One of the most common exceptions in SOC 2 reports involves the failure to remediate critical and high vulnerabilities in a timely manner. The purpose of this paper is to evaluate the importance of vulnerability management and why it is critical to addressing Common Criteria (CC) 7.1 in a SOC 2 […]
The Setting Every Community Up for Retirement Enhancement (SECURE) Act was introduced in 2019 and has already had a direct impact on 401(k) and employee benefit plans. SECURE Act Version 2.0 (the Act) builds on the original legislation and became effective for 401(k) and employee benefit plans on January 1, 2023. […]
An effective patch management process is a critical component of cybersecurity strategy and is also essential to a successful SOC 2 audit. Patching is relevant to several of the Trust Services Criteria (TSC) in a SOC 2 report, but is considered most applicable to the change management requirements under CC8.1. When […]
A service organization may wish to provide prospective customers (user entities) with information regarding the effectiveness of controls over its system. However, the prospective customers may not have signed a nondisclosure agreement required by the service organization to access the system description in the SOC 2 report. In other situations, prospective […]
Two key resources for SOC 2 reporting were updated during 2022: Revised Implementation Guidance was added to DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report. DC 200 includes the categories of information that must be addressed in an organization’s system description […]
DOL Cybersecurity Guidance for 401(k) and Employee Benefit Plans
The U.S. Department of Labor recently announced new guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants on best practices for maintaining cybersecurity for 401(k) and employee benefit plans. The guidance is directed at plan sponsors and fiduciaries regulated by […]
One of the Trust Services Criteria that organizations sometimes struggle with in SOC 2 examinations is common criteria (CC) 9.2, “The entity assesses and manages risks associated with vendors and business partners.” Related to CC9.2 is description criteria (DC) #6, which requires that the system description disclose “controls that the subservice […]
Background
In September 2020, the AICPA Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 21, Direct Examination Engagements. SSAE No. 21 is applicable to SOC 2 audits; however, the changes brought about by SSAE No. 21 consist primarily of new terminology and the clarification of certain concepts. […]
Due to rapid technological advancement, the production, manufacture, or distribution of products often involves a high level of interdependence and connectivity between an entity and (a) organizations that supply raw materials or components for the manufacturing process (suppliers) and (b) the entity’s customers and business partners. These relationships are often considered part […]
Complementary User Entity Controls (CUECs) are an important component of SOC 2 reporting and are required to be disclosed in the description of the service organization’s system. The AICPA defines CUECs as follows: “CUECs are those controls that service organization management assumed, in the design of the system, would be implemented […]