SOC Audit

Last updated: 2018-06-22 10:12:53

The System and Organization Controls Reports (“SOC Reports”) are independent audit reports, and encompass the Tencent Cloud platform security, availability and confidentiality control points. Depending on the authentication service type, they may be provided to cloud users and auditors, to fulfill the relevant requirements.

The SOC Reports are a series of reports on the internal controls of a service organization, issued by a third party accounting firm, in accordance with the relevant standards of the American Institute of Certified Public Accountants (AICPA).

  • The Tencent Cloud SOC 1 Reports were issued with reference to the AICPA Audit Standard SSAE No. 18, AT-C section 320, and pertains to the adequacy of the design of the internal controls for the Tencent Cloud Service System – Tenant User Financial Report.

  • The Tencent Cloud SOC 2 Reports were issued with reference to the AICPA Audit Standard SSAE No. 18, AT-C sections 105 and 205 as well as the TSP section 100 (2007 edition), and pertains to the adequacy of the design of the security, availability and confidentiality related controls.

The AICPA published its latest 2017 edition of the Trust Services Criteria in April 2017, and clarified that during the transition period (between 15 April 2017 and 15 December 2018), service providers may at their sole discretion, abide by either the 2017 or the 2016 edition. As a leading cloud service provider, Tencent Cloud has already implemented the 2017 edition criteria in the course of its 2017 SOC Audit exercise, and is the first domestic cloud service provider to spearhead the adoption of the same.

The SOC series of Reports provides Tencent Cloud users with valuable information so as to assess and resolve risks associated with service providers.

  • SOC 1 Reports: Cloud users and independent auditors may make use of the SOC 1 Reports and together with the users’ custom controls evaluate the risk of material misstatements in the Financial Statements of Institutional Users.

  • SOC 2 Reports: Institutional Cloud Users, independent auditors, regulatory authorities, shareholders and other stakeholders may assess the internal controls (covers security, availability, integrity of the whole process, confidentiality and privacy) of the cloud service provider, based on the said reports.