Scope Limitations in a SOC Report

The AICPA defines a scope limitation as “An inability to obtain sufficient appropriate evidence.” In a SOC 1 or SOC 2 examination, a scope limitation may occur for the following reasons: Circumstances beyond the control of management. For example, documents that the service auditor considers necessary to inspect were in the […]

SOC 2 Pro Tip – Addressing the Use of Production Data in Non-Production Environments

In a SOC 2 report that includes the confidentiality Trust Services Category, some companies and their auditors struggle with the following point of focus under the change management criteria CC8.1: “Protects Confidential Information – The entity protects confidential information during system design, development, testing, implementation and change processes to support the […]

SOC 2 Audit Insights – Patch Management

An effective patch management process is a critical component of cybersecurity strategy and is also essential to a successful SOC 2 audit. Patching is relevant to several of the Trust Services Criteria (TSC) in a SOC 2 report, but is considered most applicable to the change management requirements under CC8.1. When […]

What is a SOC 3 Examination?

A service organization may wish to provide prospective customers (user entities) with information regarding the effectiveness of controls over its system. However, the prospective customers may not have signed a nondisclosure agreement required by the service organization to access the system description in the SOC 2 report. In other situations, prospective […]

SOC 2 Reporting Updates

SOC 2 Updates

Two key resources for SOC 2 reporting were updated during 2022: Revised Implementation Guidance was added to DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report. DC 200 includes the categories of information that must be addressed in an organization’s system description […]

DOL Cybersecurity Guidance

DOL Cybersecurity Guidance for 401(k) and Employee Benefit Plans

The U.S. Department of Labor recently announced new guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants on best practices for maintaining cybersecurity for 401(k) and employee benefit plans. The guidance is directed at plan sponsors and fiduciaries regulated by […]