Assurance / Service Audits | SOC Examinations
By:
FRANCISCO ARAUJO
April 16th, 2018
Imagine this, it's a late Wednesday afternoon and you are wrapping up your previous SOC engagement while simultaneously working on your current engagement. A check of your upcoming schedule reveals that next week, yet another SOC engagement for a client in your area looms. Juggling multiple engagements can be tricky, but must less so if there’s a tried and true process that’s become routine. Here are five easy steps to help an auditor prepare for a SOC engagement.
By:
SCOTT ZELKO
June 23rd, 2017
It may come as a bit of a surprise—maybe not—but there are actually two types of SOC reports. Upon examination, the service organization is responsible for specifying whether or not a “Type 1” or “Type 2” will be performed. It’s important to note the specific use of “Type” as a distinguisher--not “SOC 1” or “SOC 2,” as the different specified “types” are options for both the SOC 1 and SOC 2 reports. For those of you that are now thinking, “that’s confusing,” I agree 100% with you. In fact, “Type 2” and “SOC 2” are not at all the same thing, and the “type” of each SOC examination presents important differences for service organizations.
Healthcare Assessments | SOC Examinations
By:
GARY NELSON
May 1st, 2017
The short answer is...yes. Now for the long answer - a SOC 2 report requires that a service organization has sufficient control activities in place to address the Trust Services Principles and Criteria (TSPC) developed by the AICPA. However, there are no stipulations by the AICPA as to what those control activities have to be. As long as the criteria are satisfactorily addressed to align with the risks that a service organization has identified, a service organization has some flexibility with the controls they implement.
SOC Examinations | Audit Readiness
By:
STEPHEN HALBROOK
December 5th, 2016
Here are five steps to help successfully prepare: 1. Validate the Nature of the Request. Does your client base understand the various SOC reporting options and what they are asking of your organization from a compliance reporting perspective? Is there a connection to internal controls over financial reporting (ICFR) of the services that you provide to your clients, or are you looking at general controls of a system that are relevant to security, availability, processing integrity, confidentiality, and/or privacy? SOC 1 can oftentimes be misused by the general public as a generic reference to third party examinations. There is misconception in the marketplace; help prevent it.
Healthcare Assessments | SOC Examinations
By:
OLIVIA REFILE
September 27th, 2016
What is the SOC 2? At a high level a SOC 2 examination is a report on internal controls of a service organization related to the Trust Service Principles and Criteria (TSPs), which include: security, availability, processing integrity, confidentiality and/or privacy. Reporting on these TSPs can provide assurance around the adequacy of your services’ security control environment.
ISO Certifications | SOC Examinations
By:
DANNY MANIMBO
September 6th, 2016
NOTE: Schellman has since updated and expanded this information in an article found here.
By:
BHARGAV ACHARYA
August 15th, 2016
Cloud computing is an efficient, conducive, and ubiquitous model for on-demand network access to a common pool of configurable computing resources, according to the National Institute of Standards and Technology (NIST) Special Publication 800-145. The goal of cloud computing is to achieve rapid provisioning with minimal service provider or management synergy. Cloud service providers typically deliver one of three types of services: