One of the more challenging parts of completing a SOC 1 or SOC 2 audit is distinguishing between a vendor and a subservice organization. In this blog post, we expand on blog post (https://kfinancial.com/how-to-identify-subservice-organizations-in-soc-1-and-soc-2-reports/) over subservice organizations to cover a specific type of vendor: managed detection and response (MDR) vendors. Many organizations […]
Introduction System and Organization Controls (SOC) audits have become a critical standard for service organizations seeking to demonstrate their commitment to security, confidentiality, and operational excellence. As businesses increasingly rely on third-party vendors, SOC reports—especially SOC 1, SOC 2, and SOC 3—provide assurance to clients and stakeholders regarding the effectiveness of […]
Staff augmentation is an outsourcing strategy where a company hires external professionals to supplement its existing workforce for specific projects or to meet temporary needs, rather than hiring full-time employees. This approach allows businesses to quickly scale their teams, access specialized skills, and maintain flexibility to handle fluctuating workloads without the long-term commitment […]
The intention of this blog post is to provide Plan sponsors with useful tips and documentation considerations to ensure a plan transfer of assets is successful in meeting the Employee Retirement Income Security Act of 1974 (ERISA), Department of Labor (DOL), and American Institute of Certified Public Accountants (AICPA) requirements and […]
Some service organizations struggle with determining the types of information to include in the system description of their SOC 1 report. A useful resource for ensuring that the system description includes all of the required components is AT-C Section 320: Reporting on an Examination of Controls at a Service Organization Relevant […]
Overview In today’s environment, firewalls are an important and necessary control for organizations that are subject to SOC 1 and SOC 2 audits. In the case of SOC 1 reports, firewalls generally address network security control objectives. And in SOC 2 reports, they address CC6.6: The entity implements logical access security […]
Section 103(a)(3)(C) of the Employee Retirement Income and Security Act (ERISA) allows employee benefit plan and 401(k) plan administrators to elect to instruct the employee benefit plan or 401(k) plan auditor not to perform any additional procedures with respect to the investment information prepared and certified by a bank or similar […]
In SOC 1 and SOC 2 audits, one of management’s primary responsibilities is to update their system description (often referred to as Section 3 of the SOC report) from the previous year. In the case of a first year SOC audit, management will be preparing the initial draft rather than updating […]
An agreed-upon procedures (AUP) engagement is an attestation engagement where a CPA or CPA firm performs specific procedures on the subject matter and issues a report of findings. The subject matter can be financial or nonfinancial. The practitioner and the client agree on the procedures to be performed. The authoritative guidance that […]
Whether your 401(k) or employee benefit plan recently hit the audit requirement or you are looking for a new 401(k) or employee benefit plan auditor, there many resources to consider and steps to take in order to ensure that your 401(k) or employee benefit plan audit is completed efficiently and in […]