Latest Blogs

How regular you are required to perform a SOC 2 Audit

How regular you are required to perform a SOC 2 Audit

Typically speaking, (and whereas there's no onerous and quick rule), SOC two reports needed annually from service organizations as validation that their controls are designed and operating effectively. The once a year rule has been the agreement in this if you conduct your initial SOC two audit in year one, then or so twelve months later, a service organization ought to give one more report on the operative effectiveness of their controls. It’s a yearly method, as a result of meant users of a SOC two report (i.e., clients, prospects, etc.) can wish to achieve assurances of a service organization’s management atmosphere on a yearly basis – at a minimum.

Things to understand regarding SOC 2 Reports

Initiate with a Scoping & Readiness Assessment. It’s basically necessary to perform associate direct scoping exercise for decisive project scope, gaps that require to be corrected, thirdparties that reaching to be enclosed within the audit, and far additional.

Remediating deficiencies in policies and procedures, security tools and solutions and remediating deficiencies in terms of operational problems. Together, these 3 areas will take time – absolute confidence regarding it

Documentation is critically necessary. After we talk about documentation, we’re talking regarding policies and procedures that require to be in situ. Suppose access management, information backup, incident response, modification management, and far additional. Does one have policies and procedures in situ for these areas – if not – you’ll have to be compelled to begin documenting them, and now.

Here's a short-list of knowledge security policies and procedures you’ll would like for changing into – and staying – SOC two compliant:

     1. Access management policies and procedures

     2. Data retention and disposal policies and procedures

     3 . Incident response policies and procedures

     4. Change management policies and procedures

     5.  Contingency designing

     6.   Wireless Access

      7.  Usage policies

Security Tools and Solutions can have to be compelled to be no inheritable. The AICPA SOC framework is changing into additional technical of late that means that variety of security tools and solutions needed for SOC two compliance. Suppose File Integrity watching (FIM), Two-Factor Authentication (2FA), Vulnerability scanning, information Loss hindrance (DLP) and additional. This needs associate investment in each time and cash that several service organizations unaware of till they start the method.

Continuous watching of Controls is essential. There’s an idea known as “continuous monitoring” that’s in situ and it means that somebody must take possession of assessing one’s internal controls on an everyday basis. If not, once the auditors re-appear for the annual SOC two audits, management deficiencies might have arisen – one thing you are doing not wish.

It’s associate Annual method. Finished your initial SOC two audit – congratulations – however detain mind that as a service organization, you’ll be expected to endure associate annual SOC two compliance assessment

We believe, that the article what have enhance your understanding of the SOC audit performance. Please reach out us if you still have any queries or for any further information.


2021-04-07 21:18:02

SOC 2 for Startups

Security has been an all-time concern for the business organizations which has become more significant in rapidly changing technology world with increasing reliance on the cloud infrastructure. With growing security number of vulnerabilities, it is important to stay compliant and protect your organization from any security threats irrespective of the size of your organization.

One might think that it’s easy to obtain a SOC 2 report for a startup due to its small size, limited locations and limited number of applications. However, startups may miss on key things like elaborated policies & procedures, mature change management processes, addressing incidents in a timely manner which are important from a compliance perspective.

In this blog we will talk about why a SOC 2 compliance is important for small organizations like startups and how it can help them build a mature and robust control environment.

Following are key aspects to be taken care by a startup when planning for a SOC compliance

Starting with Scoping & SOC Readiness Assessment

The first step for a startup when planning for SOC 2 assessment is scoping & readiness assessment. This will help you obtain an end to end understanding of the SOC 2 auditing process and the intermediary phases. Following are the key points covered during a readiness assessment:

Brief overview of the AICPAs SSAE18 attestation standards and the SOC 2 framework

? Assessing the internal control, policies, procedures, and processes, and identify any gaps need that may need to be fixed before getting into an actual SOC 2 audit.

? Deciding the scope of audit including the business processes to be covered, people who will be involved, physical locations to be covered and any third-parties to include within the scope of the audit

? Preparing an engagement plan for the audit to ensure timely completion of SOC engagement

Correcting the Documentation

Startups tend to have less number of people performing a wide range of tasks, one often may find that people are more focused on business activities and may not have developed the standard set of policies and procedures (information security and operational policies). Below are some of the key policies to be taken care of:

? Logical and Physical access policies

? Application change management procedures

? Financial data backup policies and procedures

? Incident management policies and procedures

? Acceptable usage policies and procedures

Accorp also offers a service for developing your key policies and help you prepare for the SOC audit.

