Latest Blogs

What You Need to Know About GDPR

What Exactly Is GDPR?

General Data Protection Regulation (“GDPR”) was instituted by the European Union to protect the data privacy of its citizens, allow individuals to regain control over their personal data, and level the playing field for businesses. GDPR became effective May 25, 2018. As of that date, all organizations that process EU citizens’ general data—regardless of the location of operation—are required to comply with the new regulation. General data includes any information that is related to a living individual (specifically in the EU) and affects any organization that processes general data of EU residents. Examples of personal data type identified on the European Commission website include name, home address, email address (as long as it is not anonymous in nature) and location data. Examples of personal data processing include collection, recording, storage, use, dissemination or otherwise making it available, erasure or destruction. 

Path to Compliance

What should your organization do to become GDPR compliant? First and foremost, implement and strengthen appropriate organizational controls to ensure that employee, customer, and third-party data is appropriately secured. Proper implementation of controls surrounding data minimization, data encryption and data retention are all imperative to the security of personal data. If your organization is not currently performing tasks such as backing up data, collecting and reviewing logs, and reviewing access and activity for key systems containing this information, you run the risk of a data breach.

Next, evaluate these controls to confirm they were designed properly and are operating effectively. Finally, create and implement remediation plans for controls with design and/or operating issues.

Required Steps

What should you do in the event of a data breach? The organization must notify the proper Data Protection Authorities within 72 hours of a breach. In addition, if the breach is significant in its size or impact on individuals, the organization must also notify those individuals directly.


There are consequences for failing to take the appropriate action. At minimum, these may include a warning to your organization, a temporary or permanent ban on processing, and/or fines of up to 4% of the organization’s revenue. Your organization may also be liable for compensating individuals involved in the breach.

Not only should you put the proper controls in place to efficiently mitigate a breach, but you need to thoroughly prepare and train employees to handle any data breaches.

2020-05-05 01:42:25


Microsoft Dynamics NAV is an Enterprise Resource Planning (ERP) software solution for Mid-sized
companies whether in the business of Manufacturing, Trading or Services .Additionally it offers
companies complete accounting and financial management capabilities along with other modules like
HRMS for attendance , payroll & the same can be integrated with its finance function . Since it is
populated & designed at global standards so Foreign Companies can also use NAV as a complete ERP
solution to their businesses reason being it is:


Brief about functions : • Financial Management: NAV as an ERP manages its Receivables , Payables , Invoice Payments , Manages Bank Accounts , Managing Inter Company Accounts , Multi Currency Accounting , Employee expenses reimbursements , Allocation of costs & income to Branches or subsidiaries Cash flow Statement , Statement of Profit & Loss , Balance Sheet , Tax Managements like GST Reports , TDS Reports etc. Moreover, it can be specifically used for:

? Stock Management in trading entities

? Raw Material to WIP to Finished Goods management in Manufacturing entities ,

? Loans & NPA Management in Small Banks & Non-Banking Finance Companies • Customer Relationship Management : NAV as an ERP manages CRM via its

? Campaign Management ? Relationship Management

? Contacts Classifications

? Contact Management

? Document Management

? Opportunity Management the more details of which can be accessed at below link • Project Management : Navision as a product management tool can be used widely in different industries as depicted in below chart at all three levels i.e.


• Supply Chain Management : This solution gives the control needed over your supply chain by providing customized & detailed view of supply chain activities such as inventory levels , trend reports , forecasts & transportation plans—in real time. NAV 2016 offers following supply chain features : ? Alternative order Addresses in case of more than one location. ? Alternative Ship to Addresses who have more than one address to where orders are shipped ? Alternative vendors in case purchases of same item from different vendors ? Drop Shipment handles order shipments from vendor to customer through automation ? Location transfers, track inventory as it is moved from one location to another & accounts for inventory in transit & multiple locations ? Assembly Management allows for specifications like raw materials , WIP & finished goods • Human Resource Management & Payroll


• Management Info System : Navision is having a feature called “ Analysis by dimensions “ where we can any number of dimensions & can do analysis on same like :

? Branch Wise Profitability reports can be extracted .

? Useful for Segment reporting i.e. requirements of IFRS 8

? Employee wise expenses can be triggered.

? Can be integrated with Microsoft Power BI for MIS reports.

? Vendor Wise purchase reports can be extracted.

? Customer wise sales report can be generated .

? Small Banks & Non-Banking Finance Companies can extract loan account wise data

Microsoft Dynamics Navision: A Multi-Platform Software Solution It’s a multi-platform software & can be used with a contemporary user interface & touch Screen so that we can operate it with a finger , So there is no need to use the web browser version of Dynamics NAV on our Mobile Devices . We can flexibly use it on

• Desktop

• Laptop

• Mobile Phone

Navision Application Availability Application for Mobile & Tablets can be easily dowloaded from :

? Windows Store for Windows users

? Google Play Store for Android users

? App Store for IOS users

Seamless Integration with Data Quality:

• No Modification in data at local level .

