CSOCs and CUECs in a SOC Report

Generally, SOC 1 and SOC 2 reports include a description of complementary subservice organization controls (CSOCs) and complementary user entity controls (CUECs), which are defined as follows in the AICPA SOC 2 Audit Guide: CSOCs Controls that service organization management assumed, in the design of the service organization’s system, would be implemented […]

Scope Limitations in a SOC Report

The AICPA defines a scope limitation as “An inability to obtain sufficient appropriate evidence.” In a SOC 1 or SOC 2 examination, a scope limitation may occur for the following reasons: Circumstances beyond the control of management. For example, documents that the service auditor considers necessary to inspect were in the […]

SOC 2 Pro Tip – Addressing the Use of Production Data in Non-Production Environments

In a SOC 2 report that includes the confidentiality Trust Services Category, some companies and their auditors struggle with the following point of focus under the change management criteria CC8.1: “Protects Confidential Information – The entity protects confidential information during system design, development, testing, implementation and change processes to support the […]

SOC 2 Audit Insights – Patch Management

An effective patch management process is a critical component of cybersecurity strategy and is also essential to a successful SOC 2 audit.  Patching is relevant to several of the Trust Services Criteria (TSC) in a SOC 2 report, but is considered most applicable to the change management requirements under CC8.1.  When […]