Isaac Clarke

If you are reading this post, chances are you’ve recently learned that your company needs a SOC 2 report (or a SOC 1 report). Your first thought was probably, “What is a SOC 2?” Which was quickly followed by “How much is this going to cost?” This is a perfectly normal and reasonable question to [...]

Picture this. It’s the middle of a SOC 2 readiness assessment, and a SaaS company – let’s call them BrightCloud – discovers that their cloud provider’s physical security controls aren’t auditable. The team panics. Suddenly, they’re staring down the decision: carve out method vs inclusive method. It’s not a theoretical question anymore. It’s a fire [...]

Defining the scope of a SOC (System and Organization Controls) assessment is often the starting point for any meaningful audit preparation. The scope is critical because it determines which systems, services, and periods will be evaluated, impacting the value and usefulness of the SOC audit report to stakeholders. In this article, we’ll walk through essential [...]

How do companies keep track of who’s supposed to see what information? What if a disgruntled ex-employee still had access to sensitive files? Or a hacker could easily impersonate the CEO? Identity and Access Management (IAM) is the answer, ensuring the right people (and only the right people) get access to the right systems and [...]

What is an Internal Audit? The Institute of Internal Auditors (IIA) defines internal audit as the “independent, objective assurance, and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and [...]

Having the right controls in place is critical for an organization to protect its systems and safeguard its clients’ data. Identifying, designing, and implementing an appropriate set of controls is quite an accomplishment for most young companies. If you have implemented controls within your organization to maintain security, the next question to ask is: How [...]

For many people, the words "internal audit" conjure a sense of fear and anticipation of high cost. Even under the best circumstances, having someone review your activities can be intimidating, but internal audit provides an unbiased, independent review of data and business processes. [...]

When we are approached by a prospective client to perform a SOC 1 (f. SSAE 16) audit, we will ask what control objectives they want to include in the scope of the examination. In some cases, they have responded with their own question: What is a control objective? This blog will address that question, as [...]

We often meet with executives of small and medium-sized companies who are debating whether or not they need a System and Organization Controls (SOC) report. The decision comes down to one simple question: “Are your customers asking for a SOC report?” If they are, you will need to get one or be prepared to lose [...]

Service organizations often ask our firm if they have to give out their SOC 1 (formerly SSAE 16) or SOC 2 report to user organizations or prospective user organizations [...]