CSOCs and CUECs in a SOC Report

Generally, SOC 1 and SOC 2 reports include a description of complementary subservice organization controls (CSOCs) and complementary user entity controls (CUECs), which are defined as follows in the AICPA SOC 2 Audit Guide: CSOCs: Controls that service organization management assumed, in the design of the service organization’s system, would be implemented […]

Scope Limitations in a SOC Report

The AICPA defines a scope limitation as “An inability to obtain sufficient appropriate evidence.” In a SOC 1 or SOC 2 examination, a scope limitation may occur for the following reasons: Circumstances beyond the control of management. For example, documents that the service auditor considers necessary to inspect were in the […]

SOC 2 Pro Tip – Addressing the Use of Production Data in Non-Production Environments

In a SOC 2 report that includes the confidentiality Trust Services Category, some companies and their auditors struggle with the following point of focus under the change management criteria CC8.1: “Protects Confidential Information – The entity protects confidential information during system design, development, testing, implementation and change processes to support the […]

SOC 2 Audit Insights – Patch Management

An effective patch management process is a critical component of a cybersecurity strategy and is also essential to a successful SOC 2 audit. Patching is relevant to several of the Trust Services Criteria (TSC) in a SOC 2 report, but is considered most applicable to the change management requirements under CC8.1. When […]

What is a SOC 3 Examination?

A service organization may wish to provide prospective customers (user entities) with information regarding the effectiveness of controls over its system. However, the prospective customers may not have signed a nondisclosure agreement required by the service organization to access the system description in the SOC 2 report. In other situations, prospective […]

SOC 2 Reporting Updates

SOC 2 Updates

Two key resources for SOC 2 reporting were updated during 2022: Revised Implementation Guidance was added to DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report. DC 200 includes the categories of information that must be addressed in an organization’s system description […]