• Changes done at central level will be done automatically accross all the levels.

• Increased level of control over data & the ability to manage it .

• A Foreign company or a Multi National Company can efficiently manage its branches at global level. Change friendly organization

• Upgrade & process changes becomes easier as same process , functionalities & processes have used everywhere accross the branches

• Easy to modify NAV if same template is used across all branches , segments & Subsidaries

• With the collaboration and workflow capabilities, the company gains the ability to act faster as an organization. License & Infrastructure optimization • With consolidated ERP system, it is possible to reduce the number of concurrent users per license, if there is one database environment.

• One stable environment for all entities is developed. There is no need to create separate environment for each location at which a consolidated ERP Microsoft Dynamics NAV is implemented.

• Hence , gobal company does not need to pay the same costs of system installation in a subsidiary over and over again.

• The quality of data at the system level is much improved – with master data management, or internal EDI

. • At the level outside the system – with standardized data, processes and settings – users are able to communicate more easily and effectively. All subsidiaries use the same tool. Thus, ERP systems are no longer an obstacle to successful communication. • Employees have identical tools regardless of the department, participate in the same trainings and use the same documentation.

Business Process Standarization

• Easier creation of new subsidiaries or adding newly acquired companies to the organization.

• Reduced risk of errors during implementation in subsidiaries.

• Transparency when comparing the performance of respective subsidiaries – easier management, control, comparisons across subsidiaries

• Transparency of the supply chain –especially the relations between companies within the group.

• Reducing average costs and improving quality – the ability to prepare the process for a greater number of entities.

• Reduced risk of errors during implementation in subsidiaries. Cost Reduction dskfdknfjdn • Economies of scale

• Decreased license and management costs.

• Streamline global supply chain management;

• Avoiding the „reinvent the wheel” effect – the same modifications made by different partners in different locations;

• Reduced support costs – subsidiaries use the same systems so it is easier to support the end users.

• Reduced management costs with more stable and simple IT systems and infrastructure.

• Roll-outs – their average cost goes down as the project of ERP global consolidation progresses.

• More information about cost reduction during global roll-out can be found in the post:


2020-05-08 03:13:17

How the Tableau Tool Can Be Widely Useful for Data Analytics

Tableau is one of the most popular tools used for business intelligence. This data visualization tool is growing fast. The reason for this is that this tool is trendy and can help with various actions in terms of data. 

What fascinates so many people about it is that it can crunch down raw data into a simple format that’s easy to understand. Tableau offers high-speed analytics, and it provides visualizations in the form of worksheets or dashboards. 

What’s great about any data crunched through this tool is that it can be sent to other organizations. Professionals through various levels of the organization can easily understand this data and use it properly. In this post, we will talk about how you can use Tableau for data analytics

Tableau can be used for generating customized data reports

Data reporting is a vital part of data analytics. A lot of people neglect just how important it is. Every piece of data has its purpose, and it needs to be passed on to someone. With proper reporting options, you can understandably represent data. 

This is how you can ensure accountability and compliance. Tableau gives a lot of customization options when it comes to data reports. They allow you to manipulate the way data is represented according to the needs of your clients, managers, or customers. 

This is how you can make their life more comfortable and move on to the next step, no matter what it might be. Data analysts need to come up with valuable conclusions. However, if they aren’t able to represent these conclusions to others, all of their work is in vain.

It Can Pull Data From Multiple Sources for Further Analysis

Data often needs to be extracted from different sources for the same task. Pulling data with Tableau is very flexible and easily adjustable. This means that you can easily target various data sources to gather new information. 

Tableau has a feature for sourcing configuration that can be connected to several data sources for pulling or crawling. This is particularly good if you are looking to analyze and compare different entities of data. 

You can quickly draw valuable conclusions and run further analytics to compare various aspects of those data entities. One of the critical advantages of Tableau compared to other analytics and business intelligence tools is that it can be connected to different data sources and various types of data. 

At the same time, it can blend all of the different data into one place through helpful visualizations.

Tableau Can Process Data Quickly

The more data a tool can handle, the better. The longer a company is operating, the more volumes of relevant data it will have. This is why there is a constant need for data analytics tools that can process large amounts of data. Tableau can deliver this as it can go through millions of data rows.

This tool can also create many different visualization representations that contain a lot of data while not losing dashboard performance. Additionally, Tableau has an option that allows users to create “live” connections with various data sources. The visualizations will change in near real-time based on the data that is being sourced.

