Auditwerx Answers | What is the minimum duration period for a SOC report?

While the AICPA does not define a minimum duration period for a SOC report, Auditwerx encourages our clients to conduct a Type 2 engagement covering a period of at least 6 months. The reason is that a period of less than 6 months may not be as useful to a user organization or user auditor looking to gain comfort over controls operating across a typical 12-month period. Oftentimes, when a client comes to us needing a SOC report for the first time, they need it as soon as possible. Auditwerx does require a minimum 3-month testing cycle to ensure our engagements are useful and reliable for our clients and the users of the reports.

Contact us today to discuss our proven SOC reporting process. 



Auditwerx Managing Partner, David Mills, Appointed to AICPA SOC Committee

David Mills, the Managing Partner at Auditwerx, has been selected to serve on the American Institute of Certified Public Accountants (AICPA) committee focused on SOC reporting. 

David was selected to serve on the AICPA’s SOC Peer Review Oversight Committee and the SOC Task Force. The SOC Peer Review Committee handles the selection of SOC peer reviewers and oversight of the SOC peer review process nationally. The SOC Task Force recommends changes to the SOC process and standards, as well as testing recommendations of SOC reporting.

Congratulations David! 



Top 5 mistakes after a data breach

A data breach affects more than your organization’s bottom line. The negative sentiment of experiencing a data breach affects relationships with your current clients and how others view your organization. In certain cases your organization may be legally responsible to your customers as well. Recovering from a data breach is a long but attainable process. Following a few recommended actions after your initial discovery can help your business avoid potential issues in the future.

1. Enlist Expert Help
Depending on the size or type of breach you experience, your organization may need to enlist external help. While external assistance is an added cost, you should evaluate your options with professional Incident Response teams to determine if an ongoing relationship is needed after the breach has been resolved. Partnering with an Incident Response Team can help protect your organization from future attacks.

2. Elect a Leader
Managing a data breach is never an easy task. There are several parties within an organization that will be responsible for resolving the breach, including IT staff and executive management. Electing a strong leader will help ensure all team members are updated and held responsible for their duties. Any external parties involved in the resolution should also have one point of contact. A strong leader will drive the response plan and keep the organization and customers updated on all steps taken to resolve the breach.

3. Communication Plan
Along with electing a strong leader, establishing a communication plan to external parties like the media can help to mitigate negative coverage. Over the years we’ve seen numerous international companies like Target and Premera Blue Cross experience data breaches and release statements to the media and their customers. Responding to these incidents quickly with a detailed action plan has proven to be an effective tactic for organizations to reassure partners and customers that the data breach is being resolved as efficiently as possible. Your organization should consider drafting statements and other materials to release quickly in light of a data breach.

4. Waiting for Perfect Information
It may be tempting to wait for the right information from your Incident Response team before taking action against a data breach. However, waiting for the right, or "perfect," information can cause delays in meeting certain requirements and in communicating with external parties like the media and consumers. It's important for your organization to take action immediately after a breach. Begin executing the first steps in your data breach recovery plan, should your organization have one. It may also be wise to consult with an external partner to get started immediately.

5. Plan Post Breach
Having a Post Breach Plan of Action is vital to the recovery process. Your organization should release details on how consumers can contact your organization to voice their concerns and monitor their financial security, if applicable. You may also consider investing in additional security measures such as outside consultants or improved technology to avoid issues in the future. It's also important to update your internal procedures for managing a data breach and to meet regularly with your team to ensure everyone is kept up to date.

While recovering from a data breach is possible, your organization should look to establish the proper policies, procedures, and technology to ensure your risk is kept to a minimum. Our team of experienced auditors works with numerous organizations to ensure that the organizational controls in place are accurate. Call us today to learn more about how Auditwerx can help your organization prepare for a data breach through our SOC reporting process.




Auditwerx Answers | Can a SOC 1 be used as a SOC 2?

The standards and objectives for SOC 1 and SOC 2 Reports differ greatly. The difference in professional standards makes it impractical for an organization to use a SOC 1 Report in place of a SOC 2 Report, and vice versa. It’s important to know what the goals of your organization are before engaging with an auditor.

A SOC 1 Report evaluates your organization's internal controls over financial reporting and transaction processing. In the U.S., SOC 1 reports use the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) as the professional standard for the engagement. SOC 1 reports are generally intended for the management of the service organization, its user entities' management, and the auditors of user entities.

A SOC 2 Report focuses on data security and is intended for your organization's management team, regulators, business partners, and suppliers. IT service organizations, data centers, and software-as-a-service vendors are likely candidates for a SOC 2 Attestation Report. Section AT 101 on Attestation Engagements is the professional standard used for SOC 2 Report engagements. A SOC 2 report can be issued on a single Trust Services Principle or on a combination of the following: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Regardless of which SOC Report your organization selects, being prepared can make a huge difference in the audit process. Organizing your information and providing a clear explanation of how your specific organization operates are good steps to take before engaging with your auditor.

Contact us to learn more about SOC 1 and/or SOC 2 Reporting.