SOC 2

What are the SOC 2 Password Requirements? SOC 2 password requirements are a set of criteria and policies developed by the American Institute of CPAs (AICPA) to ensure the secure management and storage of passwords within organizations. These standards are a part of the SOC 2 framework that outlines secure data handling practices, and password …

What is a SOC 2 Management Assertion? SOC 2 management assertion refers to a formal statement made by the management of an organization undergoing a SOC 2 audit. This assertion plays a pivotal role in the auditing process, providing a clear representation of the organization’s commitment to security, availability, processing integrity, confidentiality, and privacy, as …

What is a System Description of a SOC 2 Report? A system description within the context of a SOC 2 (Service Organization Control 2) report is a detailed narrative that outlines the key components and operational aspects of a service provider’s system. This description is a critical element of SOC 2 compliance, providing users and …

What is SSAE 16?  SSAE 16, otherwise known as Statement on Standards for Attestation Engagements No. 16, was an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It was issued in April 2010 and was specifically designed for service organizations that provide outsourced services. SSAE 16 was introduced to enhance the …

What is SSAE 18? SSAE 18, also known as Statement on Standards for Attestation Engagements No. 18, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It recently replaced the previous standard SSAE 16 in May 2017 and introduced several changes and enhancements to meet the evolving needs of the …

What is a system description?  Generally speaking, a system description is a section of a technical document or report that provides an overview of the system, its structure and components, and explains how it works. It may also provide information about related systems and technologies used in conjunction with the main system. System descriptions are …

Are you curious about SOC 2 bridge letters? If so, you’re in the right place. We’ll dive deep and provide you with an overview of what a SOC 2 bridge letter is, who issues them, and how long they last. A bridge letter is an important document in the world of system and organization controls …

What are SOC Trust Services Criteria? The SOC (Service Organization Control) Trust Services Criteria is a set of standards established by the AICPA (American Institute of Certified Public Accountants) for service organizations. These criteria are designed to provide assurance that a service organization has implemented proper internal controls over its operations.  The Trust Services Criteria …

What is the carved-out vs inclusive method? Simply put, these are two different methods for SOC reporting of your subservice organizations specifically. Subservice organizations include managed service organizations, data center providers, cloud providers, etc. Think about modern-day businesses. It is no longer common practice to develop your own system end-to-end. You would rather make use …

SOC 2 attestation, explained Breaking it down into definitions, an ‘attestation’ is defined as “a declaration that something exists”, and “evidence or proof of something”. A synonym for attestation is the word ‘vouch’. That is the best way to simplify this. What is a SOC 2 attestation report in the compliance and audit world? Well, …

By now, you should be very familiar with a SOC 2 report. In terms of classification of the report itself, a SOC 2 report is a private report. The nature of the report means that it contains sensitive information about the organization and their control environment, including systems used, specific control information, management assertion information, …

What SOC 2 compliance testing procedures does an auditor follow? This question can only be answered at a high-level. The reason for this is that the specific methodology of each auditing company varies. In all instances, the testing procedures that are defined, address the same requirements (i.e. a specific control is tested in a similar …

Overview of subservice organizations As part of the SOC 1 or SOC 2 process, an organization needs to go through an exercise to identify vendors that are performing a service to the organization. Once those vendors are identified, the organization needs to understand which of those services performed have an impact on the control environment …

SOC 2 standard SOC stands for Service Organization Controls (SOC). The controls that you design and implement inside your control environment will vary based upon the people, technology, and products your company develops. SOC 2 is based on five principles, which are: SOC 2 requirements When reviewing the nine SOC 2 trust service criteria (TSC) …

What is the AICPA? The AICPA (American Institute of Certified Public Accountants) is the US’s organization of Professional CPAs (Certified Public Accountants). The AICPA is the founder and originator of the SOC reporting standard and audit. Furthermore, the AICPA is a very influential body of professional accountants, and they combine the skills and expertise of …