2020-05-05 01:37:20

SOC 2 Compliance Audit

As per AICPA guidelines SOC 2 report is intended to meet the needs of a broad range of users (user entity) that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.


In short, the goal of SOC 2 Audit is to assess the processes or systems which manage or process customer data in such a way that they ensure the security, availability, processing integrity, confidentiality, and privacy of the user entities’ provided services.

Who should go for SOC 2 compliance?
SOC 2 applies to technology-based service organizations that keep client’s customer information on the cloud or used cloud based solutions to process the customer data. So, if any organization uses cloud solutions such as cloud based CRM, Salesforce solutions etc. which are generally based on SAAS cloud platform then these service organizations should adhere to SOC 2 compliance.

There are two types of SOC 2 reports:

 SOC 2 - Type I report on the fairness of the presentation of service organization management’s description of the system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date

 SOC 2 Type II report on the fairness of the presentation of service organization management’s description of the system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Generally SOC 2 reports cover one year period, but there are times when service organizations may need to conducts this audit every six months, depending on the client’s requirements. The Accorp Partners help in providing Auditing SOC 1 and SOC 2 audit to companies. A service organization will have to demonstrate (and document) that they have adequate policies and controls in place to achieve the selected trust service principles and the IT and process Controls that address the related Criteria should be properly designed and implemented.

Our vast experience with different industry verticals and commitment to enterprise-grade security, availability, and performance is a reason why many leading software companies and service organizations rely on Accorp to help them enhance their service experiences and client’s confidents.

Should Start-ups or Medium size companies go for SOC 2 compliance ?

It is normally seen that start-ups and medium sized companies at their early stage have neither the budget nor the zeal to undergo such an endeavour, so they thought that they should wait until the company get large and get more established.

But I think this is not a right approach, even the real benefit is to start with the SOC 2 compliance process as early as possible. When you get your company compliance and certified then it will becomes easier to get regulated industries, banks, Fintech or these types of organizations to work with you as customers or partners. This compliance will give them comfort to rely on your security and process controls and do business with start-ups or medium sized organizations.

2020-05-05 01:33:26

How organizations comply with SSAE 18 i.e. SOC Compliance?

As per AICPA, ‘The Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service’ .


The service organizations which are like to compliant with ‘Statement on Standards for Attestation Engagement’ [SSAE 18] standards and SOC compliance, the type of Audit they need to undergo are depends on the services which they provides to their user entities. Irrespective of whether a company go for a SOC 1 Audit report or SOC 2 Audit report, these reports are signed by licensed CPA and they (service organization) can go for the auditing process by providing a description of the system and a written statement of attestation to the licensed CPA (Accorp Partners). The description of the system should includes information such as the services which the organization provides, their organization’s IT policies and procedures and the personnel who are involved in the scoped services of the Business process. As per the written statement of service organization’s attestation, the organization’s management team should put together a document to assert that their organization’s system and IT controls are designed and implemented in a way that achieves the goal of the organization.

Now under the SOC, there are two subtypes of reports — Type I and Type II. The simple difference between the two is that the SOC 1 Type I audits report is solely on the controls of a company at a specific point in time, while SOC Type II audits requires a more meticulous, thorough and time-taking review and analysis.

 SOC 1 is a control report for service organizations, which pertains to internal control over financial reports.

 SOC 2 is based on service system trust principles and evaluates the business information system that relates to security, availability, processing integrity, confidentiality and privacy.

 SOC 3 is also based on system trust principles but does not go into as much detail as SOC2 and is primarily used as marketing material.

2020-05-05 01:29:34

GDPR Data Protection

GDPR applies to all companies, no matter where they are based, who collect and process personal data on EU residents. Non-EU companies have to appoint a GDPR representative and will be liable for all fines and sanctions. Some of the key requirements of the GDPR are:


Consent: Organizations must get consent to collect personal data, with the level of consent varying according to the type of personal data being collected.

Data minimization: Responding to years of gratuitous collection of personal data by apps, with no clear purpose in mind, the GDPR stipulates that organizations can only collect personal data that is clearly related to a well-defined business objective. If an organization gathers personal data for one purpose but then decides it wants to use it for another purposes (such as consumer profiling), that could be considered non-compliance.

Individual rights: Another key feature of the GDPR is the very clear rights that it gives data subjects (i.e., the individuals whose personal data is being collected) to understand why their data is being collected and how it is being processed. They have the right to object, to correct—and they have the right to be erased/forgotten.

2020-05-05 01:27:57

Who Can Perform a SOC Audit?

As the requirement to receive SOC 1 or SOC 2 reports as part of a contract, request for proposal (RFP), or security program increases as a barrier to receiving major clients, it’s important to understand who can perform these audits. This post will identify a number of questions to answer who exactly can perform SOC 1 and SOC 2 audits.

