Advantages of SOC Reporting

In today’s world, you would hardly find an organization that does not outsource at least one function or component of its control environment to a third-party service provider. From payroll processing to invoice creation, and from cloud storage to backup solutions, third-party vendors have provided companies with cost-effective and efficient ways to reduce the internal resources needed for recurring or computerized tasks.

While this has helped organizations reduce headcount, stress, and certain costs, it does not eliminate the company’s responsibility to ensure that its processes are functioning correctly, its data is secure, and its control environment is integrated. Since these relationships have become more common, the demand from clients (or “user entities”) and their external auditors for service organizations to provide assurance that their processes and controls are designed, and operating, effectively has also increased. Completing a SOC 2 audit gives your organization an edge, as you can assure your customers that you are taking all necessary steps to keep their data safe and to safeguard against damaging breaches.

Following are the key benefits of having a compliant SOC report:

Attracts your buyers

Organizations concerned with security are more likely to become customers if you can provide a SOC 2 report, which shows that you are following best practices for implementing and reporting on control systems.

Acts as a Differentiator

Your competitors may claim to be secure; however, they cannot prove it without an audit. Getting a SOC 2 report can differentiate your organization from other companies in the marketplace that have not made as significant an investment of time and capital.

Enhancing Services

A SOC audit helps you learn to be more secure and efficient. You can streamline your processes and controls based on your understanding of the risks that your customers face. This in turn will help you improve your services.

Establish Trust

When working with other people’s financial data or sensitive information, trust is the key thing you offer your clients. An SSAE 18 report performed by an independent auditor proves to clients that the systems and controls you have in place are secure and effective.

Save Time and Money

Audits can be time consuming and consume valuable company resources. However, if you have a current report, it can be used by an external auditor and will save you a lot of re-work. If you don’t have a SOC report, you could face multiple user organizations’ auditors individually, repeating the process with each and every request.

Identify and Remediate Deficiencies

Apart from an internal audit function, a third-party auditor can bring a new perspective on your control environment and help catch inefficiencies or areas for improvement within your service organization, which will end up saving you time and money in the long run.

Make Public Companies Your Clients

Publicly traded companies are required to use service providers that are SSAE 16 qualified. Having an SSAE 16/SOC audit will expand your market beyond privately held companies to include public corporations.

Establish a Relationship with Your Auditor

By the end of your SSAE 18/SOC audit, your auditors will know your business inside and out. You’ll be able to take advantage of this valuable resource long after the audit is complete. Any time you have a question you can refer to this trusted, knowledgeable resource to help navigate even the toughest business decisions.

SOC 2 Audit for Amazon AWS Environments

With the migration to the cloud happening at record pace, thousands of companies are currently being required to become SOC 2 compliant every year. In this blog, we will be touching upon the key areas and their importance from a SOC 2 perspective when Amazon Web Services (AWS) is used as the cloud platform.

SOC 2 Scoping & Readiness Assessment: Understanding the scope, and which business processes are to be included in your SOC 2 audit, is important, and it also helps in mitigating any kind of scope-related problems. Since you’re hosting your services (i.e., your production environment) in AWS, this brings its own variety of advantages for your SOC 2 audit.
o First, a wide range of the physical security controls are covered by AWS themselves, as their own data centers house your virtual server instances.
o Second, AWS offers a good number of audit, compliance, and management tools and solutions that are straightforward to “spin up” in any environment, further helping with compliance needs.

Leverage AWS’ SOC Reports for Scope Reduction: The CPA firm you engaged to perform your SOC 2 audit will ask you to obtain a copy of AWS’ most current SOC 2 report, and for an obvious reason – scope reduction. A large number of the controls you’ll need for SOC 2 compliance are actually covered by AWS’ report, starting from physical and environmental controls – so AWS’ SOC 2 must be leveraged.

Utilize AWS’s Security and Compliance Tools: CloudWatch Logs reports on application logs, whereas CloudTrail logs detail specifically what occurred in your AWS account. These are just a few examples of the many tools that AWS makes available for your growing security, governance, and regulatory compliance needs.
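To make the CloudTrail point concrete, here is an added example (not code from the original article and not an AWS tool) showing how the account activity recorded by CloudTrail can be turned into the kind of evidence a SOC 2 auditor asks for. It parses records in the JSON layout CloudTrail delivers to S3 (a top-level "Records" list) and flags three things auditors routinely request: root-account activity, console logins that succeeded without MFA, and IAM changes. The sample records, the account number 123456789012, and the user names are constructed for illustration.

```python
"""Flag SOC 2-relevant events in CloudTrail records (added example, not from the article)."""
import json

# IAM API calls that change who can do what in the account (evidence for access management).
IAM_CHANGE_EVENTS = {
    "CreateUser", "DeleteUser", "CreateAccessKey", "AttachUserPolicy",
    "DetachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "DetachRolePolicy",
    "PutRolePolicy", "UpdateAssumeRolePolicy", "CreatePolicyVersion",
}

# Constructed sample of a CloudTrail delivery file; account id and names are placeholders.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # root signed in to the console with no MFA
        "eventTime": "2020-04-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # an IAM user signed in with MFA: nothing to flag
        "eventTime": "2020-04-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # an IAM user attached an administrative policy to another user
        "eventTime": "2020-04-01T09:10:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {"userName": "carol",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
    {   # routine read-only call: nothing to flag
        "eventTime": "2020-04-01T09:15:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
]})


def classify(record):
    """Return the list of finding tags for one CloudTrail record (empty if benign)."""
    tags = []
    identity = record.get("userIdentity", {})
    name = record.get("eventName", "")

    # Root should not be used for day-to-day work; auditors ask for every root event.
    if identity.get("type") == "Root":
        tags.append("root-activity")

    # ConsoleLogin events carry MFAUsed ("Yes"/"No") in additionalEventData and the
    # outcome in responseElements; only successful logins without MFA are flagged.
    if name == "ConsoleLogin":
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        outcome = record.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Success" and mfa != "Yes":
            tags.append("console-login-without-mfa")

    # IAM changes form the evidence trail for the access-management control.
    if record.get("eventSource") == "iam.amazonaws.com" and name in IAM_CHANGE_EVENTS:
        tags.append("iam-change")
    return tags


def scan(cloudtrail_json):
    """Parse a CloudTrail delivery file and return (time, actor, event, tags)
    for every record that produced at least one finding."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        tags = classify(rec)
        if not tags:
            continue
        ident = rec.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        findings.append((rec.get("eventTime"), actor, rec.get("eventName"), tags))
    return findings


if __name__ == "__main__":
    for when, who, what, tags in scan(SAMPLE_CLOUDTRAIL):
        print(f"{when}  {who:40}  {what:20}  {', '.join(tags)}")
```

Run against real trail files, the output of scan() is the sort of listing you would hand to the auditor alongside the screenshots of the CloudTrail configuration itself; failed logins and MFA-protected logins are deliberately left out so the list stays focused on exceptions.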

Visit and you’ll find a list of tools and solutions for helping meet growing regulatory compliance needs, not only for SOC 2 but also for HIPAA, HITRUST, GDPR, PCI DSS, FISMA, and much more. Here is a sneak peek at the various tools available from AWS for helping with growing regulatory compliance needs:

o AWS Artifact: The AWS Artifact portal provides on-demand access to AWS’ security and compliance documents, also referred to as audit artifacts.
o AWS Certificate Manager: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
o AWS CloudHSM: The AWS CloudHSM service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud.
o Amazon Cognito: Amazon Cognito lets you add user sign-up/sign-in and access control to your web and mobile apps quickly and easily.
o AWS Identity and Access Management (IAM): Use AWS Identity and Access Management (IAM) to control users’ access to AWS services. Create and manage users and groups, and grant or deny access.

There are more tools available from AWS when it comes to security & compliance, so use them as required. They’ll make life in the cloud, and your SOC 2 audit, much easier.
Implement the Tools: Sounds simple, but we’d politely remind you that simply knowing such tools are available isn’t enough; you need to put them to good use, as auditors will want to see evidence of this. If you’re not familiar with AWS in terms of their toolsets and offerings for regulatory compliance, then it’s necessary to seek out AWS security &

Develop AWS Information Security Policies and Procedures: One of the foremost aspects of becoming SOC 2 compliant is developing all the required information security policies and procedures. Specifically, SOC 2 is heavy on documentation, and you’ll have to put in place strong, well-written InfoSec policies. More importantly, these policies have to be written specifically for your environment within AWS.
Here’s just a small sample of the policy documents you’ll need for becoming SOC 2 compliant:
o Access management
o Data backup
o Incident response
o Data retention and disposal
o Security and patch management – and many more.
Perform Essential Operational Initiatives: Four key operational initiatives that you should perform for SOC 2 compliance are:
o Perform an annual risk assessment
o Test your incident response annually
o Implement security awareness training
o Conduct vulnerability scans periodically

The Audit Begins: The auditors will be asking for a wide range of evidence. Specifically, they’ll be requesting documentation (i.e., policies and procedures), proof of various system settings (this can come in the form of screenshots), and proof of operational measures undertaken, such as security awareness training, risk assessments, and more. It’s therefore essential to provide them with everything they request. In short, be transparent with your auditors.
We believe this article will have enhanced your understanding of AWS controls from a SOC 2 perspective. Please reach out to us if you would like to know more about data security or need any help with a SOC/GDPR certification for your organization.

Understanding a SOC 3 Report

Over the last decade, companies have started to see outsourcing as a way of reducing costs and improving efficiency, which has led to rapid growth in the outsourcing of software as a service and other cloud-based technologies. This change has led to increased demand for SOC reports and has also increased the need for auditor reporting at service organizations, to make sure that these service providers have appropriate internal controls in place to manage their information systems. As customer requests for these reports become more frequent, it can often be confusing which report you ought to be providing, as well as which report will be more useful for the service organization.


The AICPA has five main Trust Services Criteria, namely security, availability, processing integrity, confidentiality, and privacy. A Service Organization Control 3 (SOC 3) report provides information related to a service organization’s internal controls around these TSCs.
A SOC 3 is intended for a public audience. These reports are short and include less detail than a SOC 2 report, which is distributed to a focused audience of stakeholders. Due to their generic nature, SOC 3 reports can be shared openly and posted on a company’s website to demonstrate its compliance. Nevertheless, the report may still be invaluable for an organization looking for insights into its current security and control landscape.

Difference Between a SOC 2 and SOC 3 Report

Basically, both SOC 2 and SOC 3 reports revolve around the same AICPA standards, and the work performed by the service auditor for the two reports is very similar. Both reports are based on the AICPA’s TSCs, and the controls identified and tested are usually the same for both reports. Following are some key differences between the two reports:
• SOC 2 reports can be either Type I or Type II, while a SOC 3 report is always a Type II report.
• A SOC 3 report has a less detailed description of controls related to compliance and operations. Also, it does not include detailed testing procedures or results of testing.
• SOC 2 reports are restricted-use reports for the service organization’s management, customers, and customers’ auditors. By contrast, SOC 3 reports are general-use reports that can be distributed freely, as they contain significantly less detail.
• A SOC 3 report is used more as a tool for attracting prospective customers, but it may not satisfy the needs of current customers and their auditors.
• A SOC 2 report is larger in size, as it includes an auditor’s opinion, management’s assertion, and a detailed description of the system. It also includes a description of the service organization’s internal controls and the results of the tests performed on them by the service auditors. A SOC 3 report, however, is much smaller in size and consists of a brief auditor’s opinion, management’s assertion, and a brief narrative providing background on the service organization. It contains very little detail on the specific controls operating within the service

Benefits of a SOC 3 Report

Following are some key benefits of obtaining a SOC 3 report:
• It evidences that your organization invests in security measures and shows customers that you’re transparent about your practices.
• A SOC 3 report can help enhance your company’s credibility and gain the trust of new clients.
• It provides you an edge over competitors who do not have any third-party
• A positive report demonstrates that you have a professional team and that your organization cares about its clients, ensuring that their data is safe from cyber


To conclude, it is relatively easy for an organization to decide whether they need a SOC 1 or a SOC 2, because the key difference is that SOC 1 is more inclined towards the impact of the service organization’s controls on the customer’s internal control over financial reporting. The decision becomes a little more difficult when deciding between a SOC 2 and a SOC 3 report.
The important thing to remember is that a SOC 2 is a restricted-use report that contains detailed information on the system, the controls in place, the service auditor’s test procedures, and the results of those test procedures. SOC 2 reports are useful for corporate oversight, vendor management programs, internal corporate governance, and risk management processes.

A SOC 3 is a general-use report that does not include much detail and is a great marketing tool. It can be used to attract new clients and instil confidence and trust in both prospective and existing clients.
We believe this article will have enhanced your understanding of SOC 3 reports. Please feel free to reach out if you have any queries related to SOC reports or need to get a SOC/ISO/GDPR certification done for your organization.

The US and UK attestation standards (SSAE vs. ISAE)

Usually, when you look to get an independent controls attestation for your organization by a third-party service auditor, you may come across many ways of getting that done. You can either get a SOC 1 or SOC 2 audit done (Type I or Type II) based on your requirements, and choose the attestation standard for the report, i.e., either ISAE (the UK standard, No. 3402 being the latest) or SSAE (the US standard, No. 18 being the latest). In this article, we will touch upon both standards, their managing authorities, and the key differences, which will help you understand what exactly they are and identify the best one for you.
ISAE stands for International Standards on Attestation Engagements (the UK standard), which is managed by the IAASB (International Auditing & Assurance Standards Board), which in turn reports to IFAC (International Federation of Accountants).

SSAE stands for Statement on Standards of Attestation Engagements (the US standard) and is managed by the AICPA (American Institute of Certified Public Accountants), which reports to FASB (Financial Accounting Standards Board).
Principally, both standards are designed to achieve the same objective in terms of reporting on the establishment of effectively designed controls over financial reporting, and service organizations may need to provide reports to their clients (user entities) according to different standards. For service organizations providing services within the United States, SSAE 18 is best suited, while for those providing services outside the US, reporting can be done in accordance with the ISAE 3402 standard (termed a combined report).
Further, there are a few key differences when it comes to the performance and reporting style of the two standards. Below are the major differences which one should know:
• Investigation of Intentional Acts
Both standards require the investigation of any deviations identified during testing. They direct the service auditor to investigate noted deviations that could have been caused by an intentional act of the service organization’s (SO) personnel.
SSAE 18 directs that the auditor should receive a written representation from SO management detailing any actual or suspected intentional acts (such as an employee committing fraud) that could impact the fair presentation of management’s description of the system. However, ISAE 3402 does not explicitly require auditors to obtain such written representations.

• Dealing with Operating Anomalies
Any finding that deviates from the standard is an operating anomaly. SSAE 18 treats all deviations in the same manner, rather than as anomalies. However, ISAE 3402 contains a requirement that allows a service auditor to conclude that a deviation identified while testing a sample of a control can be considered an anomaly. The idea is that a sample drawn from a population is not necessarily representative of the entire population.

• Assistance from the Internal Audit Team
SSAE 18 enables the use of direct assistance from the service organization’s internal audit function, in accordance with U.S. audit standards guidance. ISAE 3402 does not allow the use of the internal audit function for direct assistance.

• Subsequent Events
SSAE 18 calls out that the service auditor should report any event that could be significant, in order to prevent users from being misled. A subsequent event would be something that could change management’s assertion after the audit period has ended. However, ISAE 3402 restricts the types of subsequent events that would be disclosed in the service auditor’s report to only those that could have a significant effect on the service auditor’s
• Statement on Restricting Use of the Service Auditor’s Report
SSAE 18 requires that the auditor’s report include a statement restricting the use of the report to the management of the service organization, user entities, and user auditors. However, ISAE 3402 requires that the service auditor’s report include a statement indicating that the report is intended for the service organization, user entities, and user auditors, but does not require a statement restricting its use.
• Acceptance of Engagement and Continuation
SSAE 18 directs that management should acknowledge and accept the responsibility of providing the service auditor with written representations at the conclusion of the engagement. However, ISAE 3402 does not require this acknowledgment.
• Disclaimer of Opinion
If the service provider does not provide the assessor with the specific written representations, ISAE 3402 requires that the auditor disclaim an opinion after discussing the concern with management. If this happens, the auditor can carry out the required action.
SSAE 18 requires that the service auditor either takes action or withdraws from the engagement. SSAE 18 also contains certain incremental requirements for a situation where the auditor plans to disclaim an opinion.
• Elements of the Section 801 Report That Are Not Required in ISAE 3402

SSAE 18 contains certain requirements that are additional to those in ISAE 3402. These requirements are as follows:
o The identification of any information included in the documentation that is not covered by the service
auditor’s report.
o A reference to management’s assertion, and a statement that management is responsible for identifying
any of the risks that threaten the fulfillment of the control objectives.
o A statement that the examination included assessing the risks that management’s description of the service
organization’s system is not fairly presented and that the controls were not suitably designed or operating
effectively to achieve the related control objectives.
o A statement that an examination engagement of this type also includes evaluating the overall presentation
of management’s description of the service organization’s system and suitability of the control objectives
stated in the description.
We believe that this article will have enhanced your understanding of the two standards and their key differences. Please reach out to us if you still have any queries or for any further information.

What is the difference between SSAE 16 and SSAE 18?

Nowadays, many companies are concerned about the technical and security controls used by their third-party providers/suppliers. Corporations are demanding independent audits of the IT and security controls of their third-party companies. In many situations, they are asking for some type of SSAE 16 audit or SSAE 18 audit.

What is SSAE 16 Audit?

An SSAE 16 audit is an audit under Statements on Standards for Attestation Engagements No. 16. It offers a set of conditions and guidance for reporting on administrative controls and actions at service organizations. Audits using SSAE 16 usually result in SOC 1 (System and Organization Controls) reports. Unlike prior standards, an SSAE 16 audit requires a written assertion from a service company’s management, declaring that its description accurately presents the organizational controls, system objectives, and operational activities that affect customers. The SSAE 16 audit was succeeded by the SSAE 18 audit in 2017.

What is SSAE 18 Audit?

An SSAE 18 audit follows the current set of rules and guidance for reporting on a company’s controls and processes at service firms. It replaces SSAE 16 and is intended to update and clarify the prior set of standards. Like SSAE 16, SSAE 18 is used in SOC 1 reports, but also in SOC 2 and SOC 3 reports, which were earlier directed under AT Section 101. Among other changes, SSAE 18 also requires that service organizations identify subservice organizations and provide risk assessments to SOC auditors.

SSAE 16 Audit vs. SSAE 18 Audit

SSAE 16/18 audits and SOC have repeatedly been used interchangeably, with people discussing SSAE 18 reports and SOC 1 audits. But the two are different, and it’s necessary to understand the difference.

SSAE 18 — SSAE 18 is the Statement on Standards for Attestation Engagements No. 18. As the name shows, it sets out standards and guidance for carrying out attestation engagements. These are the standards and methods CPAs follow when carrying out SSAE 18 audits.

A SOC Report is a System and Organization Controls Report. It is the report that CPAs generate after conducting an attestation engagement under the SSAE 18 set of standards. Thus, SSAE 16/18 denotes the standards, and SOC refers to the report.

In 2016, the Association of International Certified Professional Accountants updated the Statement on Standards for Attestation Engagements from No. 16 (SSAE 16) to No. 18 (SSAE 18). This change was made to clarify and converge the attestation standards related to SOC 1 audits. SSAE 18 has also been expanded to cover more kinds of SOC reports, whereas SSAE 16 was restricted to SOC 1 reports only.

How to move to the New SOC 1 Audit?

The very first thing all companies should do in order to get ready for the change in the SOC 1 audit standard is to perform a formal risk assessment. Accorp Partners assists organizations in completing this by providing our expertise and resources to ease the SOC audit for them. There are also many resources on risk assessment, and tools to help you get started with reporting on your own.

The next thing service organizations should do in preparation for the new SOC 1 audit is to start vendor compliance management. When it comes to managing your vendors, organizations must ask themselves what challenges their dealers or suppliers present to the company and to the services they depend on them to provide. Accorp Partners is here to assist you with all SOC compliance work, including SOC 1 audits, SOC 2 audits, SOC reporting, and much more, as service organizations look to maintain and monitor vendor compliance.

If you have any queries related to the updates to SOC 1 audit, contact our financial advisors.

SOC 2 Audits & HITRUST CSF Assessments

As a healthcare organization – or a supplier of services to the broader healthcare arena – you’ve most likely come across the SOC 2 HITRUST topic. After all, in today’s world of ever-growing regulatory compliance mandates, SOC 2 HITRUST is currently front and center for thousands of companies throughout North America.
And with HITRUST certification comes one of the most important questions that healthcare organizations are asking themselves: should we become HITRUST CSF compliant, or have a certified public accountant firm perform a SOC 2 HITRUST assessment on our organization, and what’s the difference?

Let’s examine this in more detail.

• What is HITRUST?
• What is SOC 2?
• What are the differences between SOC 2 and HITRUST?
• When combined, what’s a SOC 2 HITRUST Report?
• Tips for getting ready for SOC 2 HITRUST
• The Importance of Policies and Procedures for SOC 2 HITRUST

What is HITRUST?

According to HITRUST, in conjunction with private-sector, government, technology, and information privacy and security leaders, it has developed the HITRUST CSF, a certifiable framework that can be used by any organization that creates, accesses, stores, or exchanges sensitive information.

Furthermore, the HITRUST CSF harmonizes multiple frameworks, standards, state, federal and international laws, and leading practices into one framework. The HITRUST CSF addresses industry-specific challenges by leveraging and enhancing existing frameworks, standards, and laws to provide organizations of varying sizes, geographic operations, and risk profiles with prescriptive implementation requirements and guidelines.

Lastly, the HITRUST CSF is a scalable, prescriptive, and certifiable framework that harmonizes various standards, laws, control frameworks, and leading practices.
Specifically, HITRUST CSF Certification requires the services of a HITRUST-approved CSF assessor organization. The result is a report with findings that can be provided to customers, prospects, local/state/federal agencies, and other applicable entities.

What is SOC 2?

SOC 2 – System and Organization Controls (SOC) – is an auditing framework put forth by the American Institute of Certified Public Accountants for auditing service organizations. Central to the SOC 2 framework are the following Trust Services Criteria (TSC):
• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

Specifically, in keeping with the AICPA, SOC 2 reports are intended to meet the needs of a broad
range of users that need detailed information and assurance about the controls at a service
organization relevant to security, availability, and processing integrity of the systems the service
organization uses to process users’ data and the confidentiality and privacy of the information
processed by these systems.

More simply stated, SOC 2 audits (mainly a SOC 2 Type 1 and a SOC 2 Type 2) effectively report on whether the controls were designed properly (Type 1) and/or whether such controls operated effectively (Type 2), in accordance with the requirements put forth by the applicable trust services criteria and the related common criteria.

As stated earlier, there are five trust services criteria (TSCs) that a service organization (i.e., your business) can be assessed against during a SOC 2 audit: security, availability, processing integrity, confidentiality, and privacy. The security TSC is required for SOC 2 audits, with the remaining four deemed optional, but they can be added depending on the service provided.
It’s vital to remember that SOC reports are well known in the world of auditing and, as a result, can meet a wide range of control compliance reporting needs for various industries. So along comes HITRUST, and now the option of obtaining a SOC 2 HITRUST report, something that makes sense for the large number of healthcare organizations throughout North America. Let’s take a look now at what exactly SOC 2 HITRUST is.

Differences between SOC 2 and HITRUST

Technically speaking, the most important distinction is that SOC 2 is an AICPA “attestation” report, whereas HITRUST is a “certification” report. Additionally, the “attestation” side of SOC 2 compliance means management (i.e., the service organization on which the SOC report is being performed) attests to the information contained in the actual SOC 2 report. In addition, the independent auditor (i.e., the certified public accountant firm) ultimately confirms the attestation via an opinion letter. Now, there are different “opinions” issued by the certified public accountant firm, such as “unqualified”, which is a clean report, or “qualified” or “adverse”, which are generally seen as an adverse or suspect report on one’s control environment.

As for HITRUST, again, it’s a certification, and is undoubtedly a far more detailed report than a typical, baseline SOC report. The HITRUST CSF framework has more controls, more detail, and more overall testing requirements than a typical, baseline SOC 2. This ultimately requires more time and effort from businesses undergoing HITRUST CSF compliance.
Keep in mind that HITRUST has built the actual CSF framework from a range of standards – with a significant emphasis on ISO 27001/27002 – and the result is a set of controls far larger than a typical, baseline SOC 2.

Combined SOC 2 HITRUST Report?

A SOC 2 HITRUST report is basically a SOC 2 combined with the HITRUST CSF control requirements, used as the basis of an organization’s cyber security and information framework. To support this approach, HITRUST and the AICPA have collaborated to align the Trust Services Principles and Criteria to the HITRUST CSF, which provides standard and comparable requirements for use in a SOC 2 report. Note that only a Certified Public Accountant (CPA) firm can issue a SOC 2 HITRUST.

Tips for getting ready for SOC 2 HITRUST

One of the most important measures any service organization can take in preparing to undergo an initial SOC 2 HITRUST assessment is to perform a scoping & readiness assessment. You’ll need to assess and identify certain scoping issues, such as what information systems, personnel, physical locations, third-party providers – and more – are in scope. Second, you’ll want to identify gaps and deficiencies within your control environment that require remediation, such as policies and procedures, technical/security misconfigurations, and more.
We believe that this article will have enhanced your understanding of the two standards and their key differences. Please reach out to us if you still have any queries or for any further information.

SOC Reporting and COVID 19

Brief Overview

COVID-19, the most buzzed word these days, a virus that has not only impacted health of the humans
but has also affected almost each and every industry in the world including organizations (user
organization) relying on other companies (service organization) to provide their services. Companies
have either shifted their staff to remote environments or laid off their workers. Organizations looking
for a SOC (System and Organization Controls) report from their service organizations are in a dilemma
whether they will be able to get a renewed report or not for the COVID year.
SOC examinations are designed to test the information technology and business process controls a
company has implemented to protect the security of its customers' data (SOC 2) or to ensure the
accuracy and completeness of financial transaction processing and reporting (SOC 1). If SOC reports
are not obtained and reviewed on a timely basis, your customers and related stakeholders may be
unable to meet their business objectives.
Further, the entities that issue SOC reports (independent third-party audit firms) are concerned
about how to support remote attestation of controls at a time when companies have reduced headcount,
decreased revenues and, in some cases, ceased operations under government mandates. Remote risk
assessment and attestation, whether of internal controls over financial reporting (SOC 1) or against
the AICPA's Trust Services Criteria (SOC 2), without being physically present at the client location
has become a significant challenge. However, business must go on, and so must SOC reporting.
In this article we touch upon the considerations that service organizations, user organizations and
third-party auditors should take care of during the pandemic.

Service Organizations

Service organizations should evaluate their operations and IT environments to determine whether any
controls have been impacted.
• The company should examine any impact on the functioning of controls caused by a reduced number
of employees; any resulting segregation of duties (SoD) conflicts should be addressed with
additional monitoring controls.
• Employees who access regulated data should receive appropriate training on handling that data in
a remote work environment.
• New user provisioning and user termination processes should continue to operate effectively, with
sufficient authentication of remote users.
• Supplementary guidance on remote-work cyber security practices should be communicated to staff
working from remote locations.
• Applications enabled for remote work should be secured, and multi-factor authentication (MFA)
should be required for all critical
• Service organizations should agree with their service auditors on procedures for performing
walkthroughs virtually over video conferencing. The most common such procedures are physical
security walkthroughs of buildings and data centers to confirm that security measures and
environmental protections are in place.

User Organizations

User organizations, as the recipients of SOC 1 and/or SOC 2 reports, should communicate frequently
with their vendors to discuss whether COVID-19 has impacted their operations and their SOC report.
The following should be considered when reviewing a SOC report whose evaluation period includes the
pandemic.
• Review the SOC report for any disclosures of changes to the system, operations or controls
resulting from COVID-19, and assess whether any such change affects you and your reliance on the
report.
• Review the SOC report for exceptions; expect an increased number of exceptions at your service
organizations because of the pandemic, and evaluate each exception and its impact on you.
• Review the complementary user entity controls (CUECs) and analyse whether the service provider
has added any items because of changes to its controls or system description.

Assessors / Auditors

The following key aspects should be considered by the auditor when performing a third-party
assessment:
• Key-personnel risk should be evaluated: the organization should have adequate personnel available
to support critical business and IT functions.
• Changes to the organizational structure should be assessed, along with their possible impact on
segregation of duties.
• The organization's Disaster Recovery and Business Continuity Plans should be evaluated and changes
suggested as required by the pandemic situation.
• Given travel restrictions, remote audit methods such as video conferencing should be used to
perform virtual walkthroughs, for example physical security walkthroughs of buildings and data
centers to confirm that security measures and environmental protections are in place.
• Video conferencing can also be used to communicate with client personnel, to gain an understanding
of the client's systems on a new engagement, or to test the operating effectiveness of controls on
an ongoing engagement.
• For controls that did not operate during the testing period because of the pandemic, the auditor
should disclose the situation and the rationale in the report. Such a disclosure does not in itself
modify the overall report opinion, although the auditor still evaluates whether the deviation is
significant to the criteria.

Critical functions such as review of risk assessments, policy reviews, periodic user access reviews
and ticketing for the timely removal of terminated users' access should continue to operate without
interruption and should be tested as usual. In exceptional cases an annual control can be
rescheduled to a later month, as long as it still falls within your SOC examination period. In other
instances those activities may be performed virtually.
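The terminated-user removal and periodic access review controls mentioned above are a natural candidate for the continuous monitoring this article recommends. The following script is an added example written for this page, not code from the original article or from any audit firm: it reconciles a constructed HR termination feed against a constructed account export from an in-scope system and reports the exceptions an auditor would test for. The usernames, dates, service-account register and the three-day removal SLA are all assumptions.

```python
"""Terminated-user access review (added example, not from the article).

Reconciles an HR termination list against an account export from a system
(directory, SaaS application, VPN) and returns the evidence a continuous-
monitoring owner or a SOC auditor would look for:
  * terminated users whose account is still enabled past the removal SLA,
  * terminated users who logged in after their termination date,
  * enabled accounts with no HR owner and no documented service-account owner.
All names, dates and the 3-day SLA below are constructed assumptions.
"""
from datetime import date

# Constructed HR feed: username -> last working day.
HR_TERMINATIONS = {
    "jdoe": date(2020, 4, 10),
    "asmith": date(2020, 5, 28),
}
# Constructed HR feed: currently active employees.
HR_ACTIVE = {"bkhan", "mlee"}
# Constructed register of non-human accounts with a named owner (exempt from HR match).
SERVICE_ACCOUNTS = {"svc-backup": "platform-team"}

# Constructed account export from the in-scope system.
ACCOUNT_EXPORT = [
    {"user": "jdoe", "enabled": True, "last_login": date(2020, 4, 12)},
    {"user": "asmith", "enabled": True, "last_login": date(2020, 5, 27)},
    {"user": "bkhan", "enabled": True, "last_login": date(2020, 5, 29)},
    {"user": "mlee", "enabled": False, "last_login": None},
    {"user": "svc-backup", "enabled": True, "last_login": None},
    {"user": "tmp-contractor", "enabled": True, "last_login": date(2020, 5, 15)},
]

REMOVAL_SLA_DAYS = 3           # assumed policy: disable within 3 calendar days
AS_OF = date(2020, 5, 30)      # review date used by the example run


def review_access(accounts, terminations, active, service_accounts, as_of,
                  sla_days=REMOVAL_SLA_DAYS):
    """Return exceptions keyed by category; empty lists mean the control held."""
    findings = {"overdue_disable": [], "post_termination_login": [], "orphan_account": []}
    for acct in accounts:
        user = acct["user"]
        if user in terminations:
            term_date = terminations[user]
            days_since = (as_of - term_date).days
            # Account should have been disabled within the SLA after termination.
            if acct["enabled"] and days_since > sla_days:
                findings["overdue_disable"].append(
                    {"user": user, "terminated": term_date,
                     "days_enabled_after_termination": days_since})
            # Any login after the termination date is a red flag regardless of SLA.
            if acct["last_login"] is not None and acct["last_login"] > term_date:
                findings["post_termination_login"].append(
                    {"user": user, "terminated": term_date, "last_login": acct["last_login"]})
        elif acct["enabled"] and user not in active and user not in service_accounts:
            # Enabled, not a current employee, not a registered service account.
            findings["orphan_account"].append({"user": user, "last_login": acct["last_login"]})
    return findings


def control_operated(findings):
    """True when the review produced no exceptions; the auditor's pass/fail view."""
    return all(len(items) == 0 for items in findings.values())


if __name__ == "__main__":
    result = review_access(ACCOUNT_EXPORT, HR_TERMINATIONS, HR_ACTIVE,
                           SERVICE_ACCOUNTS, AS_OF)
    for category, items in result.items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
    print("control operated effectively:", control_operated(result))
```

Running the review on a schedule (for example weekly, against each in-scope system) and keeping the output with the ticket that closed each exception gives the auditor both the evidence that the control operated and a trail for any deviations found during the period.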

You can also visit the link below to read AICPA articles on the impact of COVID-19 on audit and assurance.

Please reach out to us if you would like to discuss this topic further or if you have any queries
related to SOC reporting.

Importance of Vulnerability Scans and Penetration tests in SOC Report

The evolution of technology has increased the practice of outsourcing business functions to third
parties. While third-party service providers help manage data and business processes, they can also
increase the vulnerabilities of the parent organization. The solution lies in having the right
controls in place to identify exposed areas, the extent to which they could be exploited, and the
need for security testing.
Even the smallest vulnerability can lead to a cyber-attack and a data breach, putting the
organization at risk. Examples include use of insecure protocols, delayed patching of identified
vulnerabilities, expired antivirus licenses, weak passwords, and the absence of QA review processes.
A regular vulnerability assessment helps validate the effectiveness of current security practices
and identify new risks. The following is a brief overview of vulnerability assessments (VA) and
penetration tests (PT).
Vulnerability Assessments

A vulnerability assessment is designed to identify, measure and classify vulnerabilities in each
system and across the whole IT environment. It produces a prioritized list of missing patches and
systems that require attention. An effective vulnerability assessment should:
• Identify security issues and their risk impact on the organization
• Identify and measure vulnerabilities within the systems
• Stop short of exploitation: confirming that a vulnerability can actually be used to breach systems
and circumvent security controls is the job of a penetration test
• Detect, define and prioritize system vulnerabilities and gaps

Penetration Test

Penetration testing aims to identify weaknesses that can actually be exploited. An effective pen
test should:

• Produce a list of vulnerabilities ranked by severity
• Identify the attack path used to take over a system
• Be conducted after a vulnerability assessment, once the company has appropriate security
practices in place
• Identify flaws that only surface at a second stage, after an initial foothold has been gained
• Be goal-oriented: work toward specific objectives rather than simply enumerating vulnerabilities

SOC 2 and VAPT

While the SOC 2 Trust Services Criteria (TSC) do not specifically require companies obtaining a
SOC 2 report to have vulnerability scans or a penetration test performed, companies must consider
the risks that remain unmitigated in their absence. Scans and pen tests have become an industry
standard for evaluating the integrity of a control framework, and a CPA firm that does not ask for
vulnerability scans or penetration tests should be viewed with skepticism. The SOC 2 Trust Services
Criteria do mention vulnerability scanning and penetration testing in the points of focus, which
shows they are key components. This should remove any confusion over whether pen tests and
vulnerability assessments are needed for SOC 2: it is up to the management team to understand how
critical the SOC 2 report is for the organization, and having the right protocols and testing in
place establishes benchmarks going forward.

Addressing the AICPA points of focus

Although SOC 2 is less rule-based than ISO 27001, CPA firms can request vulnerability scans and
penetration tests as part of evaluating a service provider's design of controls against the Trust
Services Criteria. Regular vulnerability scans, and in many cases penetration tests, are expected
for a service provider to meet the intent of CC7.1 and receive an unqualified SOC 2 opinion.

The Approach

Even though penetration testing and vulnerability scanning are not expressly required by the
SOC 2 criteria, they are clearly named in the points of focus, and a CPA firm should not issue a
SOC 2 report on an organization's information security posture without appropriately addressing
the risks associated with misconfiguration and the absence of regular patch management.
Criterion CC7.1 of the SOC 2 Common Criteria (Security), which relates to vulnerability scanning,
reads as follows:
“To meet its objectives, the entity uses detection and monitoring procedures to identify (1)
changes to configurations that result in the introduction of new vulnerabilities, and (2)
susceptibilities to newly discovered vulnerabilities.”
Under this criterion there is a related point of focus that states:
“The entity conducts vulnerability scans designed to identify potential vulnerabilities or
misconfigurations on a periodic basis and after any significant change in the environment and
takes action to remediate identified deficiencies on a timely basis.”
Given the risks associated with misconfiguration and patch management, our view is that companies
should at a minimum perform quarterly vulnerability scanning, whether internally or by an external
party, and additionally after any significant change to the environment.
Further, scanning alone is not enough: we advise a vulnerability management process that closes
high-risk findings from the scans and mitigates the associated risks within defined timeframes.
This is best achieved by assigning process owners who are accountable for the entire vulnerability
management lifecycle, from triage through remediation and rescan.
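To make "periodic" scanning and "timely" remediation testable rather than a matter of opinion, the following script is an added example for this page (not part of the original article, and not AICPA guidance). It checks a constructed scanner export and scan log against an assumed remediation SLA per severity and an assumed 92-day scan cadence, and produces the kind of evidence a service auditor testing CC7.1 would request. The finding data, the SLA values and the cadence threshold are illustrative assumptions.

```python
"""CC7.1 vulnerability-management evidence check (added example, not from the
article or the AICPA criteria).

Turns the point of focus quoted above into measurable checks:
  * scans happen "on a periodic basis": no gap between full scans, or between
    the last scan and the review date, exceeds the allowed cadence;
  * deficiencies are remediated "on a timely basis": no open finding exceeds
    the remediation SLA for its severity, and no closed finding took longer.
The SLA values, the 92-day cadence and all sample data are constructed assumptions.
"""
from datetime import date

# Assumed remediation policy: days allowed from first detection to fix, per severity.
REMEDIATION_SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
MAX_SCAN_GAP_DAYS = 92  # assumed: "quarterly" scanning tolerates at most 92 days

# Constructed scanner export, normalised to one dict per finding.
SAMPLE_FINDINGS = [
    {"id": "F-1", "host": "web-01", "severity": "critical",
     "title": "TLS 1.0 enabled", "first_seen": date(2020, 3, 2), "fixed_on": None},
    {"id": "F-2", "host": "web-01", "severity": "high",
     "title": "Missing OS security patches", "first_seen": date(2020, 5, 20), "fixed_on": None},
    {"id": "F-3", "host": "db-01", "severity": "high",
     "title": "Database port reachable from office LAN", "first_seen": date(2020, 4, 1),
     "fixed_on": date(2020, 4, 15)},
    {"id": "F-4", "host": "vpn-01", "severity": "medium",
     "title": "Weak SSH ciphers offered", "first_seen": date(2020, 5, 1), "fixed_on": None},
]
# Constructed dates on which a full scan of the environment was completed.
SAMPLE_SCAN_DATES = [date(2019, 12, 2), date(2020, 1, 10), date(2020, 5, 20)]
AS_OF = date(2020, 6, 1)  # review date used by the example run


def overdue_findings(findings, as_of, sla=REMEDIATION_SLA_DAYS):
    """Open findings whose age exceeds the SLA for their severity."""
    overdue = []
    for f in findings:
        if f["fixed_on"] is not None:
            continue  # closed findings are judged by late_closures()
        age = (as_of - f["first_seen"]).days
        allowed = sla[f["severity"]]
        if age > allowed:
            overdue.append({**f, "age_days": age, "days_over_sla": age - allowed})
    return overdue


def late_closures(findings, sla=REMEDIATION_SLA_DAYS):
    """Closed findings that took longer than their SLA: evidence of late remediation."""
    return [f for f in findings
            if f["fixed_on"] is not None
            and (f["fixed_on"] - f["first_seen"]).days > sla[f["severity"]]]


def scan_cadence_gaps(scan_dates, as_of=None, max_gap_days=MAX_SCAN_GAP_DAYS):
    """(earlier, later, days) triples where consecutive scans are too far apart.

    When as_of is given, the interval from the most recent scan to as_of is
    checked too, so a stalled scanning program is caught before the next scan.
    """
    ordered = sorted(scan_dates)
    if as_of is not None:
        ordered.append(as_of)
    gaps = []
    for earlier, later in zip(ordered, ordered[1:]):
        gap = (later - earlier).days
        if gap > max_gap_days:
            gaps.append((earlier, later, gap))
    return gaps


def cc71_evidence(findings, scan_dates, as_of):
    """Summary an auditor could tie to the CC7.1 point of focus."""
    overdue = overdue_findings(findings, as_of)
    late = late_closures(findings)
    gaps = scan_cadence_gaps(scan_dates, as_of)
    return {
        "overdue_open_findings": overdue,
        "late_closures": late,
        "scan_cadence_gaps": gaps,
        "meets_point_of_focus": not overdue and not late and not gaps,
    }


if __name__ == "__main__":
    summary = cc71_evidence(SAMPLE_FINDINGS, SAMPLE_SCAN_DATES, AS_OF)
    for f in summary["overdue_open_findings"]:
        print(f"OVERDUE {f['id']} {f['severity']:8} {f['host']:7} {f['days_over_sla']}d past SLA")
    for earlier, later, gap in summary["scan_cadence_gaps"]:
        print(f"CADENCE gap of {gap}d between {earlier} and {later}")
    print("meets CC7.1 point of focus:", summary["meets_point_of_focus"])
```

In the sample run the control fails on both counts: the critical TLS finding is 76 days past its SLA, and no scan ran between January and May. Feeding real scanner exports into the same checks, and archiving each run with the tickets that closed the findings, is the evidence a process owner can hand to the auditor.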
CC4.1 (COSO Principle 16) is the criterion relevant to penetration testing:
“The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain
whether the components of internal control are present and functioning.”

A related point of focus for CC4.1, which applies to all engagements involving the TSC, reads as
follows:
“Management uses a variety of different types of ongoing and separate evaluations, including
penetration testing, independent certifications made against established specifications (for
example, ISO certifications), and internal audit assessments.”
Since there are many different forms of security assessment, we believe a penetration test is not
strictly needed if the entity can show that another comparable security assessment is performed on
a regular basis.
Based on our evaluation of the associated risk, the purpose of SOC 2 reporting, and the needs of the
general reader of a SOC 2 report: vulnerability scans are needed to meet CC7.1, whereas penetration
tests are not strictly required to meet CC4.1, provided the organization seeking the SOC 2 report
conducts another periodic security assessment.
The following are examples of security vulnerabilities that may not be reported in a SOC report yet
pose significant risks to all parties involved:

• Weak passwords that give an intruder complete access to a system
• Open network services that expose essential business systems, such as SQL Server, to the network
• SQL injection on a web page that allows remote deletion of database records and may go undetected
Do not assume all is well with a vendor's security solely on the basis of its SOC reports; look
deeper. Ask for the results of its most recent penetration test or vulnerability assessment, and
scrutinize the technical findings as closely as the higher-level policies and procedures.
We hope this article has enhanced your understanding of the importance of vulnerability scans and
penetration tests in a SOC report. Please feel free to reach out if you have any queries related to
SOC reports or need a SOC report, ISO certification, GDPR assessment or VA/PT engagement for your
organization. You can also visit our website to read more articles related to SOC reporting.

How regular you are required to perform a SOC 2 Audit

Typically speaking (and while there is no hard and fast rule), SOC 2 reports are required annually from service organizations as validation that their controls are designed and operating effectively. The once-a-year rule has become the consensus: if you undergo your initial SOC 2 audit in year one, then roughly twelve months later the service organization should provide another report on the operating effectiveness of its controls. It is a yearly process because the intended users of a SOC 2 report (clients, prospects, etc.) want assurance about a service organization's control environment on at least an annual basis. You can also talk to our experts about SOC audit compliance.

Things to understand about SOC 2 reports

Start with a scoping and readiness assessment. It is essential to perform an upfront scoping exercise to determine the project scope, the gaps that need to be corrected, the third parties that will be included in the audit, and much more.

Remediation covers deficiencies in policies and procedures, in security tools and solutions, and in day-to-day operations. Together, these three areas take time, make no mistake about it.

Documentation is critically important. By documentation we mean the policies and procedures that need to be in place. Think access control, data backup, incident response, change management, and much more. Do you have documented policies and procedures for these areas? If not, you need to start documenting them, and now.

Here is a short list of information security policies and procedures you will need to become, and stay, SOC 2 compliant:

1. Access control policies and procedures

2. Data retention and disposal policies and procedures

3. Incident response policies and procedures

4. Change management policies and procedures

5. Contingency planning

6. Wireless access

7. Acceptable usage policies

Security tools and solutions will have to be acquired. The AICPA SOC framework has become more technical of late, which means a number of security tools and solutions are needed for SOC 2 compliance. Think File Integrity Monitoring (FIM), two-factor authentication (2FA), vulnerability scanning, Data Loss Prevention (DLP) and more. This requires an investment of both time and money that many service organizations are unaware of until they begin the process.

Continuous monitoring of controls is essential. There is a concept known as “continuous monitoring”, and it means that someone must take ownership of assessing the internal controls on a regular basis. If not, when the auditors return for the annual SOC 2 audit, control deficiencies may have arisen, which is something you do not want.

It is an annual process. Finished your initial SOC 2 audit? Congratulations, but keep in mind that as a service organization you will be expected to undergo a SOC 2 compliance assessment every year.

We hope this article has enhanced your understanding of how a SOC audit is performed. Please reach out to us if you have any queries or need further information.
