A2

Question 1

SOC 1 report?

Answer 1

Focuses on internal controls of a company and is made for users that know about the company like management.

Question 2

SOC 2 report?

Answer 2

Focuses on financial reporting and is distributed to knowledge people of the company for example management.

Question 3

SOC 3 report?

Question 4

Type 1

Answer 4

Focuses on design of controls in a point in time

Question 5

Type 2

Answer 5

Focuses on design and operating effectiveness over a period of time.

Question 6

Trust service criteria?

Answer 6

If the company meets these goals they will meet their objectives. (confidentiality, availability, processing integrity, privacy, and security)
Set forth the outcomes that an entity’s controls should meet to achieve the entity’s objectives.

Question 7

Availability?

Answer 7

Ensuring information and systems are available for operation and use to meet the entity’s objectives.

Question 7

What engagements used Trust service criteria?

Question 8

Processing integrity?

Answer 8

Ensuring system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Question 9

Control activities?

Answer 9

Ensure the proper application of policies and procedures that help ensure management directives and control objectives are met.

Question 10

Control environment?

Answer 10

Which covers control from the perspective of the board and management through integrity, ethics, the proper corporate structure, and establishing an environment that holds employees accountable.

Question 10

Disclaimer Opinion?

Answer 10

Management does not provide the required information to complete the financials.

Question 11

Adverse opinion?

Answer 11

A mistake that is material and pervasive, so it occurs often.

Question 11

Qualifies Opinion?

Answer 11

Material misstatement but not pervasive so it doesn’t occur often.

Question 12

Unmodified Opinion?

Answer 12

No material deficiencies.

Question 13

System description for SOC 2 engagements?

Answer 13

The description enables report users to understand the system, the processing and flow of data throughout and from the system, and the procedures and controls in place to manage risk.

Question 14

What should be reported when deviations are found?

Answer 14

Include information on the number of items tested and the number and nature of deviations. Causative factors are optional.

Question 15

When is a service auditor supposed to be independent?

Answer 15

When performing SOC engagements but not when testing each user entity.

Question 16

What type of opinion should be issued when there is no independence?

Answer 16

Disclaimer opinion stating that the auditor is not independent.

Question 17

Privacy?

Answer 17

Has to do with the life cycle of sensitive private information from acquisition to disposal.

Question 18

Amending extent of testing?

Answer 18

Consider tolerable and expected rate of deviation.

Question 19

What happens when a control is not fully implemented?

Answer 19

You conclude that management is including controls that are not implemented and that they must exclude them.

Question 20

Complementary subservice organization controls?

Answer 20

Vendor controls that are necessary, in combination with the service organization controls, to provide reasonable assurance that service commitments and system requirements are achieved.

Question 21

Complementary user entity controls?

Answer 21

Are the controls at a user entity (or customer) of a service organization, which are necessary, in combination with the service organization’s controls, to provide reasonable assurance that the service commitments and system requirements are achieved.