Can a Non-CPA Organization Perform a SOC 1 & SOC 2 Audit?

No. If a firm is not a certified CPA firm, then they cannot complete a SOC 1 or SOC 2 audit that will be acceptable in the eyes of the AICPA and users of the report cannot rely on the contents provided within.

A SOC 1 and SOC 2 examination has at least four main sections that users of the report should look for. Those include the following:

  • Management’s Assertion
  • Auditor’s Opinion
  • Description of Services
  • Results of Testing

If a firm completes a SOC audit that is not a certified CPA firm, then they cannot provide an opinion of the contents detailed within the Description or Services and Results of Testing. Because of this, it is imperative to confirm that the firm your organization chooses to perform the SOC audit, meets this fundamental requirement.

Can Non-CPA Organizations Partner with CPA firms to Perform SOC 1 & SOC 2 Audits?

No. If you think otherwise, contact any member of the AICPA Trust Information Task Force. Any one of them would be more than happy to take down your information and have a dialogue with you about this topic.

With that said, the AICPA requires that team members that work on engagements have a certain level of competence and capabilities. While a non-CPA organization may have the technical capability to perform a review of the services or system being examined, they must also have experience with the following:

  • Evaluating the design of controls and the operating effectiveness to confirm that they have functioned over a period of time and meet the applicable trust service criteria included in the report.
  • Understand professional standards that are required by the AICPA such as the AICPA Code of Conduct along with other audit standards that allow auditors to apply professional skepticism and judgment as required

This, however, does not mean an auditor cannot enlist the use of a specialist, if required, to complete an audit. This question will be addressed in question number five.

Yes. As part of the AICPA Code of Conduct, CPA firms MUST be independent before they can engage with a client to perform an audit. The AICPA requires that “a member in the public practice should be independent in fact and appearance when providing auditing and other attestation services,” such as a SOC 1 or SOC 2 examination.

What are the Ramifications to the Service Organization if One of the Above has Happened?

Any user organization and/or user auditor that relied on the SOC 1 or SOC 2 examination report from the service organization may have placed unwarranted reliance on that SOC report. In other words, the user organization’s financial statement audit may have to be performed again for each period in which there was unwarranted reliance. Moreover, it is illegal to depart from state laws in regard to performing attestation services.

SOC 1 and SOC 2 follow the guidance found within the Statement on Standards for Attestation Engagement (SSAE 18). SSAE 18 is meant to be a clarification and recodification which replaces SSAE 16 as the standard for SOC 1 reports. SSAE 18 has integrated concepts found in AT-C section 105, Concepts Common to All Attestation Engagements; AT-C section 205, Examination Engagements; AT-C section 210, Review Engagements; and AT-C section 215, Agreed Upon Procedures. These standards together are now the standards for both SOC 1 and SOC 2 reports. For more information on SSAE 18, check out other posts linked within the summary section.

Guidance also exists that states that the only type of organization that may perform a SOC 1 and SOC 2 audits is a licensed CPA firm. The following bullets are selected excerpts from authoritative sources listing some, but not all, of the relevant guidance supporting the comments above:

  • “[A]uditor should not assume responsibility for the predecessor auditor’s work or issue a report that reflects divided responsibility” (AICPA, AU315.16).
  • “The independent auditor also has a responsibility to his profession, the responsibility to comply with the standards accepted by his fellow practitioners” (AICPA, AU110.10). This includes adherence to CPE, Ethics, and licensing requirements.
  • “No person, partnership, professional corporation, or limited liability company shall, without an active certificate of certified public accountant or a valid registration: Attest or express an opinion, as an independent auditor” (Colorado Revised Statute 12-2-120 Unlawful Acts (6)(II)(B)).
  • “The practitioner must adequately plan the work and must properly supervise any assistants” (AICPA, AT101.42).
  • “Attest services may only be rendered through firms holding permits from the state” they are performing attest services. (Uniform Accountancy Act, Section 7).

Can a Firm Use the Work of a Specialist to Perform a SOC 1 or SOC 2 Examination?

Yes. When engaging to perform a SOC 1 or SOC 2 examination, the auditor may decide it is necessary to enlist the use of a specialist. AT-C 205, Examination Engagements requires that auditors assess the following items:

  • Does the specialist have the required skills to understand the service or system and do they have the required independence to complete the required work?
  • Is enough evidence available to the auditor to determine whether the specialist has the necessary proficiency to understand the nature of the specialist’s work along with the scope of their expertise, and determine whether the objective of their work meets the needs of their expected role as a specialist?
  • Will the auditor and the specialist be able to come to an agreement on the expected work (i.e. nature, scope, and objectives) to be completed by the specialist, the roles and responsibilities that will be required of the specialist, when and the extent of work expected by the specialist, and the duties and any confidentially requirements that are expected of the specialist.

