About Lois Colby (Partner | CPA, CIA, CISA)

There are five Trust Service Principles (TSPs) that can be included in the scope of a SOC 2 examination.

In September 2020, the AICPA issued a new Statement on Standards for Attestation Engagements (SSAE) labeled as SSAE No. 21, Direct Examination Engagements. You might ask, “Why do we care about it now?”  We care about it now because it is effective for all practitioners’ reports dated on or after June 15, 2022.  A date […]

Consider this, an organization has an internal or external audit about to start or an incident has occurred that needs to be investigated. These activities each require evidence to support the who, when, what, where, and why of the activity. One way this can be done is by tracing the activity through an audit trail. […]

Over the last several years there has been a growth in the offering of SOC 2 software tools or, also thought of as SOC 2 compliance monitoring tools (of which these terms will be used interchangeably throughout this article). These tools provide functionality and support designed to help a service organization attain SOC 2 compliance. […]

In today’s world, great importance and attention are placed on personal privacy and, importantly, privacy over an individual’s personal information and data. The highly electronically connected world and easy availability of information on the internet and through information sharing between organizations raise the concern as to how individuals’ personal information and data are protected. There […]

When discussing if a company has implemented the necessary controls to meet the AICPA Trust Services Criteria for a SOC 2 engagement, one of the questions that often comes up is if an external penetration test is required. To aid in the discussion, this article will focus on the makeup of an external penetration test […]

When considering controls for an organization, it may not be known that there are more than one level or type of control. To manage their business operations, organizations will have entity-level, divisional, regulatory, transaction-level, and process-specific controls to name a few. Of these controls, entity-level controls are considered to be a crucial part when: one […]

When presented with the task of an audit being performed, the questions that the auditor and auditee have are: What is the objective of the audit? What is to be achieved? What is the need of the users of the output of the audit?   Identifying Suitable Criteria Every audit is an evaluation of subject […]

In the world of accounting and audit services, assurance, attest, and audit play key roles. The question often arises: What is audit assurance? What is the difference between these three terms? How do they relate or complement each other? A definition check with Merriam-Webster provides the following: Assurance: the state of being assured: such as […]

Every organization should design a control structure to identify and address risks related to internal and external forces that impact an organization.  This control structure includes four main types of Internal Controls: Manual Controls IT Dependent Manual Controls Application Controls IT General Controls Preventive and Detective controls can be found within each of these four […]