Overview In today’s environment, firewalls are an important and necessary control for organizations that are subject to SOC 1 and SOC 2 audits. In the case of SOC 1 reports, firewalls generally address network security control objectives. And in SOC 2 reports, they address CC6.6: The entity implements logical access security […]
Section 103(a)(3)(C) of the Employee Retirement Income and Security Act (ERISA) allows employee benefit plan and 401(k) plan administrators to elect to instruct the employee benefit plan or 401(k) plan auditor not to perform any additional procedures with respect to the investment information prepared and certified by a bank or similar […]
In SOC 1 and SOC 2 audits, one of management’s primary responsibilities is to update their system description (often referred to as Section 3 of the SOC report) from the previous year. In the case of a first year SOC audit, management will be preparing the initial draft rather than updating […]
An agreed-upon procedures (AUP) engagement is an attestation engagement where a CPA or CPA firm performs specific procedures on the subject matter and issues a report of findings. The subject matter can be financial or nonfinancial. The practitioner and the client agree on the procedures to be performed. The authoritative guidance that […]
Whether your 401(k) or employee benefit plan recently hit the audit requirement or you are looking for a new 401(k) or employee benefit plan auditor, there many resources to consider and steps to take in order to ensure that your 401(k) or employee benefit plan audit is completed efficiently and in […]
In general, organizations that receive SOC 1 or SOC 2 reports must demonstrate that they have a vendor management program and associated controls in place to address the risks associated with vendors and business partners. One of the common questions that arises during SOC audits is how to identify the “critical” […]
There are several resources that CPA firms can use to develop their sampling methodology for SOC 1 and SOC 2 audits. These included: The AICPA’s SOC 1 and 2 Audit Guides The AICPA’s Audit Sampling Guide AU-C Section 530: Audit Sampling It is important to note that the AICPA does not […]
A popular belief for many years was that Linux systems did not require anti-virus or anti-malware. Although Linux is perceived to be more secure than other desktop operating systems, there are still malware and viruses that can affect Linux computers. In fact, the amount of Linux malware has been steadily growing […]
Background The ERISA Section 103(a)(3)(C) Audit is one of the more common types of audits performed over a 401(k) or employee benefit plan. As part of the audit, management of the 401(k) or employee benefit plan must determine if the ERISA Section 103(a)(3)(C) audit is permissible by obtaining and inspecting a […]
Companies often align their controls with specific processes or frameworks such as the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST). When this occurs and the company receives a SOC 2 report, the service auditor should consider if: The process or framework used is required […]