Fixing Security and Operational Areas

After you have your standard policies in place, it’s time to implement them and make sure that the IT systems are aligned with the standards documented in the policies. It’s important to devote time in remediating and putting in place the security and operational measures that have been found during the actual SOC 2 scoping & readiness assessment. Following are few the implementation measures to be considered:

? Reconfiguring the IT infrastructure

? Implementing two-factor authentication solutions

? Implementing vulnerability scanning and application monitoring tools

? Setting up data encryption and security solutions

? Conducting security awareness trainings

? Testing the incident response plan

Apart from the above mentioned, you can also consider implementing any other solutions that may be required to bridge the gaps identified during the readiness assessment.

Performing a demo

By this step, we have remediated any identified gaps in Step 1 with a SOC 2 scoping & readiness assessment. It’s now time to perform an official “dry run” before the actual audit starts. The best way is to follow the AICPA SOC 2 standards (SSAE18) and evaluate your internal controls and policies, procedures, and processes against the applicable Trust Services Criteria. Once you are confident enough, you are good to go ahead and get into an engagement with a CPA firm for performing the actual SOC 2 audit.

Expectations from the Audit

Generally auditors send out a standard list of deliverables for the audit. Many auditors refer to this as a PBC List (A “Prepared by Client” list of items). A fair number of these items will be asked to be provided to auditors prior to showing up onsite, just so they can get a better idea of your internal controls and relate processes.

Further, auditors look for the following types of evidences:

Policies and procedures: Having well-written information security and operational documentation is key to the success of your overall audit as mentioned earlier

Screenshots of system settings: Expect to provide screenshots of various system settings, such as server configuration, software versions etc

Proof of operational evidence: Auditors will request materials that can validate you have performed an annual risk assessment, performed security awareness training and tested your incident response plan

Interviews: Auditors will often spend a considerable amount of time interviewing personnel for finding out more about their roles, responsibilities, and related processes

Signed memos: Auditors will often ask you to document a control via a signed memo

Last but not the least, communication with your auditors is absolutely key to the success of your SOC 2 audit. Don’t make assumptions as the auditors are just doing their jobs. It’s important to be transparent with them at all times.


Since, majority of the software companies are making use of cloud solutions to store customer data. SOC 2 is one of the most important and sought after security compliances to go for. Getting SOC 2 certification for your company will not only increase credibility and trust, it will also produce security benefits that will help the organization to become mature.

Please contact us if you would like to know more about data security or need any help to perform a SOC/ GDPR certification for your organization.

Visit our website or visit to read more articles related to SOC reporting.




2021-01-20 05:33:55

SOC 2 vs. PCI DSS Compliance

In the er? ?f rising te?hn?l?gies ?nd in?re?sing de?enden?ies ?n netw?rk systems, ?n-line inf?rm?ti?n se?urity ??uld be ? m?ssive ??n?ern f?r ?ny individu?l/?rg?niz?ti?n, ??rti?ul?rly th?se wh? s?ur?e their key business ??er?ti?ns t? third-??rty sh???ers (su?h ?s S?ftw?re-?s-?-Servi?e ?l?ud-??m?uting ?r?viders). ?ny event ?f kn?wledge mish?ndling, ??rti?ul?rly the inf?rm?ti?n with ???li??ti?n ?nd netw?rk se?urity su??liers, will reve?l vulner?bilities resulting in inf?rm?ti?n thieving ?nd m?lw?re mis??ndu?t.

M?ny ?rg?niz?ti?ns ?re unsure ?n the distin?ti?n between ? S?? 2 (System ?nd ?rg?niz?ti?n ??ntr?l) re??rt ?nd ??I DSS (??yment ??rd business kn?wledge Se?urity St?nd?rd) ??m?li?n?e. H?wever, the tw? might h?ve ?verl???ing ?re?s ?f f??us, they're quite ??m?letely different. ? ??I DSS ??m?li?n?e is restri?ted t? businesses th?t settle f?r ??rd ??yments ?nd S?? 2 ??vers ? br??der v?ry ?f ?rg?niz?ti?ns th?t h?ld, st?re, ?nd/?r meth?d ?lient d?t?. Neither st?nd?rd is required by l?w, but n?n-??m?li?n?e with either ?ne h?s ??nsider?ble ??nsequen?es.

S?? 2 Re??rting

S?? 2 re??rts ?re ??m?rehensive reviews ?f y?ur ?rg?niz?ti?n’s d?t? se?urity ??ntr?ls, in line with the st?nd?rds determined by the ?meri??n Institute ?f ?ertified ?ubli? ????unt?nts (?I???). The trust servi?es ?riteri? ?f the S?? 2 ?re derived fr?m five Trust Servi?e ?riteri?:

Se?urity: Inf?rm?ti?n ?nd systems ?re ?r?te?ted ?g?inst un?uth?rized ???ess, un?uth?rized dis?l?sure ?f inf?rm?ti?n, ?nd d?m?ge t? systems th?t ??uld ??m?r?mise the ?v?il?bility, integrity, ??nfidenti?lity, ?nd ?riv??y ?f inf?rm?ti?n ?r systems ?nd ?ffe?t the entity’s ?bility t? meet its ?bje?tives.

