SOC 2 Reporting Updates

SOC 2 Updates

Two key resources for SOC 2 reporting were updated during 2022: Revised Implementation Guidance was added to DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report. DC 200 includes the categories of information that must be addressed in an organization’s system description […]

DOL Cybersecurity Guidance

DOL Cybersecurity Guidance for 401(k) and Employee Benefit Plans

The U.S. Department of Labor recently announced new guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants on best practices for maintaining cybersecurity for 401(k) and employee benefit plans. The guidance is directed at plan sponsors and fiduciaries regulated by […]

The Impact of SSAE No. 21 on SOC 2 Audits

Background

In September 2020, the AICPA Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 21, Direct Examination Engagements. SSAE No. 21 is applicable to SOC 2 audits; however, the changes brought about by SSAE No. 21 consist primarily of new terminology and the clarification of certain concepts. […]

SOC for Supply Chain

Due to rapid technological advancement, the production, manufacture, or distribution of products often involves a high level of interdependence and connectivity between an entity and (a) organizations that supply raw materials or components for the manufacturing process (suppliers) and (b) the entity’s customers and business partners. These relationships are often considered part […]

Bridge Letters for SOC Audits

A bridge letter, also referred to as a gap letter, can be used to bridge the “gap” between the service organization’s SOC report date and the user entity’s year-end (i.e., calendar or fiscal year-end). Bridge letters are used for both SOC 1 and SOC 2 reports. SOC reports typically cover a period […]