Through consideration and documentation of the items listed above, an auditor can engage the use of a specialist.


The overall goal of an attestation engagement is to provide users of the report or clients of subservice organizations, in this case, with an opinion on the assertions made by management. As a result, report users can place reliance on the information before deciding whether they want to put an agreement or contract in place to use that system or service. Because reliance is placed on these reports to enter into or agreement often times, it is important to understand who exactly can perform a SOC 1 and SOC 2 audit.

The main take-away from this post is this: if the report is not completed by a CPA firm, the report should not be relied on.

2020-05-05 01:25:59

What is a SOC 2 Report? Expert Advice You Need to Know

In this article, we will cover some common questions that come up related to SOC 2 reports. SOC 2 compliance does not have to be difficult although with some of the terminology, it can initially be confusing. So what are SOC 2 reports and examinations? Let’s dive in!

What is SOC 2 Certification or Attestation?

While there is no such thing as a SOC 2 certification, many still refer to a SOC 2 certification. One of our clients recently received a request from a prospective client asking whether they were a SOC 2 certified data center. Our client, being more savvy than most, said, “We don’t have a SOC 2 certification. We have a SOC 2 attestation.” Our client’s prospect, or user organization, in SOC language, wanted to hop on a call to discuss.

The prospect was considering backing out of the deal because our client was not SOC 2 “certified.” We joined on the call and told our client’s prospect that our client did in fact have a SOC 2 report, but they were not SOC 2 “certified.” The prospect then said, “oh, so you are SOC 2 certified” and the deal moved forward. We laughed afterwards with our client because our client’s prospect could not grasp the terminology.

What is a SOC 2 Report?

SOC 2s differ from some other information security standards and frameworks because there is not a comprehensive list of “thou shalt” requirements. Instead, the AICPA provides criteria that can be selected by a service organization to demonstrate they have controls in place to mitigate risks to the service they provide. This can be a bit annoying for some first time clients since there isn’t one right answer for how to address the applicable criteria. Instead, a good auditor’s job is to identify what is already being done by their clients to meet the applicable criteria. In some cases, there are gaps and clients must implement new controls. In other cases, existing controls need to be tweaked slightly to better address the criteria. Our goal is for our clients to meet the criteria selected, but to create the least impact and additional overhead when remediating controls as possible.

SOC 2 reports are considered attestation reports. For a SOC 2 attestation, management of a service organization asserts that certain controls are in place to meet some or all of the AICPA’s SOC 2 Trust Services Criteria (TSC). Management also selects which of the five TSCs best address the risk of the services provided by the service organization.
See the AICPA page related to attestation reports for more information.
When a service organization completes a SOC 2 report, the report contains an opinion from a CPA firm that states whether the CPA firm agrees with management’s assertion. The opinion states that the appropriate controls are in place to address the selected TSCs and the controls are designed (Type I report) or designed and operating effectively (Type II report). In many cases, the opinion is positive and the CPA firm agrees with management’s assertion. In other cases, the CPA firm does not agree with management’s assertion and provides a qualified or adverse opinion. See past blog post on qualified opinions.

What Does SOC 2 Stand For?

A SOC 2 is a System and Organization Control 2 report. There are three types of SOC reports. See this AICPA whitepaper comparing the reports. Some companies struggle with the differences between SOC reports, and whether they should get a SOC 1, SOC 2, or SOC 3. We start by asking prospective clients about the type of clients and stakeholders asking for the report as well as the type of services provided to clients. This allows us to assess whether prospective clients may impact the internal controls over financial reporting (ICFR) of our prospective clients’ user organizations.

If a service organization can impact the ICFR of its user organizations, a SOC 1 report may be the best report option. If a service organization cannot impact its user organizations’ ICFR, but they can impact the security, availability, processing integrity, confidentiality, or privacy of their user organizations, then a SOC 2 may be the best report for the service organization’s clients.

SOC 2 Report Structure

The SOC 2 report structure is similar to a SOC 1 report structure, which we outlined in our SOC 1 article, and consists of:

  • The Opinion Letter
  • Management’s Assertion
  • Description of the System
  • Description of Tests of Controls and Results of Testing
  • Other Information

Who Needs a SOC 2 Report?

Service organizations that do not materially impact the ICFR of their user organizations, but do provide key services to user organizations may need a SOC 2 report.

SOC 2 Report Example

Many companies outsource IT infrastructure to service organizations, such as data centers and cloud hosting providers (e.g., Amazon’s AWS). What do these service organizations do to prove to clients and stakeholders that they are adequately protecting their servers and sensitive data? Service organizations receive SOC 2 reports to demonstrate they have certain controls in place to mitigate security, availability, confidentiality, processing integrity, or privacy risks. A SOC 2 report will include a CPA firm’s opinion on controls design and potentially operating operating effectiveness over a period of time.

