ICS 4

Question 1

Soc 1 for Service Org

Answer 1

IC over financial reporting - controls @ service org that are likely to be be relevant to user IC over financial reporting

Reports resticted to mgmt of service org, user entity and indepenent auditor

Question 2

Soc 2 for Service Or

Answer 2

Trust Service Criterai - seucirty, availablity, or processing integrityof a system, or the confidentialty or privacy of inforamation processed by the system. Reports are intended for those who have sufficient knowledge and understading of service org, services provided, and systems used. Mgmt and service auditor should agree on users of report

Question 3

Soc 3

Answer 3

Trust Services Criteria for General Use Report - controls were effective to provide ressonable assurance that service commitmentsand sytem requirements were achieved based on pplicable trsut services criteria. Report does not include description of system, test of controls or results - for general user

Question 4

Type 1 Report

Answer 4

fairness of the presentation of mgmt description of system and design of controls as a specific date. (Soc 1/2)

Question 5

Type 2 Report

Answer 5

fairness of the presentation of mgmt description of system and design and operating effecivness of controls for a period. (Soc 1/2) SOC 3

Question 6

Type 1 report contents

Answer 6

MGmt description of system, written assertation by mgmt that description fairly presents system that was deigned/implemented and controls related to control objects state in mgm description were suitably designed to achieved control objectives. - Expressed opinion

Question 7

Type 2 report contents

Answer 7

MGmt description of system, written assertation by mgmt that description fairly presents system that was deigned/implemented and controls related to control objects state in mgm description were suitably designed to achieved control objectives. - Expressed opinion anddescription of test of controls and reuslts

Question 8

5 categories of the Trust services

Answer 8

CAPPS
Confidentiality
Availablity
Processing Integrity
Privacy
Security

Question 9

Application and Use of trust services

Answer 9

• SOC for cyber security engagement (security, availablity, and control)
• SOC 2 Engagement -
• SOC 3 Engagement
  Sutiabilty of design and operating effectivness of controls of an entity over one or more sysyems relevant to trust cateogiries

Question 10

COSO Control Env.

Answer 10

Control from prospective of board/mgmt through integirty, ethics, structure, enviornment of accountability

Question 11

COSO Risk Assessment

Answer 11

identifying risks, considerations for potential fraud, changes that may impact IC.

Question 12

COSO Control Activities

Answer 12

Control activities implemented and designed to ensure the proper applicationof polices and procedures that help ensure mgmt directives and control objectives are met.

Question 13

trust services supplemental crtiera

Answer 13

logical/physical access controls, system operations, change management, risk mitigation

Question 14

COSO Information and Communication

Answer 14

obtaining, gathering, and controlling information and communication

Question 15

COSO Monitoring

Answer 15

conduct ongoing evaluations of control activities and communciate internal control deficiences

Question 16

Add’l criteria for Availablity

Answer 16

ability to ensure systems are continousy available as needed by maintinaingnd monitoring processing cabilities, identifying and responding to threats, and ensuring a recovery planis in place and tested.

Question 17

Add’l criteria for Processing

Answer 17

Consideration related to creating, using, and communicating quality info so objectives will be met regarding product/service specs, controls for completeness and accuracy, productivity, and system specs.

Question 18

Add’l criteria for Confidentiality

Answer 18

ensuring confidential info is handled approproiatly

Question 19

Add’l critieria for Privacy

Answer 19

privacy related to collecting personal data, obtaining consent, using only as intended, managing access, discolsing policies to third parties and individuals, maintaining complete and accurate records, monitoring and encofcing practices in place.

Question 20

When forming an opinion in SOC engagement what should auditor evaluate?

Answer 20

sufficiency and appropriatness of evidence, whether uncorrected misstatements, individual or in accurate are material.

Question 21

In SOC engagement what is opinion about?

Answer 21

subject matter is in accordance with (or based on) the criteria, in all material respects, or the assertion is failry stated in all material respects.

Question 22

Opinion foucses on?

