SOC 2/AT-C 105 and 205

SOC Vendor Due Diligence for Title Agencies

The American Land Title Association (ALTA) Best Practices Framework has been developed to assist lenders in satisfying their responsibility to manage third party vendors. ALTA members advocate a safe and efficient transfer of real estate and have high standards when searching land title records and preparing insurance documents. To provide the best possible chance of avoiding land title problems, risk should be eliminated prior to insuring. As such, effective safeguards should be in place.

Read More

Does Your SOC Report Address Subservice Organizations Using the Carve Out or Inclusive Method?

By: Peter Clarke, Managing Consultant at A-LIGN A subservice organization is an entity that is used by the service organization to perform some of the services provided to customers (user entities).  An example of a common service provided by a subservice organization would be a company that offers their data center to a cloud provider (the service organization).  The service organization relies on processes and controls implemented at the subservice organization to meet the Control Objectives or Trust Services Principles of the SOC report. When a subservice organization is utilized by the service organization, there are two methods for reporting on the processes and controls at the subservice organization.  First, the processes and controls can be included as a part of the report.  This is the Inclusive method.  Second, the processes and controls can be excluded from the report.  This is the Carve Out method.  Each method requires that the service organization take steps to determine whether controls are in place and operating effectively to meet the needs of the end user (customer).

Read More

How to Differentiate Your Title Agency for Success in a Dynamic Market

By: Blaise Wabo, Senior Consultant at A-LIGN In 2012 the Consumer Financial Protection Bureau (CFPB) released a bulletin related to service providers’ oversight, in which they expect supervised banks and nonbanks (lenders) to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial…

Read More

Understanding the Impact of Testing Exceptions in Type 2 SOC 1 and SOC 2 Reports

By: Ivan Reyes, Senior Consultant at A-LIGN Standards for Attestation Engagements No. 16 (“SSAE 16”) is an attestation standard whereby a service organization’s auditor issues an opinion on a service organization’s internal controls over financial reporting (ICFR). This is delivered in the form of a Service Organization Controls 1 (“SOC…

Read More

CSA Integrates Cloud Controls Matrix with SOC 2 Reports for Cloud Providers

By: Peter Clarke, Senior Consultant at A-LIGN The AICPA recently released an Illustrative Type 2 SOC 2 Report to assist auditors in reporting on the suitability of design and operating effectiveness on cloud security providers. The Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) builds upon the AICPA’s Trust Services…

Read More

5 Steps to Succeed in Your Next Compliance Audit

By: Jay Anthony, President of Audit Liaison, PA Your organization has determined that there is a need for a compliance audit. But you have so many questions or don’t know where to start? A-LIGN has asked us to put together a short guide to help you decide the correct course…

Read More

Trust Services Principles Update and Impact on SOC 2

By: Sara McLane, Senior Auditor at A-LIGN In February of 2014, the AICPA released the new Trust Services Principles and Criteria (TSP) for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The updated TSP will have a positive effect on our clients and other organizations obtaining a SOC 2 report by increasing the clarity for readers and users of the report. The updated TSP also reduces the appearance of redundancy. The TSP is now broken into two key components. The first major component is the common criteria. These criterions are applicable to Security, Availability, Processing Integrity, and Confidentiality. The Privacy criterions are set forth by the Generally Accepted Privacy Principles (GAPP) and are currently under revision to be released separately. The common criteria are now comprised of seven categories whereas the prior version of the TSP had four categories: policies, communications, procedures, and monitoring.

Read More

Ask A-LIGN: What is the difference between a SOC logo and a SOC seal?

By: Scott Price, Managing Partner of A-LIGN  Answer: Misuse of Service Organization Control (SOC) terminology is a common mishap in the marketplace. When it comes to the use of the SOC logo or seal, many tend to assume the terms mean the same thing (six of one, half a dozen of the other), but in reality they are classified as entirely different entities. Let me explain…

Read More

The Value of SOC 2

If your service organization processes customer transactions that impact financial reporting, such as payroll or other financial reporting functions, you are more than likely familiar with the SSAE 16 SOC 1 report and its predecessor the SAS 70. Your customer’s auditors request the SAS 70, now the SSAE 16, every year to fulfill your customer’s year-end financial statement audit requirements. You gladly undergo the annual SSAE 16 audit so you have the report ready for your customers each year. One SSAE16 audit is worth keeping an army of customer auditors from knocking on your door asking for the same evidence of internal controls. More than likely the SSAE 16 is also required to meet contractual obligations to your customers. So to reduce the number of audits you have to endure each year, to meeting contractual obligations and also to get an independent evaluation of your internal controls, you engaged a CPA firm to perform the SSAE 16 audit.

Read More