Availability:- Inf?rm?ti?n ?nd systems ?re ?v?il?ble f?r ??er?ti?n ?nd use t? meet the entity’s ?bje?tives.

Processing integrity: System ?r??essing is ??m?lete, v?lid, ???ur?te, timely, ?nd ?uth?rized t? meet the entity’s ?bje?tives.

Confidentiality:Inf?rm?ti?n design?ted ?s ??nfidenti?l is ?r?te?ted t? meet the entity’s ?bje?tives.

Privacy: ?ers?n?l inf?rm?ti?n is ??lle?ted, used, ret?ined, dis?l?sed, ?nd dis??sed t? meet the entity’s ?bje?tives..

The TS? th?t must be in?luded in ? S?? 2 re??rt is Se?urity (?ls? kn?wn ?s the ??mm?n ?riteri?). ?ther TS?s (?v?il?bility, ??nfidenti?lity, ?r??essing Integrity, ?nd ?riv??y) ??n be in?luded ?t the dis?reti?n ?f m?n?gement ?t the servi?e ?rg?niz?ti?n de?ending ?n the ?riteri? ???li??ble t? the ?rg?niz?ti?n’s system ?nd servi?es. The servi?e ?udit?r ??n ?ls? ?ssist m?n?gement in determining wh?t ?riteri? ?re ???li??ble ?n?e the s???e ?f the ex?min?ti?n h?s been set.

Gener?lly, S?? 2 ex?min?ti?ns ?re ?erf?rmed by ? li?ensed ??? ?uditing firm with ex?erien?e in Inf?rm?ti?n Se?urity ?udits.

PCI DSS Certification

The ??yment ??rd Industry D?t? Se?urity St?nd?rd (??I DSS) is ? set ?f se?urity st?nd?rds est?blished j?intly by ?meri??n Ex?ress, VIS?, M?ster??rd, Dis??ver Fin?n?i?l Servi?es ?nd J?B Intern?ti?n?l. The ?ertifi??ti?n ?ims t? se?ure ?redit ?nd debit ??rd tr?ns??ti?ns ?g?inst ??ssible d?t? theft ?nd fr?ud. It hel?s ?r?te?t sensitive d?t?, ?nd ?ssist businesses in building ? trust rel?ti?nshi?s with ?ust?mers.

??I-??m?li?nt se?urity servi?es ?r?vide businesses d?t? se?urity st?nd?rds, ?nd en?bles ?ust?mers kn?w th?t their ?ers?n?l d?t? is ?r?te?ted. ? ??I ??m?li?n?e is kn?wn f?r ?ffering se?ure tr?ns??ti?ns t? its ?ust?mers.

??I ??m?li?n?e ??nsists ?f f?ur levels b?sed ?n the t?t?l number ?f ??rd su???rted tr?ns??ti?ns f?r business ?r??esses ?n ?n ?nnu?l b?sis. The ?l?ssifi??ti?n level determines wh?t ?n enter?rise needs t? d? t? rem?in ??m?li?nt.

Level 1 – ???lies t? mer?h?nts ?r??essing m?re th?n six milli?n re?l-w?rld ?redit ?r debit ??rd tr?ns??ti?ns ?er ye?r. They must underg? ?n intern?l ?udit ?n?e ? ye?r ?nd must ?erf?rm ? ??I s??n by ?n ???r?ved S??nning Vend?r ?n?e ? qu?rter.

Level 2 – ???lies t? mer?h?nts ?r??essing between ?ne ?nd six milli?n re?l-w?rld ?redit ?r debit ??rd tr?ns??ti?ns ?nnu?lly. They’re required t? ??m?lete ?n ?ssessment ?n?e ? ye?r using ? Self-?ssessment Questi?nn?ire. In ?dditi?n ? qu?rterly ??I s??n m?y be required.

Level 3 – ???lies t? mer?h?nts ?r??essing between 20,000 ?nd ?ne milli?n e-??mmer?e tr?ns??ti?ns ?er ye?r. ? ye?rly ?ssessment using the relev?nt S?Q must be ??m?leted, ?nd ? qu?rterly ??I s??n m?y ?ls? be required.