Using AWS as an example, many companies use AWS and request assurance from AWS that there are controls in place to mitigate the risk of AWS’ systems and data being compromised. AWS could attempt to provide different answers to every single client that asks security related questions, but that would take too much time. Instead, AWS has selected an independent CPA firm to perform a SOC 2 examination (among many other AWS compliance exams). Then, rather than respond to all the questions regarding AWS’ security posture, AWS provides its SOC 2 report, which answers many of the common questions asked by its user organizations related to security, availability, confidentiality, processing integrity, and privacy.

Learn more in our article, Leveraging the AWS SOC 2: How to Build a SOC 2 Compliant SaaS.

What is SOC 2 Compliance? The Trust Services Criteria (TSC)

A service organization should choose the SOC 2 TSCs that mitigate the risk of their user organizations use of the service organization’s services. At a minimum, SOC 2 reports must include the Security or Common Criteria. The other TSCs can be added depending on the needs of user organizations.

Recently we had a prospective client say they wanted all of the TSCs included within their report because they wanted it to be the strongest report possible. Unfortunately, not all TSCs may apply to a particular client’s service. For example, if your company does not process transactions, processing integrity is probably not applicable. I’ve heard of firms including TSCs when they are not applicable within a report and then explaining why they are not applicable within the report. That’s not advised. Your best bet is to select criteria that is applicable to your services and answer the questions you hear most from your clients and prospective clients.

The Trust Services Criteria are noted below:

  • Security – The system is protected against unauthorized access (both physical and logical).
  • Availability –b> The system is available for operation and use as committed or agreed.
  • Processing Integrity – System processing is complete, accurate, and authorized.
  • Confidentiality – Information that is designated “confidential” is protected according to policy or agreement.
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA.

Other Common Questions About SOC 2 Reports

Is There a SOC 2 Checklist?

There is no checklist, but the AICPA’s SOC 2 criteria can be obtained and reviewed. So how do you get it? You can buy it from the AICPA or contact us for a consultation. The criteria contains requirements related to each of the TSCs outlined above. The requirements may be met in a variety of ways, so there is not a one size fits all checklist for SOC 2 compliance. It is dependent on the services provided by a service organization. The SOC 2 criteria is also going through an update. See our blog post on the updated SOC 2 criteria which now more closely aligns with COSO.

Should You Get a SOC 2, Type 1 or Type 2 Report?

SOC 2 reports can be Type 1 (aka Type I) or Type 2 (aka Type II) reports.
SOC 2 Type 1 reports reports are as of a particular date (sometimes referred to as point-in-time reports) that include a description of a service organization’s system as well as tests to help determine whether a service organization’s controls are designed appropriately. They test the design of a service organization’s controls, but not the operating effectiveness.

SOC 2 Type 2 reports cover a period of time (usually 12 months), include a description of the service organization’s system, and test the design and operating effectiveness of key internal controls over a period of time.

Learn more in our article, SOC Report Types: Type I vs Type II.

How Much Does a SOC 2 Report Cost?

SOC 2 examinations are not cheap and fees depend on a number of factors. Factors include the scope of services included within the report, the TSCs included, the size of the organization, and the number of in scope systems and processes. For example, if a company has 3 different patch management processes to ensure servers and workstations stay up-to-date, the auditor will need to gain assurance that each of those processes is designed operating effectively. Learn more in our article, How Much Does A SOC Audit Cost?

Who Can Perform a SOC 2 Audit?

Licensed CPA firms that specialize in information security audits are the only organizations that should perform SOC 2 examinations. There are some companies that perform SOC 2 audits and have a CPA firm sign off on their report even though the CPA firm did not perform the audit. We recommend staying away from that approach. We also recommend selecting a firm that has experienced IT auditors and not financial audit CPAs only. When selecting a firm to perform a SOC 2, we recommend asking for the resumes or bios for any of the auditors that will complete the work. Then, ensure the firm you select has auditors with the appropriate skills and expertise. Certifications such CISA or CISSP are good to look for. Also, check references and ensure the firm you select has experience in the field you are in.

Updated SOC 2 Guidance

On December 15, 2018, new SOC 2 guidance went into effect and all reports following that date must include the updated criteria. See our previous blog post related to the latest SOC 2 criteria update.

2020-05-05 01:23:49

Testing & Audit Exceptions

If you are reading this article, chances are that your auditor has told you that you have an audit exception or, even worse, multiple “audit exceptions.” Hearing that phrase strikes fear and panic into the hearts of many. While some of those reactions may be justified, I have found that many suffer more than necessary because they are not familiar with the vocabulary used in these discussions, do not really know what an exception is, or do not understand the audit process.This article will briefly summarize the purpose and process of an audit, define what audit exceptions are, and clarify what to look for when discussing the results of an audit.

