Criteria
Chapter 2 – The Report Components: Chapter 2 begins our dive into a SOC report and explains what the Independent Service Auditor’s Report, Management’s Assertion and the Auditor’s Opinion are about. It also dissects those sections and pinpoints the information you glean from a report in just a few paragraphs. We will begin working through the SOC® Report Analysis template provided with the course.
Chapter 3 – Description of The System: We begin our voyage through the Description of the System and the 9 key Description Criteria, identifying key pieces of information that will be incorporated into the SOC® Analysis Report. This review might also indicate that additional information is required from our vendor to gain a better understanding of their controls.
Chapter 4 – Description of the System, Tests and Test Results: We continue our analysis of the Description of the System as we work through Vendor Management, Complementary User Entity Controls (CUECs), Sub-service Organizations, Complementary Sub-service Organization Controls, Changes to the System and Incidents. Chapter 4 then continues on to discuss Tests and Test Results and the impact of Exceptions and Deviations on the Auditor’s Opinion.
Chapter 5 – Section 5 (Other Information), Bridge Letters, SOC 3®: Section 5 contains unaudited information, sometimes referred to as Irrelevant Information. Very often, the Service Organization’s management wants you to know more about their company or might respond to an incident or a test Exception/Deviation. The Service Auditor doesn’t verify this information but makes it known to you, and it could contain valuable information that you need to utilize in your SOC® Analysis Report. We will also help you understand what a Bridge Letter is and why you might need it. We finish Chapter 5 with an analysis of SOC 3® reports. While many think a SOC 3® is just a marketing tool and contains nothing of value, it is chock-full of information that you might find extremely useful as you’re conducting your due diligence on a potential vendor.
Chapter 6 – SOC 1® Report: Chapter 6 compares and contrasts SOC 2 and SOC 1 reports throughout all sections of the report. It points out the difference in controls: Trust Services and Common Criteria vs. IT General Controls and Business Process. It also sheds light on the influence of COSO Principles and the indirect way in which the relationship is documented. It finishes with Tests and Test Results and Section 5 (Other Information).
AICPA SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants