FAQ: Are Representation Letters Required in SSAE 18?

FAQ: Are Representation Letters Required in SSAE 18?

Previously in SSAE-16 a Management Representation Letter was highly recommended and common practice, however, they were not explicitly required to be obtained except in certain existing subject matter sections. This is now consistent across all sections.

Additional FAQs

What are the SOC 2 criteria?

The five SOC 2 criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

What is covered in the Availability criteria?

The availability criteria addresses how you go about ensuring the in-scope data and systems stay online and recoverability should go awry.

Are Third Party Vendor reviews required for SOC 1 and SOC 2?

As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.)

How often is a SOC 2 audit required?

SOC 2 Type II audits should be performed annually, however, there are times you may choose to perform them twice a year. Additionally, if recently completing a SOC 2 Type

SOC 1 Report – Who needs it?

Organizations that handle financial transactions, especially those impacting external financial statements, are good examples of those who need SOC1 audits.

What is SSAE 18 (formerly SSAE 16)?

A SOC 1 Type 1 report typically costs on average anywhere between $10,000 and $20,000 USD, without the readiness assessment project which most Organizations benefit from and can be an

Get Our Emails

SOC Reporting Guide