Many organizations have a difficult time distinguishing between “vendors” and “subservice organizations” for purposes of their SOC 1 and SOC 2 reports. This is partially because the differentiation / classification of vendors and subservice organizations has no bearing whatsoever on day to day operations of a service provider / organization receiving […]
One of the unique aspects of SOC 2 reports is that organizations have a great deal of flexibility in determining the scope of their report. This blog post covers a few common scoping considerations that companies face. Service Provided The services included within the scope of a SOC 2 report are […]
A company’s first SOC audit generally follows a standard lifecycle (and this applies to both SOC 1 and SOC 2): First your auditor performs a readiness assessment (also called a gap assessment) to help you prepare for your first SOC audit and identify control weaknesses that need to be addressed in […]
If a company has experienced a security incident, it may be necessary to disclose certain information about the incident in their SOC 2 report. However, just like many other areas of the SOC 2 reporting standards, a great deal of judgment is needed to determine if disclosure is required. According to […]
If your organization is subject to a SOC 1 or SOC 2 audit, then you are likely familiar with the vendor management requirements under both reporting frameworks. The American Institute of Certified Public Accountants’ (AICPA) reporting standards for SOC 1 (Section AT-C 320 of SSAE #18) states that: “Management’s description […]
Control Self Assessments (CSAs) are a key control that we consistently recommend to our SOC and other audit clients. The purpose of this blog post is to elaborate on CSAs and provide a practical and effective approach to performing them. CSAs can take many different forms and can range from very […]
Background The 2020 audit cycle for organizations that receive SOC reports is going to include new challenges related to COVID-19. Remote workforces are now the norm throughout the world and there are many new risks associated with this. For example, the use of insecure personal computers (or those already infected with […]
As outsourcing services becomes a more integral component of business operations across many industries, the need for SOC reporting grows. Data protection is of paramount importance in today’s connected landscape, especially when it comes to safeguarding financial statements and other sensitive information. However, the key to understanding and maintaining compliance is […]
As businesses increasingly outsource core functions to service organizations, managers at service organizations are more likely to receive requests for a SOC audit to examine their internal control environment. Choosing between a SOC 1, SOC 2, and SOC 3 report can be a little confusing but understanding the differences between these […]
When a company outsources elements of their operations to a third-party vendor, they take on some level of inherent risk. However, strategic managers want to know exactly how much risk their organization is about to incur. SOC reports exist as a way to differentiate service providers from their competitors by clearly […]