Level 4 – ???lies t? mer?h?nts ?r??essing fewer th?n 20,000 e-??mmer?e tr?ns??ti?ns ?nnu?lly, ?r th?se th?t ?r??ess u? t? ?ne milli?n re?l-w?rld tr?ns??ti?ns. ?n ?ssessment using the relev?nt S?Q must be ??m?leted ?nnu?lly, ?nd ? qu?rterly ??I s??n m?y be required.

In line with these compliance standards, PCI CSS has identified 12 additional requirements for cardholder data management and network security. Below is a brief overview:

1. Secure network - Firewall configuration must be installed and saved

2. Safe card holder information - Cardholder data stored should be protected

3. The transfer of cardholder information to social networks must be encrypted

4. Risk management

5. Antivirus software should be used and updated regularly

6. Secure programs and applications must be designed and maintained properly

7. Access control - Cardholder data access must be restricted and each user with access must be given a unique ID

8. Physical access to cardholder information should be restricted

9. Network monitoring and evaluation

10. Access to details of card holders and network equipment should be monitored and monitored

11. Security systems and procedures should be monitored regularly

12. Information security policy relating to data security must be adhered to

The key differences

In summary, SOC 2 and PCI DSS are two different levels that work for different types of organizations. The following are the main differences between the two certificates:

SOC 2 Report PCI DSS Compliance
SOC 2 reporting is performed in accordance with SSAE 18 standard issued by AICPA PCI DSS standard is administered by the PCI SSC
SOC audits are performed by licensed CPA firms PCI DSS assessments are performed by qualified security assessors.
Applicable to organizations that hold, store, and/or process customer data Applicable to organizations that accept, store, process, or transmit cardholder data
SOC 2 allows much more flexibility in adhering to its trust service principles. A company striving to meet SOC 2 compliance standards can tailor its business and security strategies to meet its specific needs. PCI DSS standard is more detailed about what a business must do to secure payment card transactions.



Please contact us if you would like to know more about data security or need any help to create an SOC / GDPR / certificate for your organization.

Visit our website or to read more articles related to SOC reporting.

2021-03-15 01:11:46

Difference between CSAE 3416 and AT-C Section 320

  • Sampling :

Sampling Requirements are not included in AT-C Section 320 only if requirements in AT –C Section 105 and 205 are sufficient. Requirements which are derived from Canadian Auditing Standard (CAS) 530, 13 are still included in paragraph 34 of CSAE 3416 as no specific requirement related to sampling is stated by CSAE 3416.       

  • Written representations:

Certain representations from the extant standards which are no longer      included in AT-C-section 320 and also not addressed by CSAE 3000 are retained by Paragraph 41 of CSAE 3416.       

  • Extant terminology differences:

When compared with AT-C Section 320, certain terminology differences are still included by CSAE 3416, consistent with those in extent CSAE 3416. For example, Management’s Statement replaced management assertion.       

  • Using the work of internal audit function:

All requirements who dealt with use of internal audit are removed by AT-C Section 320. The basis of which is that all requirement in AT-C Section 105 and 205 are sufficient. Several requirements of CSAE 3000 dealing with internal audit were previously included in extant CSAE 3416. Depending on the above, extant requirements dealing with the use of internal audit are retained by paragraphs 39-40 of CSAE 3416. 

  • Identified or suspected instances of non-compliance with laws and regulations:

The service auditor, aware of any identified incidents of non- compliance with laws and regulations to determine the effect on the engagement.14 is required by AT-C Section 320. An auditor who determines the effect of both suspected and identified instances of non-compliance is required by CAS 25015. A similar addition which dealt with written representations from management was made to paragraph 41(b)(i) of CSAE 3416.




2020-12-07 03:43:22

Taxability of Alimony in USA

  1. What is Alimony: - Alimony is payment made by a spouse to his/ her former spouse as per the clauses made under the “divorce or separation instrument”. Payments made to former spouse as per the written separation agreement subject to the State Laws will be treated as alimony whether or not the same are specifically mentioned in the divorce decree.

Divorce or separation instrument is defined as under: - 

  • A decree of divorce or separate maintenance or a written instrument incident to that decree.

  • A written separation agreement

  • A decree or any type of court order requiring a spouse to make payments for the support or maintenance for the other spouse. This includes a temporary decree, an interlocutory (not final) decree, and a decree of alimony pendente lite (while awaiting action on the final decree or agreement).


  1. Do all payments under divorce or separation agreement are Alimony?

NO, all payments done as per the divorce or separation agreement are not Alimony and following are the certain payments which are expressly excluded from the definition of Alimony by the Internal Revenue Service (IRS):



*1 Payment specifically designated or treated as specifically designated as child support in divorce or written separation agreement is not treated as Alimony. 

*2 Transfer of services or property (including a debt instrument of a third party or an annuity contract) & Execution of a debt instrument by the payer are not included in Alimony. 


