
SOC 1 and SOC 2


SOC 1 and SOC 2 are both types of reports issued in accordance with standards developed by the American Institute of Certified Public Accountants (AICPA). These reports are relevant to service organizations and attest to the controls and processes in place regarding financial reporting (SOC 1) and security, availability, processing integrity, confidentiality, and privacy (SOC 2). Below is an outline of typical documentation required for SOC 1 and SOC 2 compliance:

1. Policies and Procedures

1. Internal Control Policies (SOC 1): Documents outlining policies and procedures related to internal controls over financial reporting, such as segregation of duties, authorization, and transaction processing.
2. Security Policies (SOC 2): Policies and procedures related to information security, including access control, data classification, incident response, and data retention.

2. Risk Assessment and Management

1. Documentation of risk assessment methodologies used to identify and assess risks to financial reporting (SOC 1) or to the security, availability, processing integrity, confidentiality, and privacy of systems and data (SOC 2).
2. Records of risk mitigation strategies and controls implemented to address identified risks.

3. Control Environment Documentation

1. Description of the control environment, including organizational structure, governance processes, and the tone set by management regarding controls and compliance.
2. Documentation of management's oversight of controls and their commitment to internal control effectiveness.

4. Control Activities Documentation

1. Detailed descriptions of control activities implemented to achieve control objectives related to financial reporting (SOC 1) or security, availability, processing integrity, confidentiality, and privacy (SOC 2).
2. Evidence of the design and operating effectiveness of control activities.

5. Information Technology (IT) Controls Documentation

1. Description of IT general controls (ITGCs) and application controls relevant to financial reporting (SOC 1) or security and data protection (SOC 2).
2. Documentation of controls related to logical access, change management, data backups, system monitoring, and incident response.

6. Third-Party Service Provider Documentation

1. Documentation of contracts and agreements with third-party service providers and vendors, including service level agreements (SLAs) and agreements related to data processing and protection.
2. Records of due diligence performed on third-party service providers and assessments of their controls and compliance.

7. Testing and Monitoring Documentation

1. Records of testing procedures conducted to evaluate the effectiveness of controls over financial reporting (SOC 1) or security, availability, processing integrity, confidentiality, and privacy (SOC 2).
2. Documentation of monitoring activities performed to detect control failures or deficiencies and to ensure ongoing compliance.

8. Incident Response and Remediation Documentation

1. Procedures for responding to and remediating control deficiencies, incidents, and breaches.
2. Documentation of incidents, including their nature, impact, root causes, and remediation actions taken to prevent recurrence.

9. Reporting and Communication Documentation

1. Documentation of communication with stakeholders, including reports issued to management, customers, regulators, and auditors regarding control objectives, testing results, and compliance status.
2. Records of management's assertions and representations regarding control effectiveness and compliance with SOC 1 or SOC 2 requirements.

10. Audit and Assurance Documentation

1. Documentation of audit procedures performed by internal or external auditors to evaluate control effectiveness and compliance with SOC 1 or SOC 2 requirements.
2. Audit reports, findings, and recommendations for improving controls and compliance.

11. Compliance Framework Documentation

1. Documentation of the organization's adoption of control frameworks, standards, and best practices relevant to SOC 1 or SOC 2 compliance, such as COSO (Committee of Sponsoring Organizations of the Treadway Commission) for SOC 1 or the Trust Services Criteria for SOC

12. Evidence Retention Policy

Policies and procedures for retaining and securely storing documentation and evidence related to SOC 1 or SOC 2 compliance, including retention periods and access controls.

These documents collectively provide evidence of an organization’s adherence to control objectives and compliance requirements specified in SOC 1 or SOC 2 reports. They are essential for demonstrating the effectiveness of controls over financial reporting (SOC 1) or security, availability, processing integrity, confidentiality, and privacy (SOC 2) to customers, regulators, and other stakeholders. Additionally, they support the audit and assurance process and contribute to ongoing improvement efforts in control effectiveness and compliance.