SOC 2 Academy: Internal Control Deficiencies

by Joseph Kirkpatrick / December 16, 2022

Common Criteria 4.2

When a service organization undergoes a SOC 2 audit, auditors will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 4.2 (CC4.2) states, “The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” What will…

SOC 2 Academy: Who is Monitoring Internal Controls?

by Joseph Kirkpatrick / December 16, 2022

Establishing methods of effective monitoring is a critical component of SOC 2 compliance. During a SOC 2 audit, an auditor will assess not only whether an organization is effectively monitoring its internal controls but also whether the proper person is monitoring those internal controls. Why is that? It comes down to the need for checks and balances, so let’s discuss.

Monitoring Internal Controls

When deciding who…

Online Audit Manager

Choosing the Online Audit Manager: One Tool, Multiple Audits

by Sarah Harvey / February 5, 2024

Because of the complexity of today’s threats and the innovation of new businesses, it’s not uncommon for organizations to pursue multiple compliance goals at the same time. Let’s say you provide IaaS solutions: you may want not only a SOC 2 attestation but also HIPAA compliance for the healthcare clients you serve. Or let’s say you’re a payment processing SaaS that needs PCI compliance and a SOC 2 attestation. When…

5 Strategies to Keep You From Wasting Time on Security Questionnaires

by Sarah Harvey / June 15, 2023

If you’re a start-up trying to win new clients, the dreaded security questionnaires are coming your way. Or, let’s say you’re a midsize business that has been operating for years and is bidding on an enterprise-level prospect: a security questionnaire request is in your future. Even we, as an information security auditing firm, are frequently asked about the security of our Online Audit Manager. The questions may seem irrelevant, repetitive,…

SOC 2 Academy: Evaluations of Internal Control

by Joseph Kirkpatrick / December 16, 2022

Common Criteria 4.1

When a service organization undergoes a SOC 2 audit, auditors will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 4.1 (CC4.1) states, “The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” Why is it so important that organizations effectively perform evaluations…