Cash payments to third party on behalf of the formers spouse under the terms of divorce or separation agreement can be Alimony, if they otherwise qualify. These include medical expenses, housing cost (rent, utilities, etc.), taxes, tuition etc.


  1. Conditions to be fulfilled for consideration of the payment made to former spouse under the head of “Alimony”

The first and foremost requirement to qualify the payment as Alimony is that Payer and Recipient Spouse must not file Joint Return with each other. Following are the other rules for alimony apply to payments under divorce or separation instruments executed after 1984: -

  • Payments should be made in Cash (including checks or money orders). Cash payments made to third party under the terms of divorce can qualify as cash payments to the former spouse.

  • Payments made to former spouse is required to be paid under the divorce or written separation agreement. Voluntary payments will not qualify for Alimony.

  • Payments isn’t designated in the divorce or written separation agreement as “NOT Alimony”. Spouses have the option to include the provision in the instruments that the payments made to former spouse aren’t treated as Alimony.

  • Payments made to former spouse while you both are the members of the same household aren’t qualified for Alimony if you are legally separated under the instrument. If the spouses are legally separated under the divorce decree or written separation agreement, the payment made to former spouse may be qualify as Alimony even if you both are the members of the same household.

  • Spouse is not liable to continue the payments even after the death of the former spouse. If s/he is doing so, then such payments aren’t qualified as Alimony, even if any such amount is paid before the death of the former spouse. 

  • Payments made under the divorce agreement for the child support aren’t treated as Alimony.


  1. Taxability of Alimony 

Payments qualify for Alimony (if the above conditions are fulfilled), made under the divorce or written separation agreement executed before 1st January 2019, are deductible by payer and same is taxable in the hands of the recipient. Post 2018, that is instruments executed after 31st December 2018, alimony paid by the spouse isn’t deductible by payer nor the same is included in the gross income of the spouse who is receiving the payment. If the divorce or written separation agreement is executed before 2019 while the same is modified after 31st December 2018, and the modification changes the terms of the alimony or separate maintenance payments and it expressly states that the payments aren’t deductible by the payer, only then the Post 2018 Alimony rules are applied to that payments. 


Tax Treatment

For Payer Spouse

For Recipient Spouse

Original Agreement

- Executed before 1st January 2019



- Executed after 31st December 2018

Not Deductible

Not Taxable

Agreement Modified after 31st Dec’18 made before 1st Jan’19

-Terms of payments modified and expressly states that new rule applies

Not Deductible

Not Taxable

-Terms of payments modified but expressly doesn’t states that new rule applies




2020-11-23 23:39:29

Understanding a SOC Report

Understanding a SOC Report 

In current scenario of emerging technologies, most of the organizations outsource few aspects of their business to vendors which can either include performing a specific task or replacing an entire business function. Vendors can handle various functions like customer support, financial technology, data storage, software development etc. With all these advantages, organizations should also consider various inherent risks associated with outsourcing. 
To get a comfort on the vendor’s environment and internal controls, organizations usually ask them for a either SOC 1 or SOC report. However, on receiving a SOC 1 or SOC 2 report, most of the organizations do not know how to read it, what exactly a qualified opinion is and whether the risks you are looking to mitigate are addressed in the report. SOC 1 and SOC 2 reports are lengthy and complex, but play extremely important role in understanding the risks to your organization. In this article, we will touch upon some key components of SOC 1 and SOC 2 reports that will help you analyze the security of your vendors. 

Categories and Types of SOC Reports 

SOC reports are majorly of two categories i.e. SOC 1 & SOC 2 each of either Type I or Type II.  
The SOC 1 report attests the company’s financial reporting. IT is particularly important for a service organization that impacts the user entity’s financial reporting. Some examples of organizations which may require SOC 1 reports are: 

? Payroll processors

? Medical claims processors

? Data center companies

? Lending services

? Data centers

? Cloud service providers

? Human resources support services 

A SOC 2 report highlights the security and protection of customer data. A SOC 2 report follows a similar approach as SOC 1, but includes the controls over IT and systems processing confidential client data. SOC 2 audits focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. A SOC 2 audit is one of the best practice for any servicebased organizations that store, manage, or process client information in the cloud. The report is beneficial for any service organization processing or maintaining information that requires a controlled or secure system. 


Further, each of the above reports can be of following two types: 
Type I – A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date. 
Type II – A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. 

Structure of a SOC Report 

A SOC report broadly consists of following sections each having its own purpose and containing specific information about the client’s environment. 

