What Will Be in My SOC 2 Report?

by Maggie Austin / December 20, 2022

The Seven Components of a SOC 2 Report

You’ve partnered with a licensed CPA firm, you’ve properly scoped your environment, you’ve conducted a SOC 2 gap analysis, you’ve remedied any non-compliant findings, you’ve worked with your auditor, you’ve completed your SOC 2 audit and achieved SOC 2 compliance, and now you’re finally receiving your SOC 2 report. Congratulations! You may be wondering, what will be in my SOC 2 report?…

What is the Purpose of the SOC 2 Privacy Principle?

by Sarah Harvey / December 20, 2022

Why Choose the Privacy Principle?

Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Criteria you want to include in your SOC 2 audit report. Typically, service organizations that are concerned about the Privacy Principle are collecting, using, retaining, disclosing, and/or disposing of personal information to deliver their services. A classic…

Understanding Your SOC 1 Report: What is a SOC 1 Report?

by Joseph Kirkpatrick / February 22, 2023

What is a SOC 1 Report?

Has a prospect recently asked if your organization has a SOC 1 report? Has a top client requested that you begin completing annual SOC 1 audits? Meanwhile, you’re just wondering, what is a SOC 1 report? Does your service organization affect user organizations’ financial reporting? If so, a SOC 1 would apply to you. SOC 1 engagements are based on the SSAE 18 standard developed by…

Understanding Your SOC 1 Report: How Does Sampling Work?

by Joseph Kirkpatrick / December 20, 2022

Sampling During a SOC 1 Audit

When an auditor performs a test of control during a SOC 1 audit, it may be appropriate to apply sampling. Sampling is applying audit procedures to less than 100% of a population. The types of populations that could need to be tested include new hire training forms, employee acknowledgements of policies and procedures, antivirus reports, or access control logs. The PCAOB states that sampling…

PCI Requirement 9.10 – Ensure Policies and Procedures for Restricting Physical Access to Cardholder Data are Documented, In Use, and Known to All Affected Parties

by Randy Bartels / December 20, 2022

Implementing PCI Requirement 9.10

PCI Requirement 9 states, “Restrict physical access to cardholder data.” Complying with PCI Requirement 9 is critical to ensuring that cardholder data is physically accessed only by authorized personnel. For this requirement, we’ve discussed aspects of physical security such as facility entry controls, visitor identification and access controls, how to physically secure media, controlling the distribution of media, how to destroy media, and more. But,…