Certified AICPA SOC® Report Analyst (CASRA®)

Are you intimidated, overwhelmed, confused, short on time or just don’t know where to start when reviewing AICPA SOC 1®, SOC 2®, or SOC 3® reports? Or are you looking to augment your current SOC® report knowledge-base?

The Certified AICPA SOC® Report Analyst (CASRA®) course is for you! SOC® Reports are great tools for better understanding the risk that a third party might expose your company to. However, they are filled with information that you need to sift through and frequently take a great deal of time to analyze if you don’t know what to look for, where to find it and what it means.

This course will educate you as to what SOC® reports are all about and how to quickly find the pieces of information you need in order to perform an analysis of the report. It utilizes the standard methodology and tools developed by our CEI Advisory Services Group that are provided with the course so you can create a consistent, well-documented, informative analysis report every time.

14 CPE credits (based on 1 credit per 50 minutes)

This course and certification are provided by Compliance Education Institute. Recertification is required annually.

Who should attend

This course benefits anyone who has to read SOC® reports and needs to understand what to look for, where to find it, and what it means regarding third-party risk to their organization.

Topics

SOC® reports have evolved over many years and the AICPA has done an outstanding job of keeping up with the ever-evolving business environment. This chapter will take you through the evolution from SAS® to SOC® and SSAE 18®. It will also familiarize you with common terminology used in reports and you will gain an understanding of the inter-relationship and importance of the following:

  • COSO Principles
  • Trust Services Criteria
  • Common Criteria

Chapter 2 begins our dive into a SOC report and explains what the Independent Service Auditor’s Report, Management’s Assertion and the Auditor’s Opinion are about. It also dissects those sections and pinpoints the information you can glean from a report in just a few paragraphs. We will begin working through the SOC® Report Analysis report template provided with the course.

We begin our voyage through the Description of the System and the 9 key Description Criteria, identifying key pieces of information that will be incorporated into the SOC® Analysis Report. It might also indicate that additional information is required from our vendor to gain a better understanding of their controls.

We continue our analysis of the Description of the System as we work through Vendor Management, Complementary User Entity Controls (CUECs), Sub-service Organizations, Complementary Sub-service Organization Controls, Changes to the System and Incidents. Chapter 4 then continues on to discuss Tests and Test Results and the impact of Exceptions and Deviations on the Auditor’s Opinion.

Section 5 contains unaudited information, sometimes referred to as Irrelevant Information. Very often, the Service Organization’s management wants you to know more about their company or might respond to an incident or a test Exception/Deviation. The Service Auditor doesn’t verify this information but makes it known to you, and it could contain valuable information that you need to utilize in your SOC® Analysis Report. We will also help you understand what a Bridge Letter is and why you might need it. We finish Chapter 5 with an analysis of SOC 3® reports. While many think a SOC 3® is just a marketing tool and contains nothing of value, it is chock-full of information that you might find extremely useful as you’re conducting your due diligence on a potential vendor.

Chapter 6 compares and contrasts SOC 2 and SOC 1 reports throughout all sections of the report. It points out the difference in controls: Trust Services and Common Criteria vs. IT General Controls and Business Process. It also sheds light on the influence of COSO Principles and the indirect way in which the relationship is documented. It finishes with Tests and Test Results and Section 5 (Other Information).

About the presenter: Compliance Education Institute LLC

Mick Kless is the founder and CEO of RISC Associates, a regulatory compliance consultancy and compliance automation tools developer, and Compliance Education Institute, the training and education division of RISC. He is a recognized industry expert on vendor management and the creator of the Certified Regulatory Vendor Program Manager (CRVPM) course. Mick has spent more than 30 years in financial services, has focused on GLBA 501(b) issues since 2001 and has specialized in vendor management regulatory issues since 2004.

For course access questions, email support@compliance-edu.com.

Course length: 12 hours

Order Now

Member: Regular Price 1499.0

Non-Member: Regular Price 2998.0

Learn how to become a member here: https://www.cuna.org/join/

Product Code: CASRA23