Section 1: Independent service auditors’ report 

This section generally starts with ‘To the management’ and is signed by the service auditor /CPA. It is more of the service auditor oriented and contains following key aspects related to service organization: 

? Scope explaining the type of report, testing date/duration (Type I or Type II) , in scope locations and any omissions

? Responsibilities pertaining to both the service organization and the service auditor

? Inherent Limitations

? Service auditor’s opinion on the system description, design, and operating effectiveness to meet the control objectives ? Statement around the restricted user of the report and the intended users

Section 2: Management’s assertion regarding the effectiveness of its controls 

This section provides the reader the facts and assertions made by the service organization’s management related to the system(s) under audit

? It provides the contents that will be covered in the description, i.e. the types of services provided, the components of the system, how the system captures and processes significant events, any applicable trust services criteria, and etc., as well as make the statement that the controls described are suitably designed and are operating effectively

.  ? It also provides the signed Management Assertion letter accepting responsibility for the description provided

Section 3: Management’s description of its system and controls 

This section is the heart of the report and provides the details of the systems being reported on (written by management). Following are the key components of Section 3:

? Scope and purpose of the report explaining the type of report, testing date/duration (Type I or Type II) , in scope locations and any omissions

? Company overview and background and Overview of products and service which provides a brief introduction about the organization, it’s background and the products / services company offers

? Details related to company’s IT infrastructure including the network overview, servers, tools & softwares used and the data management

. ? Company’s organizational structure, policies & procedures, risk assessment, governance & oversight and details about the control environment. ? All the control descriptions with their functioning, subservice organizations, user entity controls, and other system information

? Inclusions in this section should be capable of being audited to meet the control objectives 

Section 4: Applicable trust services principles’ criteria and control activities 

This section depicts the test results and the overall effectiveness of the control objectives. For a type 1 report, you can only see the conclusion and for a type 2 report both the test procedures and the conclusions. It shows the following four columns of information: 

? Control objective (related to the applicable trust service principles/ controls over financial reporting)

? Controls in place at the service organization to meet the objectives

? Auditor's tests (explaining the test procedures performed)of the controls

? Overall results and conclusion of the tests 

Section 5: Other information provided

Lastly, we come to Section 5, which is other information not covered by the auditor’s report.  This section is available for any additional information that you would like to provide to the users of the SOC report concerning your services system. In this Section, management can discuss items such as a strategic plan or a business continuity plan, or any other items that they feel would be beneficial for the report users. All sections listed above apart from the Independent Service Auditors Report (Section 1), are the responsibility of management of the service organization. It is important to be as detailed as possible when creating your SOC report in order to explain the services system and the controls over that system in way that is helpful to the report users, and supportive in trying to arrive at a desired audit opinion. 
You can also visit below link to read AICPA articles related impact of COVID 19 on audit and assurance.  

2020-09-11 06:29:46

SOC Reporting and COVID 19

Brief Overview 

COVID-19, the most buzzed word these days, a virus that has not only impacted health of the humans but has also affected almost each and every industry in the world including organizations (user organization) relying on other companies (service organization) to provide their services. Companies have either shifted their staff to remote environments or laid off their workers. Organizations looking for a SOC (System and Organization Controls) report from their service organizations are in a dilemma whether they will be able to get a renewed report or not for the COVID year.  

SOC examinations are designed to test the information technology and business process control systems that a company has implemented to protect the security of its customer’s data (SOC 2), or ensure the accuracy and completeness of financial transaction processing and reporting (SOC 1). If your customers and the related stakeholders do not perform SOC reports on a timely basis, it could influence their business objectives. 
Further, the entities who issue SOC reports (i.e. independent third party audit firms) , are anxious on how to support the remote attestation of controls during this time where companies have a reduced headcount, decreased revenues, ceased operations due to government / mandatory requirements to continue operations. Remote assessment of risks and attestation either of internal controls over financial reporting (SOC 1) or AICPA’s trust service criteria (SOC2) without being physically present at the client location has become a big challenge. However, the business must go on so should the SOC reporting.  
In this article, we will be touching upon the considerations that should be taken care by service & user organizations as well the third party auditors during the pandemic scenario. 

Service Organizations 

? The company should examine any impact on functioning of controls caused by reduced number of employees and any SoD (segregation of duties) conflicts should be addressed using additional monitoring controls 

? The company employees accessing the regulated data should receive appropriate trainings on handling that data in a remote work environment. 

? The new user provisioning / user termination processes should operate effectively with sufficient authentication of remote users. 

? Supplementary guidance on remote work cyber security practices should be communicated to staff working from a remote location. 

? Security of applications enabled for remote work should be taken care along with the implementation of multi-factor authentication (MFA) which should be required for all critical systems.

? Service organizations should discuss the procedures around video conferencing to perform virtual walkthroughs with their service auditors. Most common procedures include physical security walkthroughs of buildings and data centers that ensure security measures and environmental protections are in place.  