Answer 22

Fair presentation of mgmt description of service orgs system, suitabilty of design of controls, effective operation of controls stated (Type 2)

Question 23

SOC Unmodified opinion

Answer 23

In all material respects based on the criteria described in management assertation;
1. Mgmt description is fairly presented. SOC2 “in accordance with description criteria”.
2. Controls stated suitabily designed - SOC2 “provide rasonabel assurance that serv. org service commitmenets and system requirements were achieved based on trust services criteria”.
3. Controls operated effectvily (Type 2) - SOC2 - “to provide resonable assurance..”

Question 24

SOC and User entity controls

Answer 24

If application of complementary user entity controls is necessary to achieve the control objective stated by mgmt, statement to that effect

Question 25

When would you modify an opinion

Answer 25

When unable to obtain suffiicent appropraite evidence (in all material respects)or subject matter is not in accorance with criteri in all material respects

Question 26

How is a modified opinion reflected in report

Answer 26

descrition of matter or matters giving rise to modification

Question 27

What is taken into consideration when modifying an opinion?

Answer 27

nature of the matter, profesional judgement on pervasivness of effects, or possible effects, of the matter on the subject matter of engagement

Question 28

Qualified opinion

Answer 28

expect for the effects of the matters, description is presented in accordnace with criteria and controls were suitabliy designed/operating effectivly in all material respects

Question 29

Adverse opinion

Answer 29

description misstatements are material and pervasiive, or defencies in designor operationo f contorlsare material and pervasive.

Question 30

Disclaimer

Answer 30

do not express an opinion

Question 31

What opinion for scope limination that is matieral but not pervaisum

Answer 31

Qualified.

Question 32

What opinion for scoep limination that is mateiral and pervasium

Answer 32

Discliamer

Question 33

Key comonents of the report

Answer 33

1. Mgmt description of system
2. Mgmt assertion
3. Independent service auditors report
4. Auditors test of controls and results

Question 34

SOC 1 - content of mgmt descirption

Answer 34

sufficient info to allow user auditor to understand how processing affects user entitiy’s FS and to assess risk of material misstatment of user entity’s FS. Common things covered include type of service provided, procedures, system functionality, subervie orgs, controls, info on control env., process to prepare reports, deficiencies in info, compelementary user entity controls, changes to sytem dring period,

Question 35

SOC 2 - content of mgmt descirption

Answer 35

descrption of system to allows user entities, business partners, etc., to understand the system and processing and flow of data - prepared to be in accordance with specific criteria and the procedures and controls in placeto mange risk. Types of info include: type of services provided, principal service committments and system reuqirements, compentents of system used, system incidents, applicale trust service criteria, complentary user entity controls, subsevice orgs, irrelevant critiera, details of system control changes.

Question 36

Inclusive method

Answer 36

nature of service provided controls with clear deliniation between service organd suborg, portionso of system attibuted to suborg.

Question 37

carve out method

Answer 37

doesn’t include contols operate only/primarlyat sub org. but should discuss contorls/criatera to be met by suborg, sub orgs responsibliy, and ndicate that related service committements/system requiremetnsonly achived by suborg contorls are suitable designedand operaing effectivly.

Question 38

Mgmt Assertation (SOC 1/2)

Answer 38

1. Mgmts description of sytesm fairly presents the system that was designed and implemented.
2. Controls state are suitabily designed
3. controls stated operated effectivly (type2)

Question 39

Mgmt Assertation (SOC 3)

Answer 39

Controls were effective throughout the period to provide resonable assurance that service commitements and system reuirements were achevied baesd on applicable trust service criteria including discrption on boundaries of ystem, service commitments and system requirements were acheived based on he applicable trust services criteria, including boundaries.

Question 40

If mgmt wont provide an asssertaiton

Answer 40

auditor required to withdraw when possible under law- or disclaim an opinion

Question 41

SOC 1 CONTENTS

Answer 41

1. Mgmt description - as of specific date (1) or period (2)
2. Mgmt assertion- key is “meet control objectives”
3. Audit report - opinion
4. test of control (type 2)

Question 42

SOC 1 Auditor report - Title

Answer 42

Must include “independent”

Question 43

SOC 1 Auditor report - Addressee

Answer 43

as reuired by engagement

Question 44

SOC 1 Auditor report - Scope

Answer 44

Mgmt description, fuctions system performs, period; critera, services performed by suborg and if carve out or inclusive method, statement that control objectives in description are those mgmt believe are likely to be relevant to user entities IC over financial reporting, wont include those not likely; if need for complementary user controls must include that auditor has not evaluated.

