FAQ: Are Representation Letters Required in SSAE 18?

FAQ: Are Representation Letters Required in SSAE 18?

Previously in SSAE-16 a Management Representation Letter was highly recommended and common practice, however, they were not explicitly required to be obtained except in certain existing subject matter sections. This is now consistent across all sections.

Additional FAQs

Can an organization opt for both SOC2 and ISO 27001?

Yes, they can complement each other. SOC 2 may cover specific areas relevant to service organizations, while ISO 27001 provides a broader approach to information security management.

What are the SOC 2 criteria?

The five SOC 2 criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 1 Report – Who needs it?

Organizations that handle financial transactions, especially those impacting external financial statements, are good examples of those who need SOC1 audits.

What is a SOC 2?

The Service and Organization Controls 2 Report, formally known as a Service Organization Controls Report as of the most recent update to the SSAE 18 audit standard. A SOC 2 report

How many updates to SOC 1 have their been?

SOC 1 stemmed from the original SAS 70 report, which, once SSAE 16 was issued in April 2010, the formal report name was changed to being a SOC 1 report (but issued

Are Third Party Vendor reviews required for SOC 1 and SOC 2?

As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.)

Get Our Emails

SOC Reporting Guide