User Organizations 

They as a receiver of the SOC 1 and/or SOC 2 reports, should have frequent communications with their vendors to discuss whether COVID-19 has impacted their operations and their SOC report. Following things should be considered as one reviews the SOC reports where evaluation period includes the timing of the pandemic. 

? The SOC report should be reviewed for any disclosures on changes to the system, operations or controls due to the impact of COVID-19. An assessment should be done to identify if any change impacts you and your reliance on the SOC report.

? The SOC report should also be reviewed for any exceptions and you can expect to have increased number of exceptions within your service organizations due to the pandemic. These exceptions and their corresponding impacts should also be evaluated. 

? The complementary user entity considerations should be reviewed. Analysis should be done if the service provider has included any additional items due to any changes in the controls or system description.

Assessors / Auditors 

Following key aspects should be considered by the auditor while performing a third party assessment remotely. 

? Risk associated with key personnel should be evaluated and the organization should have adequate personnel available to support critical business and IT functions. 

? Changes related to the organizational structure should be assessed and their possible impact on segregation of duties should be analyzed. 

? Organization’s Disaster Recovery and Business Continuity Plans should be evaluated and appropriate changes should be suggested as required in a pandemic situation. 

? Keeping in consideration the travel restrictions, Distance Audit methods such as video conferencing should be used to perform virtual walkthroughs like physical security walkthroughs of buildings and data centers to ensure security measures and environmental protection methods are adopted. 

? Video conferencing can also be used to communicate with client personnel and gain an understanding of client’s systems for a new engagement, or test the effectiveness of controls for on-going engagements.

? For the controls not operating during the testing period due to pandemic situation, auditors should simply add an additional rationale in the report explaining the reason. However, the overall report opinion is not modified.

? The critical functions such as review of risk assessments, reviewing policies, periodic user access reviews, or ticketing for timely removal of terminated user access should continue to operate uninterruptedly and should be tested as usual. For exceptional cases, an annual control can be rescheduled to occur in future months, as long as it is still within your SOC examination period. In other instances, those activities may can be performed virtually.  

You can also visit below link to read AICPA articles related impact of COVID 19 on audit and assurance. 

Please reach out to us in case you would like to discuss more on this topic or if you have any queries related to SOC reporting.  

2020-09-11 06:30:43

The US and UK attestation standards SSAE and ISAE

Usually, when you look out to get an independent controls attestation for your organization by a third party service auditor, you may come across many ways of getting that done. You can either get a SOC 1 or SOC2 audit done (Type I or Type II) based on your requirements and choose your attestation standards for the report i.e. either ISAE the UK standard, No. 3402 being the latest one or the SSAE (the US standard, No. 18 being the latest). In this article, we will touch upon both the standards, their managing authorities and the key differences which will help you understand what exactly they are and identify the best one for yourself.

ISAE stands for International Standards on Attestation Engagements (the UK standard) which is managed by IAASB (International Auditing & Assurance Standards Board) which in turn reports to IFAC (International Federation of accountants).

SSAE stands for Statement on Standards of Attestation Engagements (the US standard) and is managed by AICPA (American Institute of Certified Public Accountants) which reports to FASB (Financial Accounting Standards Board).

Principally both the standards are designed to achieve the same objective in terms of reporting the establishment of effectively designed controls over financial reporting and each service organizations may need to provide reports to their clients (user entities) according to different standards. For the service organizations catering services within United States, SSAE18 is best suited. While for the ones providing services outside US, reporting can be done in accordance with the ISAE 3402 standards (termed as a combined report).

Further, there are a few key differences when it comes to performance and reporting style of both the standards. Below are the major key differences which one should know:

• Investigation of the Intentional Acts

Both the standards require the investigation of any deviations identified during the testing. They direct the service auditor to investigate the noted deviations that could have been caused by an intentional act of service organization’s (SO) personnel. The SSAE 18 directs that the auditor should receive a written representation from SO management detailing any actual or suspected intentional acts (like employee committing frauds) that could impact the fair presentation of management’s description of the system. However, the ISAE 3402 does not explicitly require auditors to obtain the written representations.

• Dealing with Operating Anomalies

Any finding that deviates from the standard is an Operating Anomaly. SSAE 18 treats all deviations in the same manner, rather than as an anomaly. However, ISAE 3402 contains a requirement that allows a service auditor to conclude that any identified deviation while testing a sample of the control can be considered an anomaly. The idea is that when controls are sampled, they are not necessarily representative of the entire population from the samples drawn.

• Assistance from Internal Audit Team

SSAE 18 enables the use of direct assistance from the service organization’s internal audit function in accordance with the U.S. audit standards guidance. ISAE 3402 does not allows the use of the internal audit function for direct assistance.

