One of the more challenging parts of completing a SOC 1 or SOC 2 audit is distinguishing between a vendor and a subservice organization. In this blog post, we expand on our earlier blog post (https://kfinancial.com/how-to-identify-subservice-organizations-in-soc-1-and-soc-2-reports/) on subservice organizations to cover a specific type of vendor: managed detection and response (MDR) vendors. Many organizations […]
Introduction System and Organization Controls (SOC) audits have become a critical standard for service organizations seeking to demonstrate their commitment to security, confidentiality, and operational excellence. As businesses increasingly rely on third-party vendors, SOC reports—especially SOC 1, SOC 2, and SOC 3—provide assurance to clients and stakeholders regarding the effectiveness of […]
Staff augmentation is an outsourcing strategy where a company hires external professionals to supplement its existing workforce for specific projects or to meet temporary needs, rather than hiring full-time employees. This approach allows businesses to quickly scale their teams, access specialized skills, and maintain flexibility to handle fluctuating workloads without the long-term commitment […]
Some service organizations struggle with determining the types of information to include in the system description of their SOC 1 report. A useful resource for ensuring that the system description includes all of the required components is AT-C Section 320: Reporting on an Examination of Controls at a Service Organization Relevant […]
Overview In today’s environment, firewalls are an important and necessary control for organizations that are subject to SOC 1 and SOC 2 audits. In the case of SOC 1 reports, firewalls generally address network security control objectives. And in SOC 2 reports, they address CC6.6: The entity implements logical access security […]
In SOC 1 and SOC 2 audits, one of management’s primary responsibilities is to update their system description (often referred to as Section 3 of the SOC report) from the previous year. In the case of a first-year SOC audit, management will be preparing the initial draft rather than updating […]
An agreed-upon procedures (AUP) engagement is an attestation engagement where a CPA or CPA firm performs specific procedures on the subject matter and issues a report of findings. The subject matter can be financial or nonfinancial. The practitioner and the client agree on the procedures to be performed. The authoritative guidance that […]
In general, organizations that receive SOC 1 or SOC 2 reports must demonstrate that they have a vendor management program and associated controls in place to address the risks associated with vendors and business partners. One of the common questions that arises during SOC audits is how to identify the “critical” […]
Companies often align their controls with specific processes or frameworks such as the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST). When this occurs and the company receives a SOC 2 report, the service auditor should consider if: The process or framework used is required […]
Generally, SOC 1 and SOC 2 reports include a description of complementary subservice organization controls (CSOCs) and complementary user entity controls (CUECs), which are defined as follows in the AICPA SOC 2 Audit Guide: CSOCs Controls that service organization management assumed, in the design of the service organization’s system, would be implemented […]