Question 45

SOC 1 Auditor report - Serv. Org responsibilities

Answer 45

Reference ot mgmt assertion and stment mgmt responsible for: preparing descirption, assertation, services covered, control objectives, risks that threaten control objecgives, seleting criterai, controls

Question 46

SOC1 Auditors report - Auditor responsiblities

Answer 46

Statement abot expressing opinion on fairness of presentation of mgmt description and : conducted in accordanc with attestation standards AICPA, standards reuire plan/performto obtain reaonable assurance…, evidence is sufficent/appropraite for basis of opinion, proceures to btain evidence, assessing risks that descirption is not farily presented, evaluating the overall presntation descirptonin, suitabilty of controls and criteria, esting effecgivess of control (tye 2)

Question 47

SOC 1 Auditors report - test of controls

Answer 47

controls tested, if they represent all or a selection of items in population nature of tests, identifeid deviations number tested and numebr deviated, nature of deviations, if IA used to test a description of their work and service auditors procedures related to their work.

Question 48

SOC 1 Auditor report - other matter

Answer 48

Type 1 only - did not perform procedures regarding operating effectiness of controls

Question 49

SOC 1 - Auditor report - restricted use

Answer 49

the report intended soley for the info/use of mgmt of the service org, user entities and the auditors who audit and report on such user entiteis FS or IC over financial reproting. Should not be used by others.

Question 50

SOC 1 - date of report

Answer 50

no earlier thatn th date has obtain sufficeint approprite evidence

Question 51

SOC 2 CONTENTS

Answer 51

1. Mgmt description - as of specific date (1) or period (2)
2. Mgmt assertion- key is “achieved baesd on applicable trust service criteria”
3. Audit report - opinion
4. test of control (type 2)

Question 52

SOC 2 Auditor report - Scope

Answer 52

Identification or description of subject matter or assertion being reporting on, sercies/controsl rpovided by suborg and carveout or inclusion, criteria used - description evaluated against description criteria while suitabilty of design and operatinve effectivess of controls evaluated against trust services criteria applicable

Question 53

SOC 2 Auditor report - Serv. Org responsibilities

Answer 53

id’s responsible party and resonsibilty for subject matter in accordance with criteria for assertion.

Question 54

SOC2 Auditors report - Auditor responsiblities

Answer 54

express an opinion on subject matter assertations, conducted in accordance with AICPA, nature of engagment

Question 55

SOC 2 USERS

Answer 55

only for specific parties, identify specified parties,

Question 56

SOC 2 - Test of Controls

Answer 56

Descritpion of tests of controls and results - controls that were tested, all or part of population, nature of tests performed, deviations then include # items tested, umebr/natuer of devaitions, causative factors (optional)

Question 57

SOC1 - What is consider a subor

Answer 57

services provied are likely relevant to user entites IC over financial reporting, controls at suborg are necessary to achieve mgmt objectives

Question 58

SOC2/3 - What is consider a subor

Answer 58

services are relevant to report users understanding of service orgs systems as it relates the applicable trust services criteria- controsl at suborg are necessary to provide resonable assurance that service commitments and system requirements are acheived.

Question 59

When is inclusion method useful

Answer 59

services by suborg are extensive, type 1/2 report that meets needs of users is not available for suborg, and info about suborg not reasdily avaiable from other sources

Question 60

when is carve out best?

Answer 60

challenges w/ implementing inclusive method- not practical, service auditor not independent from suborg, type 1/2 is avilable, service org cant get suborg to contract/agree to be included.

Question 61

common examples of complementray user entity controls

Answer 61

security monitoring, manages service provider environment change, encypited financial data, hysical acces controls, auth. Policies

Question 62

changes to report for qualified opinionSOC !

Answer 62

seperae paragraph before opinionthat provides a descritin of the matters giving rise to modification

Question 63

Changes to report for qualified opinion materilal misstatemnt SCO 1

Answer 63

Service auditor repsonsibilty - evidence is suffficent/spparote to rpovide basis for qualified opinion.