• Subsequent Events

SSAE 18 calls out that the service auditor should report any event that could be significant in order to prevent users from being misled. A subsequent event would be something that could change management’s assertion after the audit period has ended. However, ISAE 3402 restricts the types of subsequent events that would be disclosed in the service auditor’s report to only those that could have a significant effect on the service auditor’s report.

• Statement on Restricting Use of the Service Auditor’s Report

SSAE 18 requires that the auditor’s report should include a statement restricting the use of the report to management of the service organization, user entities, and user auditors. However, ISAE 3402 requires that the service auditor’s report include a statement that indicates that the report is intended for the service organization, user entities & user auditors but does not require a statement restricting its use.

• Acceptance of Engagement and Continuation

SSAE 18 directs that management should acknowledge and accept the responsibility of providing the service auditor with written representations at the conclusion of the engagement. However, ISAE 3402 does not requires this acknowledgment.

• Disclaimer of Opinion

If the service provider does not provide the assessor with specific written representation, ISAE 3402 requires that the auditor deny an opinion after discussing the concern with management. If this happens, the auditor can carry out the required action. SSAE 18 requires that the service auditor takes an action or withdraws from the engagement. The SSAE 18 also contains certain incremental requirements for a situation where auditor plans to deny any opinion.

• Elements of the Section 801 Report That Are Not Required in the ISAE 3402 Report

SSAE 18 contains certain requirements that are additional to those in ISAE 3402. These requirements are as follows:

o The identification of any information included in the documentation that is not covered by the service auditor’s report.

o A reference to management’s assertion, and a statement that management is responsible for identifying any of the risks that threaten the fulfillment of the control objectives

o A statement that the examination included assessing the risks that management’s description of the service organization’s system is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives.

o A statement that an examination engagement of this type also includes evaluating the overall presentation of management’s description of the service organization’s system and suitability of the control objectives stated in the description.

We believe, that the article what have enhance your understanding of the two standards and their key differences. Please reach out us if you still have any queries or for any further information.

2020-09-11 06:31:11

Advantages of SOC Reporting

In today’s world, you would hardly find an organization that does not outsource at least one function or component of their control environment to a third-party service provider. From payroll processing to invoice creation and cloud storage to backup solutions, third party vendors have provided companies with cost-effective and efficient ways to reduce the need for internal resources for performing reoccurring or computerized tasks.

While this has helped organizations reduce headcount, stress, and certain costs, it does not eliminate the company’s responsibility to ensure their processes are functioning correctly, their data is secure, and their control environment is integrated. Since, these types of associations have become more common, the demand from clients (or “user entities”) and their external auditors for service organizations to provide assurance that their processes and controls are designed, and operating, effectively has also increased. Complying a SOC 2 audit gives your organization an edge as you can assure your customers that you are taking all necessary steps to keep their data safe and safeguard against damaging breaches.

Following are the key benefits of having a compliant SOC report:

Attracts your buyers

Organizations concerned with security are more likely to become customers if you can provide a SOC 2 report, which shows that you are following best practices for implementing and reporting on control systems.

Acts as Differentiator

Your competitors may claim to be secure, however they cannot prove that without an audit. Getting a SOC 2 report can differentiate your organization from other companies in the marketplace that have not made as significant an investment of time and capital.

Enhancing Services

As SOC audit helps you learn to be more secure and efficient. You can streamline your processes and controls based on your understanding of the risks that your customers face. This in-turn will help you improve your services.

Establish Trust

While working with other people’s financial data / sensitive information, trust is the key thing you offer to your client. A SSAE 18 report performed by an independent auditor proves to clients that the systems and controls you have in place are secure and effective.

Save Time and Money

Audits can be time consuming and utilize valuable company resources. However, if you have a current report, it can be utilized by an external auditor and will help you save a lot of re-work. If you don’t a SOC report, you could face multiple user organizations’ auditors individually, repeating the process with each and every request

Identify and Remediate Deficiencies

Apart from having an internal audit function, a third-party auditor can bring in new perspective on control environment and help catch inefficiencies or areas for improvement within your service organization that will end up saving you time and money in the long run.

Make Public Companies your client

Publicly traded companies are required to use service providers that are SSAE 16 qualified. Having a SSAE 16/SOC audit will expand your market beyond privately held companies to include public corporations.

Establish relationship with your Auditor

By the end of your SSAE 18/SOC audit, your auditors will know your business inside and out. You’ll be able to take advantage of this valuable resource long after the audit is complete. Any time you have a question you can refer to this trusted, knowledgeable resource to help navigate even the toughest business decisions.

2020-08-10 09:02:28