Due to rapid technological advancement, the production, manufacture, or distribution of products often involves a high level of interdependence and connectivity between an entity and (a) organizations that supply raw materials or components for the manufacturing process (suppliers) and (b) the entity’s customers and business partners. These relationships are often considered part […]
Complementary User Entity Controls (CUECs) are an important component of SOC 2 reporting and are required to be disclosed in the description of the service organization’s system. The AICPA defines CUECs as follows: “CUECs are those controls that service organization management assumed, in the design of the system, would be implemented […]
Many companies that receive SOC 1 reports use “subservice organizations” as part of their service offering. The AICPA defines a subservice organization as: “A service organization used by another service organization to perform some or all of the services provided to user entities that are likely to be relevant to those […]
It is not unusual for an organization that is engaged in its first SOC 2 audit to receive a qualified (i.e., modified) opinion from its SOC auditor as it pursues the path toward a more robust and mature set of controls. It is also common for organizations that are in the […]
A bridge letter, also referred to as a gap letter, can be used to bridge the “gap” between the service organization’s SOC report date and the user entity’s year-end (i.e., calendar or fiscal year-end). Bridge letters are used for both SOC 1 and SOC 2 reports. SOC reports typically cover a period […]
For the first time since the start of Covid-19 in 2020, the Kfi team was able to return to the Urban Peak shelter in Denver to serve breakfast to youth experiencing homelessness. Just like the good old days, we brought 80 breakfast burritos, fruit, granola bars, trail mix, chocolate milk, juice […]
There are several factors that should be considered when determining whether a company’s internal audit function can be leveraged during a SOC 1 or SOC 2 audit: the nature of the internal audit activities; the extent to which the internal audit function’s organizational status and relevant policies and procedures support the […]
Many organizations have a difficult time distinguishing between “vendors” and “subservice organizations” for purposes of their SOC 1 and SOC 2 reports. This is partially because the differentiation / classification of vendors and subservice organizations has no bearing whatsoever on day-to-day operations of a service provider / organization receiving […]
One of the most common errors found during an audit of a 401(k) or employee benefit plan is the failure to timely remit employee contributions to the retirement plan. Management of the 401(k) or employee benefit plan needs to be mindful of the Department of Labor’s (DOL) rules for remittance of […]
Kfi Foundation and There With Care: The Kfi Team delivered groceries today to a family with a child who has terminal brain cancer. After picking up the groceries at There With Care, the Kfi Foundation threw in a few extra goodies to add to our delivery to hopefully make life a […]