Complementary User Entity Controls (CUECs) are an important component of SOC 2 reporting and are required to be disclosed in the description of the service organization’s system. The AICPA defines CUECs as follows: “CUECs are those controls that service organization management assumed, in the design of the system, would be implemented […]
Many companies that receive SOC 1 reports use “subservice organizations” as part of their service offering. The AICPA defines a subservice organization as: “A service organization used by another service organization to perform some or all of the services provided to user entities that are likely to be relevant to those […]
It is not unusual for an organization that is engaged in its first SOC 2 audit to receive a qualified (i.e. modified) opinion from its SOC auditor as it pursues the path toward a more robust and mature set of controls. It is also common for organizations that are in the […]
A bridge letter, also referred to as a gap letter, can be used to bridge the “gap” between the service organization’s SOC report date and the user entity’s year-end (i.e., calendar or fiscal year-end). Bridge letters are used for both SOC 1 and SOC 2 reports. SOC reports typically cover a period […]
For the first time since the start of Covid-19 in 2020, the Kfi team was able to return to the Urban Peak shelter in Denver to serve breakfast to youth experiencing homelessness. Just like the good old days, we brought 80 breakfast burritos, fruit, granola bars, trail mix, chocolate milk, juice […]
There are several factors that should be considered when determining whether a company’s internal audit function can be leveraged during a SOC 1 or SOC 2 audit: the nature of the internal audit activities; the extent to which the internal audit function’s organizational status and relevant policies and procedures support the […]
Many organizations have a difficult time distinguishing between “vendors” and “subservice organizations” for purposes of their SOC 1 and SOC 2 reports. This is partially because the differentiation / classification of vendors and subservice organizations has no bearing whatsoever on day-to-day operations of a service provider / organization receiving […]
One of the most common errors found during an audit of a 401(k) or employee benefit plan is the failure to timely remit employee contributions to the retirement plan. Management of the 401(k) or employee benefit plan needs to be mindful of the Department of Labor’s (DOL) rules for remittance of […]
Kfi Foundation and There With Care: The Kfi Team delivered groceries today to a family with a child who has terminal brain cancer. After picking up the groceries at There With Care, the Kfi Foundation threw in a few extra goodies to add to our delivery to hopefully make life a […]
If you previously had a DOL limited-scope audit performed on your 401(k) or employee benefit plan, you should be expecting some changes to your 2021 plan year audit. The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issued a new Statement on Auditing Standards for auditors who […]