Realizing that there are many types of audits, I will use SOC 1 or SOC 2 audits as the basis for this discussion. While other audits may be assessing different things and may have different types of exceptions, the basic principles and process described here can be applied across broad range of audits.

What is the purpose of SOC Audit?

System and Organization Control (SOC) audits are designed to provide an independent and objective assessment of a service organization to users of the services or system that the service organization provides. There are three things an auditor of the service organization is trying to determine:

  • Is the service organization’s description of its system and services accurate or presented fairly?
  • Are the controls described by the service organization suitably designed to achieve the related control objectives or criteria?
  • Did the controls described by the service organization operate effectively during the period covered by the assessment to achieve the related control objectives or criteria?

An auditor must gather sufficient evidence to evaluate and answer these questions with reasonable assurance to support the unqualified or qualified opinion to be written in the audit report. The process of gathering evidence is called auditing and will include a number of different activities.
For example, auditors may gather information by inquiring of appropriate personnel (management, supervisors, and staff); inspect documents and records; observe activities and operations being performed; and tests of controls. All of these activities used to gather and evaluate evidence are often referred to as audit procedures or audit tests.

What are Audit Exceptions? A Definition

Audit exceptions are simply deviations from the expected result from testing one or more control activities. Each control in a service organization’s description must be tested by an auditor to validate that the description is accurate and that controls are suitably designed and operating effectively to achieve the related control objectives or criteria. An auditor may use one or more tests to evaluate each control. As with any test, there are expected outcomes or responses.

Consider the following example that you might see in a SOC audit:

  • Control Objective: Controls provide reasonable assurance that statement processing is appropriately scheduled and that deviations in processing are identified and resolved.
  • Control Activity: Statement batch totals are used in order to identify and resolve deviations in processing.
  • Testing Performed: Inspected a sample of batches used to process statements and noted that batch control totals were used to help maintain the integrity of the statements processed.

Using this example, if an auditor performed this test and found that one or more of the batches selected for testing did not use batch control totals, as expected and indicated in the service organization’s description, the auditor would note a deviation. These deviations go by many names: audit exceptions, test exceptions, control exceptions, deficiencies, findings, misstatements, and so on.

The Cause & Nature Audit Exceptions

  • The identified exceptions are within the expected rate of deviation and are acceptable.
  • Additional testing of the control or of other controls is necessary to reach a conclusion about whether the controls related to the control objectives or criteria stated in management’s description of their system or services operated effectively throughout the specified period.
  • The testing that has been performed provides appropriate basis for concluding that the control did not operate effectively throughout the specified period.

What to Look for When Discussing Audit Exceptions in SOC Audit Results

Auditors have their own vernacular that may cause confusion and worries. I like to compare audits to taking a trip to the doctor’s office:

Imagine after suffering with an illness for a few days, you finally go in and see a doctor. The doctor visits with you, inspects you by doing a few checks personally, and may even orders a few tests (i.e., blood work) before coming back to share the prognosis at the conclusion of your visit. The doctor sits down in front of you and stoically shares that you are suffering from nasopharyngitis or acute coryza. You don’t necessarily know what that is, but it sounds horrible—much more serious than you had thought. In the moments after hearing the initial prognosis, your heart rate starts to pick up, you begin to sweat (if you weren’t already), and mind begins to race. Seeing your reaction, doctor quickly clarifies, “That means you’ve got a cold. You need to get some rest, stay hydrated, and take some pain medication.”

That’s kind of what it’s like when you are visiting with your auditors after an audit. You know there were a few exceptions, but you’re not sure what it means or just how bad is. Well, not all audit exceptions are created equal.

Types of Audit Exceptions

Audit exceptions can be intentional or unintentional, qualitative or quantitative, and include omissions. Auditors are required to make sure a service organization’s description is accurate and to include all design and operating deficiencies in the report—they no longer have discretion in determining whether or not to include exceptions.

There are three basic types of exceptions when it comes to SOC audits:

  • Misstatements: a misstatement is used to refer to an error or omission in the description of the service organization’s system or services.
  • Deficiency in the Design of a Control: a design deficiency is used when a control necessary to achieve the control objective or criteria is missing or an existing control is not properly designed, even if the control operates as designed, to achieve the control objective or criteria.
  • Deficiency in the Operating Effectiveness of a Control: an operating deficiency is used when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

As your instinct would suggest, an exception is not a good thing. However, having an exception does not necessarily mean that a control fails, nor does a control failure mean that an objective or criteria is not met.

