One of the Trust Services Criteria that organizations sometimes struggle with in SOC 2 examinations is common criteria (CC) 9.2, The entity assesses and manages risks associated with vendors and business partners. Related to CC9.2 is description criteria (DC) #6, which requires that the system description disclose “controls that the subservice […]
Background
In September 2020, the AICPA Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 21, Direct Examination Engagements. SSAE No. 21 is applicable to SOC 2 audits; however, the changes brought about by SSAE No. 21 consist primarily of new terminology and the clarification of certain concepts. […]
Due to rapid technological advancement, the production, manufacture, or distribution of products often involves a high level of interdependence and connectivity between an entity and (a) organizations that supply raw materials or components for the manufacturing process (suppliers) and (b) the entity’s customers and business partners. These relationships are often considered part […]
Complementary User Entity Controls (CUECs) are an important component of SOC 2 reporting and are required to be disclosed in the description of the service organization’s system. The AICPA defines CUECs as follows: “CUECs are those controls that service organization management assumed, in the design of the system, would be implemented […]
Many companies that receive SOC 1 reports use “subservice organizations” as part of their service offering. The AICPA defines a subservice organization as: “A service organization used by another service organization to perform some or all of the services provided to user entities that are likely to be relevant to those […]
It is not unusual for an organization that is engaged in its first SOC 2 audit to receive a qualified (i.e., modified) opinion from its SOC auditor as it pursues the path toward a more robust and mature set of controls. It is also common for organizations that are in the […]
A bridge letter, also referred to as a gap letter, can be used to bridge the “gap” between the service organization’s SOC report date and the user entity’s year-end (i.e., calendar or fiscal year-end). Bridge letters are used for both SOC 1 and SOC 2 reports. SOC reports typically cover a period […]
There are several factors that should be considered when determining whether a company’s internal audit function can be leveraged during a SOC 1 or SOC 2 audit:
- the nature of the internal audit activities
- the extent to which the internal audit function’s organizational status and relevant policies and procedures support the […]
Many organizations have a difficult time distinguishing between “vendors” and “subservice organizations” for purposes of their SOC 1 and SOC 2 reports. This is partially because the differentiation / classification of vendors and subservice organizations has no bearing whatsoever on the day-to-day operations of a service provider / organization receiving […]
One of the unique aspects of SOC 2 reports is that organizations have a great deal of flexibility in determining the scope of their report. This blog post covers a few common scoping considerations that companies face.
Service Provided
The services included within the scope of a SOC 2 report are […]