SOC 1 Resources

Combining SOC 1 and SOC 2 Audits

We get a lot of questions about SOC 1 and SOC 2 audits. What’s the difference between the two? Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 1 and SOC 2 audit.


Most Common SOC 1 Gaps

If you knew a hurricane or car accident was going to happen, wouldn’t you do your best to prepare for it? You’d want to know every detail of its likelihood so your plan of action would prevent as much damage as possible. The same principle applies to information security breaches – that’s why it’s important for your organization to be aware of and remediate common security gaps so you can avoid the vulnerabilities that hackers use to breach data systems.


How to Hire a CPA Firm for Information Security Audits

Before choosing an audit firm to work with, you must understand why, for some types of audits, you need a CPA firm to perform the services. Clients and prospects ask us all the time why accountants are allowed to perform information security audits. We understand the confusion behind this sentiment and want to provide some clarity.


How to Read Your Vendor’s SOC 1 or SOC 2 Report

Most organizations outsource some aspect of their business to vendors, whether it’s to perform a specific, integral task or replace an entire business unit. Vendors can be in roles like customer support, financial technology, record storage, software development, or claims processing. Using vendors can further an organization’s business objectives, enable them to function more effectively, and may be more cost-efficient. With all these opportunities, organizations must remain aware of the risks vendors carry with them.


3 Reasons to Stop Hesitating and Complete Your SOC 1 Audit

With the compliance landscape rapidly changing, it’s important to stay up-to-date with current standards to gain trust and respect from your clients. If you’ve been considering getting a SOC 1 audit, but keep putting it off, what are you waiting for? Here are three reasons to stop hesitating and start your SOC 1 audit today.


Top 10 Things to Prepare for Your SOC 1 Audit

If your customers rely on you to protect consumer information, chances are you may be asked to produce a SOC 1 audit report. A SOC 1 audit reports on the controls at an organization that are relevant to, or may affect, a client’s financial statements. This reporting framework is designed to demonstrate that an organization has proper internal controls and processes in place to address information security and compliance risks. It’s not uncommon to have a million questions the first time you have a SOC 1 audit performed. Where do we start? What does a SOC 1 entail? Will we fail? Here are 10 things you can do to prepare for your SOC 1 audit.


Moving from SSAE 16 to SSAE 18: Upcoming Changes to SOC 1 Audits

In April 2016, the American Institute of Certified Public Accountants (AICPA) made an important update to the attestation standards that will affect your next SOC 1 audit. Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification provides changes to SOC 1 audits and how attestation engagements are categorized. What is the reason for this change and how will SSAE 18 affect you?


What is an Independent Opinion in Auditing?

In order for an audit to comply with regulations, it must be conducted by an auditor with an independent opinion. What is an independent opinion? It’s an auditor’s unbiased, objective stance towards an organization which leads to an accurate, credible report on an organization’s security and compliance.


Choosing a Higher Level of Assurance

When a quality audit is performed by KirkpatrickPrice, there are many qualified experts behind the scenes completing the documentation review, project management, onsite visit, remediation efforts, report writing, and quality assurance. These security professionals work to provide the best assurance service possible to your organization. How exactly can you finish your audit process feeling assured and secure? You need to make sure you aren’t settling for anything less than a high quality audit.


What Does Reasonable Assurance Mean?

The AICPA defines reasonable assurance as a high, but not absolute, level of assurance. In an audit, that means perfection is not the goal because absolute assurance is not obtainable. Instead, auditors use reasonable assurance in their testing to come to a practical conclusion about the details of your organization’s security controls. At KirkpatrickPrice, our Information Security Specialists provide expert audits that focus on accuracy, attention to detail, and skilled efforts to meet standards of reasonable assurance.


Explaining Audit Periods

While SOC 1 Type I audit engagements evaluate a service organization’s internal controls that could impact their user organizations’ internal control over financial reporting (ICFR) at a specific point in time, a SOC 1 Type II audit evaluates a service organization’s internal controls that could impact their user organizations’ internal control over financial reporting (ICFR) over a period of time, usually between six and twelve months. How do go about choosing your audit period? There are a few things you need to know.


What is a SOC 1 Report?

Once you’ve made it through the evidence gathering portion of the SOC 1 audit process, our specialized team of professional writers will take the information gathered by our auditors and provided by you in our Online Audit Manager to create a final SOC 1 report. What is a SOC 1 report? It is a report that is based on the Statement on Standards for Attestation Engagements Number 18, Section 320 (SSAE 18) and reports on the effectiveness of your internal controls that may be relevant to your client’s internal controls over financial reporting (ICFR). What’s included in this report? How do you use a SOC 1 report? Let’s find out.


Will I Pass or Fail the SOC 1 Audit?

