Chapter 1 - SOC PLANNING AND PERFORMING

Question 1

What is SOC For Cybersecurity??

Answer 1

examination that describes an entity’s cybersecurity risk management program and related controls.

Question 2

What are the 5 trust Services categories?

Answer 2

Security, Availability, Processing Integrity, Confidentiality, Privacy

Question 3

Why is disclosure important for subsequent events?

Answer 3

It is required so users of the report are not misled

Question 4

Where is the disclosure presented in the Soc report?

Answer 4

in the description of the company’s system or management’s assertion

Question 5

Who determines if Disclosure is needed if there’s a subsequent event? What should Auditor do?

Answer 5

The auditor should request that management evaluate the breach and determine if a disclosure is needed.

Question 6

Who are the intended users of a Soc 1

Answer 6

User auditor, user entities, and service org management

Question 7

What does NIST Cybersecurity Framework Profile do?

Answer 7

Identifies the outcome a company has prioritized to remediate control gaps

Question 8

What method does the Subcompany have to provide a Management representation letter? What do they both contain?

Answer 8

inclusive not carved out & description of sub companies services

Question 9

What opinion should you give if management refuses to provide a written representation letter?

Answer 9

– Provide a modified opinion because of a scope of limitation.

Question 10

What are you called if a company retains responsibility for controls and monitors you?

Answer 10

A vendor

Question 11

What should an auditor do if a subsequent event becomes known?

Answer 11

Perform additional procedures

Question 12

What is used to measure of evaluate managements description of the system?

Answer 12

Aicpa dc section 200 description criteria

Question 13

What is used to measure of evaluate managements description of the system?

Answer 13

Aicpa dc section 200 description criteria

Question 14

What criteria is used to prove controls were designed, implemented, and operated to provide assurance ?

Answer 14

Aicpa TSP section 100 trust services criteria

Question 15

How does an auditor determine materiality?

Answer 15

-Misstatements
-qualitative and quantitative factors
-the circumstances, nature, size, and extent of misstatements

Question 16

What forms the basis for the auditors opinion of the systems description, control design, and control effectiveness?

Answer 16

Managements written representation

Question 17

When is it okay to give a disclaimer of opinion? What do others get if not pervasive?

Answer 17

Scope limitation if material and pervasive, if not its a qualified opinion

Question 18

What phase does the auditor obtain a signed management rep letter?

Answer 18

Reporting

Question 19

What does the management description cover under the Inclusive METHOD?

Answer 19

Sub services org controls objectives and related controls

Question 20

What should you do regard events after the examination period but before the auditors report date in Soc 2 engagement?

Answer 20

include disclosure in the description or managements assertion so people aren’t misled.

Question 21

who are the intended users of a Soc 1 report? purpose?

Answer 21

User entities, company management, user auditors

The purpose is to assure controls relevant to user entities’ Internal control over Financial reporting

Question 22

who are the intended users of a Soc 2 report? purpose?

Answer 22

management and parties who have a direct relationship with the org and knowledge and understanding of the system

Purpose- assure controls relevant to security, availability, processing integrity, confidentiality, or privacy.

Question 23

who does the audit have to be independent of in a Soc engagement?

Answer 23

The company, Subcompany if the inclusive method is used

not user entity!

Question 24

What is included in management’s description if the Carve out method is used?

Answer 24

must explicitly state that the description does not extend to complementary sub-company controls (CSOCs

Question 25

What is included in management’s description if the Inclusion method is used?

Answer 25

explicitly state that procedures were also performed on the sub- company’s system description and controls.

Question 26

Who is responsible for defining the scope of the audit engagement? What is included in the audits scope?

Answer 26

The company is

Systems and services

Question 27

What opinion would you give for a scope limitation if it was material but not pervasive? What if it was pervasive?

Answer 27

Qualified opinion

Disclaimer of opinion

Question 28

Where does management describe Complementary user entity controls?

Answer 28

Description of the company’s system

Question 29

How does the audit determine his report date?

Answer 29

the date on which the service auditor has
1. completed audit procedures
2. received management’s finalized description, assertion
3. signed representation letter.

Question 30

What is a sub-company considered under the inclusive method? What must they prepare? Where is it located?

Answer 30

a Responsible party, Written assertion, directly behind the company’s assertion letter.

Question 31

What would an auditor inspect if evaluating confidentiality to obtain an understanding of the effectiveness of any system’s internal controls?

Answer 31

policies and procedures

Question 32

What is the most expensive test of a disaster recovery plan?

Answer 32

Preparedness test

• Each office/area will be tested to ensure that the disaster plan is adequate.

Question 33

What type of development bridges the gap between business impact analysis and continuity planning?

Answer 33

Strategy Development

by analyzing and prioritizing the risks brought forward during the business impact analysis.

Question 34

What ensures effective functioning of the system and mitigating associated risks?

Answer 34

Segregation of duties

Question 35

What is the auditors primary responsibility related to a subcompany?

Answer 35

Access the suitability of the companies controls for achieving specific goals tied to the service they provide to the user entity.

Question 36

The number of deviations is an example of what type of materiality factor

Answer 36

QUANTITATIVE

Surround issues that are numerical

Question 37

The presence of distortion or omission is an example of what type of materiality factor?

Answer 37

qualitative

involves the quality of information presented

Question 38

What should you do if you want to obtain an understanding of how a company communicates incident reporting information to a carved-out sub-company?

Answer 38

Review the company’s contractual agreement with the sub-company

• inspect the contract, SLA, or SOC 2 REPORT to understand the services.

Question 39

how should the auditor identify the boundaries of a system?

Answer 39

a risk assessment and compare it to management description of the system