A common concern being expressed by the general public and the United States government is the state of cybersecurity and the strength of the country’s ability to protect itself against a cybersecurity attack from within and without the United States. In response to this concern, the Department of Defence (DOD) has been working on the […]
About Lois Colby (Partner | CPA, CIA, CISA)
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1 and SOC 2 audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.
Critical Audit Matters (CAMs) & SOC 1 Reports – Could They Be Related?
Auditors performing financial statement audits are already aware of the Public Company Accounting Oversight Board (PCAOB) auditing standard AS 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion effective for audits of fiscal years ending on or after December 15, 2017. Within this standard are the requirements […]
SOC 2 Audit Considerations for AI & ML Subservice Organizations
With the rise of organizations providing artificial intelligence (AI) or machine learning (ML) tools and services, one has to wonder about the risks associated with those services and the security, at the very least, of the data used for and created as a result of the AI and ML services. Data considerations include the makeup […]
2023 Trust Services Criteria (TSCs) for SOC 2 Reports
There are five Trust Service Principles (TSPs) that can be included in the scope of a SOC 2 examination.
SSAE-21: New AICPA Guidance for Assertion-Based & Examination Engagements
In September 2020, the AICPA issued a new Statement on Standards for Attestation Engagements (SSAE) labeled as SSAE No. 21, Direct Examination Engagements. You might ask, “Why do we care about it now?” We care about it now because it is effective for all practitioners’ reports dated on or after June 15, 2022. A date […]
Audit Trails for the SOC 1/SOC 2 Audit & Investigative Processes
Consider this, an organization has an internal or external audit about to start or an incident has occurred that needs to be investigated. These activities each require evidence to support the who, when, what, where, and why of the activity. One way this can be done is by tracing the activity through an audit trail. […]
SOC 2 Software Tools: How They Affect the SOC Audit Process
Over the last several years there has been a growth in the offering of SOC 2 software tools or, also thought of as SOC 2 compliance monitoring tools (of which these terms will be used interchangeably throughout this article). These tools provide functionality and support designed to help a service organization attain SOC 2 compliance. […]
Security & Privacy: You Can’t Have Privacy Without Security
In today’s world, great importance and attention are placed on personal privacy and, importantly, privacy over an individual’s personal information and data. The highly electronically connected world and easy availability of information on the internet and through information sharing between organizations raise the concern as to how individuals’ personal information and data are protected. There […]
External Penetration Testing & SOC 2 Reports: How Are They Related?
When discussing if a company has implemented the necessary controls to meet the AICPA Trust Services Criteria for a SOC 2 engagement, one of the questions that often comes up is if an external penetration test is required. To aid in the discussion, this article will focus on the makeup of an external penetration test […]
Entity-Level Controls: Impact On An Organization & The Audit Process
When considering controls for an organization, it may not be known that there are more than one level or type of control. To manage their business operations, organizations will have entity-level, divisional, regulatory, transaction-level, and process-specific controls to name a few. Of these controls, entity-level controls are considered to be a crucial part when: one […]