If your organization is making the investment in information security audits, it’s understandable to question whether or not you will pass or fail the audit. After all, many organizations pursue compliance because they have something at stake, like a new client or big product launch, and if they do not pass the audit, there could be severe consequences. However, there’s good news when it comes to SOC 1 audits: the framework is build on the SSAE 18, a standard that is not based on a pass or fail model. Instead, your SOC 1 compliance is determined based on reasonable assurance. What exactly does that mean? Let’s take a look.


Do I Need a SOC 1 Type I or a SOC 1 Type II?

If you’ve been asked to demonstrate SOC 1 compliance, you’ll need to determine what exactly is being asked of you. For example, do you need a SOC 1 Type I or SOC 1 Type II audit? Do you need both? Let’s take a look at the difference between a SOC 1 Type I and SOC 1 Type II audit and how you can determine which is most suitable for your organization’s compliance efforts.


The Difference Between SOC 1 Type I and SOC 1 Type II

When you begin thinking about pursuing SOC 1 compliance, you’ll have the option of choosing a Type I or Type II audit. While both of these audits assess a service organization’s controls and processes that may impact their clients’ internal control over financial reporting (ICFR), the biggest difference between SOC 1 Type I and SOC 1 Type II is the audit period.


What is a SOC 1 Audit?

Often times, clients might ask you to complete a SOC 1 audit, which might leave you asking, “What is a SOC 1 audit? Why does my organization need one?” If your organization has the ability to impact your customers’ internal controls over financial reporting (ICFR), then you’re likely to be asked by those customers to undergo a SOC 1 audit. But what is a SOC 1 audit exactly?


Auditing Basics: Auditor’s Test of Controls

In order for an audit firm to be able to provide reasonable assurance and issue an opinion on an organization’s compliance with SOC 1 or SOC 2 audits, they have to test the internal controls that each organization has in place and verify that they are working as intended. To do this, auditors typically perform three types of tests of controls: interviews, reviews, and observations.


Auditing Basics: What is Scope?

Knowing where your assets reside is critical for any organization. Why? Because knowing where your assets reside and which controls apply to them is the only way you can manage and secure them from a potential data breach or security incident. During the initial phases of a SOC 1 or SOC 2 audit, an auditor will walk you through defining the scope of your audit. But what exactly does that entail?


Auditing Basics: Audit Risk, Control Risk, and Detection Risk

SOC 1 and SOC 2 audits are largely impacted by various types of risk. During a SOC 1 and SOC 2 audit, an auditor will be focused on limiting the following types of risk: audit risk, control risk, and detection risk. So, how are those risks different? How to they affect an auditor while performing SOC 1 or SOC 2 audits? Let’s discuss.


Auditing Basics: Carve-Out vs. Inclusive Vendors

During the initial scoping phases of an organization’s audit engagement, your auditor will partner with you to help you narrow down the third-party vendors to be included in your engagement. In order to ensure that your organization’s security posture is and remains strong, you need to consider the impact that the third-party vendors you’ve entrusted sensitive data with could have on your organization.

This means that you’ll need to be able to list who your third-party vendors are, what services they provide to you, and whether they’ve gone through audits themselves. Knowing this information will help you determine whether or not you need to carve them out of your audit or include them. What’s the difference between carving out or including third-party vendors in an audit? Let’s take a look.


Auditing Basics: What is a Gap Analysis?

If it’s your first time pursuing compliance for any framework – whether it’s SOC 1, SOC 2, PCI DSS, HIPAA, GDPR, etc. – we strongly recommend beginning your engagement with a gap analysis. At KirkpatrickPrice, we’re committed to helping our clients get the most out of their audit, which means that we don’t want you to fail due to lack of preparation. That’s why our gap analysis service is specifically designed to help you prepare for the audit so that you can meet your compliance goals. How does the gap analysis process work?


Auditing Basics: What are Control Objectives?

Control objectives are statements that address how risk is going to be effectively managed by an organization, and your auditor will be validating whether or not your organization meets these control objectives during a SOC 1 or SOC 2 audit.


Auditing Basics: What is an Assertion?

At the beginning stages of the SOC 1 or SOC 2 audit process, an organization will be asked to provide management’s written assertion to their auditor. This assertion lays the foundation for the audit because it is a written claim by an organization describing their systems and what it is their services are expected to accomplish for the organizations they do business with. It tells auditors how an organization’s system is designed and how it’s supposed to operate.


SOC 1 Compliance Checklist: Are You Prepared for a SOC 1 Audit?

Are you looking to begin your SOC 1 compliance journey? Are you in need of guidance to get started? Do you want to know what your auditors will be looking for? This exclusive SOC 1 compliance checklist outlines the specifics on each system component that will be evaluated by your auditor during your SOC 1 audit.


Everything You Need to Know About SOC 1 Audits

Are you being asked by a top client for a SOC 1 audit report? What is a SOC 1 report? Do you need a SOC 1 audit? In this free white paper, Everything You Need to Know About SOC 1 Audit, you’ll find answers to frequently asked questions about SOC 1 audit reports and learn how your organization can benefit from having a SOC 1 report and what you can expect from your SOC 1 audit process.