It is actually quite common for a SOC report to have some exceptions. Some user entities and auditors reading an audit report actually like to see one or two exceptions in a report because it gives them some comfort that the auditor is doing a thorough job.

Review Audit Exceptions for Errors

It is important for you to review any audit exceptions. Auditors may mistakenly believe an error has occured because they:

  • misunderstood the documentation provided;
  • did not ask the right question; or
  • did not ask the right person.

Spending a little time with your auditors to understand the exceptions and confirming them internally can pay big dividends. In some cases, you will be able to find and provide the “missing” evidence to your auditors can clear the exceptions. In other cases, you may be able to identify another control activity that your organization performs that mitigates the risk. Often, the risk raised by an audit exception is mitigated by other controls within the environment.

Stay Diligent When Reviewing Audit Exceptions

Try not to get bogged down in the weeds when discussing audit results with your auditors. If there are control exceptions, ask them:

  • Does the exception constitute a control failure?
  • If there is a control failure, was it a design or operating deficiency?
  • Do any of the deficiencies that impact, in their opinion, the organization’s ability to meet their control objectives or criteria specified for the audit?
  • Do they feel that the exceptions or deficiencies, individually or collectively, could result in a qualified opinion on the audit?

These questions will allow you to understand just how bad the exceptions are. You don’t really need to worry about a variance that will be noted in the report, but is not considered a control failure. If a control has an exception, knowing if it is a design or operating deficiency will help you understand what type and level of corrective action is needed.

Qualified vs Unqualified Opinions

Another important pair of terms to keep straight when discussing audit results are ‘qualified’ and ‘unqualified.’ Unlike how most uses of these terms has ‘qualified’ as a positive term and ‘unqualified’ as a negative, auditors use them differently.

For example, I am qualified for a job. However, we auditors like to be different. So, your ultimate goal in audit is to get an unqualified or clean opinion. A qualified opinion is not good in that it means that there is at least one control objective or criteria that the auditor believes the organization was not able to achieve.

No matter how serious or not serious the exceptions may be, remember to always ask your auditor what they might recommend that you do to correct the exception(s) going forward.


Hopefully this blog helped you better understand the purpose and process of an audit, what audit exceptions are, and clarified what to look for when discussing the results of an audit

2020-05-05 01:21:38

SOC 1 & SOC 2

What is SOC 1?

These reports covers internal controls over financial reporting. These reports are restricted use reports intended only for existing customers or the general public.

What is SOC 2?

These reports covers internal controls, policies, and procedures directly related to AICPA’s trust service principles – Security, Availability, Privacy, Confidentiality and Integrity of the customer information handled by service organization. SOC 2 repots are unique to each organization. It is shared under NDA by management, regulators and external auditors.


Similar to SOC 1, the SOC 2 offers a Type 1 and Type 2 report. The Type 1 report is a point-in-time snapshot of your organization’s controls, validated by tests to determine if the controls are designed appropriately. The Type 2 report looks at the effectiveness of those same controls over a more extended period - usually 12 months.

When to Get SOC 2 Certification

Your organization should pursue SOC 1 if your services impact your clients’ financial reporting. For example, if your organization creates software that processes your clients’ billing and collections data, you are affecting your client’s financial reporting, and thus a SOC 1 is appropriate. Another reason organizations pursue SOC 1 vs SOC 2 is if their clients ask for a “right to audit.” Without SOC 1, this could be a costly and time-intensive process for both parties, especially if several of your clients ask to submit a similar request. You may also need to comply with SOC 1 as part of a compliance requirement. If your company is publicly traded, for example, you will need to pursue SOC 1 as part of the Sarbanes-Oxley Act (SOX).

SOC 2, on the other hand, is not required by any compliance framework, such as HIPAA or PCI-DSS. But if your organization doesn’t process financial data but processes or hosts other types of data, SOC 2 makes sense. With today’s business climate being extraordinarily aware and sensitive to data breaches, your clients may want proof that you are taking reasonable precautions to protect their data and stop any leaks. We built an open source template for SOC 2 teams.

The choice to pursue SOC 1 vs SOC 2 depends on your organization’s situation. One critical determining factor when choosing between SOC 1 or 2 is whether your organization’s controls would affect your client’s internal control over financial reporting. You may want to engage with an audit firm to determine which SOC type (or both) is the right fit for your organization.

In certain circumstances, it may be appropriate for companies to obtain both a SOC 1 and a SOC 2 report. Typically, this occurs when a company has multiple service offerings – one service may involve processing financial information on behalf of clients (payment processor) and another service may be more focused on the storage or transmission of sensitive client data (cloud-based data storage). In this case, getting both reports from the same CPA firm can go far to lessen the financial burden on you while ensuring you have advice from a trusted provider who knows your organization.

2020-10-26 06:01:23