In general, organizations that receive SOC 1 or SOC 2 reports must demonstrate that they have a vendor management program and associated controls in place to address the risks associated with vendors and business partners. One of the common questions that arises during SOC audits is how to identify the “critical” […]
Companies often align their controls with specific processes or frameworks such as the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST). When this occurs and the company receives a SOC 2 report, the service auditor should consider if: The process or framework used is required […]
Generally, SOC 1 and SOC 2 reports include a description of complementary subservice organization controls (CSOCs) and complementary user entity controls (CUECs), which are defined as follows in the AICPA SOC 2 Audit Guide: CSOCs: Controls that service organization management assumed, in the design of the service organization’s system, would be implemented […]
The AICPA defines a scope limitation as “An inability to obtain sufficient appropriate evidence.” In a SOC 1 or SOC 2 examination, a scope limitation may occur for the following reasons: Circumstances beyond the control of management. For example, documents that the service auditor considers necessary to inspect were in the […]
Multiple service offerings: Most Type 2 SOC reports include a single service offering that was operational during the entire period covered by the report. In some instances, however, a Type 2 SOC report may include multiple service offerings. For these SOC reports, it is necessary that each of the services be […]
In a SOC 2 report that includes the confidentiality Trust Services Category, some companies and their auditors struggle with the following point of focus under the change management criteria CC8.1: “Protects Confidential Information – The entity protects confidential information during system design, development, testing, implementation and change processes to support the […]
In a SOC 1 or SOC 2 report, organizations may wish to communicate to report users information that is beyond the scope of the engagement. Such information may be prepared by the service organization’s management or by another party. For example, an organization may want to include other information, such as […]
One of the most common exceptions in SOC 2 reports involves the failure to remediate critical and high vulnerabilities in a timely manner. The purpose of this paper is to evaluate the importance of vulnerability management and why it is critical to addressing Common Criteria (CC) 7.1 in a SOC 2 […]
An effective patch management process is a critical component of cybersecurity strategy and is also essential to a successful SOC 2 audit. Patching is relevant to several of the Trust Services Criteria (TSC) in a SOC 2 report, but is considered most applicable to the change management requirements under CC8.1. When […]
Two key resources for SOC 2 reporting were updated during 2022: Revised Implementation Guidance was added to DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report. DC 200 includes the categories of information that must be addressed in an organization’s system description […]