How bad is a qualified report? This question comes up almost every time a qualified report is issued to a service organization.

“What are the responsibilities of management and the auditor in relation to internal control?” is a question we often hear from our clients and potential clients. We’ve talked a lot about what the auditor’s responsibilities are in an audit, but what about company management’s responsibilities in an audit? If you sign up for a SOC […]

When presented with the task of an audit being performed, the questions that the auditor and auditee have are: What is the objective of the audit? What is to be achieved? What is the need of the users of the output of the audit?   Identifying Suitable Criteria Every audit is an evaluation of subject […]

The Oxford dictionary defines an assertion as “a confident and forceful statement of fact or belief.” Making an assertion is often used synonymously with stating an opinion or making a claim. While assertions are made in all aspects of life, most people think of a company’s financial statements or the financial statements audit when they think of assertions in an accounting or business setting.

If you are being asked to obtain a System and Organization Controls (SOC) report by your existing user entity or a potential user entity, you may question whether you should obtain a SOC 1, SOC 2, or SOC 3 report. You may also wonder whether it should be a Type 1 or a Type 2 […]

Compliance with the requirements of the HIPAA Security Rule starts with understanding how it is constructed. The HIPAA Security Rule is part of the overall HIPAA Privacy and Security Rule and consists of standards and implementation specifications. Per HIPAA Security Safeguards: Each Security Rule standard is a requirement: a covered entity must comply with all […]

In this blog, we will be discussing the concept of reasonable assurance, what reasonable assurance means, absolute assurance, and how they both relate to SOC report opinions. Understanding the meaning of reasonable assurance is useful to both management of the service organization and also the users of the SOC report. In relation to SOC reports, […]

Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors. These reports come out once a year, typically in the late Fall. While most organizations do a good job of recognizing the need to request these reports, often they are not properly reviewed and evaluated when received. So, what do you do with the report once it has been received other than give it the internal and external auditors?

A SOC (System and Organization Controls) report is a report on controls at a service organization related to various types of subject matter, for example: controls that affect user entities’ financial reporting; controls that affect the security, availability, and processing integrity of the systems; or the confidentiality or privacy of the information processed for user entities’ clients.

Determining materiality in an attestation audit can be challenging when the scope of the audit cannot be quantitatively measured. As stated in an AICPA Discussion Paper, “When providing assurance services, it’s important that practitioners understand what information will most significantly impact stakeholders’ decision-making process, which is central to a practitioner’s consideration of engagement materiality.” In […]