Sorry, but this feels insane to me! If you're a provider of SOC 2 reports and you allow your auditee to put "periodic" in their control testing for their SOC 2 Type 2 report, what exactly are you testing as part of that control, that it operates in an ad-hoc manner? Am I missing something? I understand firms want to 'de-risk' their reports, but it also removes the value and validity of the control testing. How do you review access quarterly, or within 24 hours of a user terminating, when your report states you do it periodically? #SOC2 #VendorManagement #AICPA
Director at Design Compliance and Security, LLC
Is this based on a report you've read, or is a firm not letting you do it? Management defines the controls; the auditor determines whether the controls meet the criteria. If it's a report you're reading, then it means the auditor thinks the ad-hoc design is adequate to meet the criteria. With the direction I've seen in SOC 2 report quality over the past few years due to the VC-fueled race to the bottom, I've been rejecting more reports than ever when reviewing for clients...