Intro to SOC Cont'd Flashcards

1
Q

What is a SOC for Cybersecurity?

A
  • Examination of a company's entity-wide cybersecurity risk management program
  • Non-restricted (general-use) report
  • Management is the responsible party
  • The purpose is to provide general users with information about the company's cybersecurity risk management program for making informed decisions
  • AT-C section 105 Prof St
  • AT-C section 205 Prof St
  • Assertion-based criteria
  • The underlying subject matter of a SOC for Cybersecurity examination is the description of an entity's cybersecurity risk management program and related controls.
2
Q

In a SOC 2 Engagement what is the “SUBJECT MATTER”?

A

The underlying subject matter of a SOC 2 engagement is management’s description of the service organization’s system and related controls.

3
Q

What are the three series of trust services criteria?

A

Common, Supplemental, and Additional Category-Specific

4
Q

Which trust service category does not use additional category-specific criteria?

A

Security

5
Q

What is the relationship between the COSO IC Integrated Framework and Trust Service Criteria?

A

The TSC align with and extend the COSO Framework

6
Q

What is the difference between Type 1 & Type 2 report classifications?

A

Type 1 is as of a single day (a point in time); Type 2 covers a period of time

7
Q

Who is the intended user of a SOC 1 report?

A

Restricted-use report that a service organization may only share with user entities and their auditors

8
Q

What are two threats to a CPA's independence that would prohibit them (AT-C 105) from accepting an attestation engagement, e.g. a SOC 2?

A

Management participation and self-review

9
Q

What is the assertion that Management makes in a SOC 3 report?

A

That the controls included in the description of the system operated effectively throughout a period based on the trust services criteria.

10
Q

What source does management assert to in a SOC 2 examination?

A

AICPA TSP Section 100 TSC

11
Q

What are the two methods of examination that service auditors use to perform SOC 1, 2, and 3 engagements?

A

Inclusive Method - requires independence from the service org and all subservice orgs
Carved-Out Method - the auditor does not need to be independent of user entities or any carved-out subservice organizations.

12
Q

Can an audit services firm conduct a SOC 2 engagement on a system and controls that it designed?

A

No

13
Q

What is the purpose of the TSC in a SOC 2 engagement?

A

To supply benchmarks to measure or evaluate the subject matter

14
Q

Can the TSC be used by the auditor to evaluate controls in all SOC engagements?

A

No, all except SOC 1, which relates to financial reporting

15
Q

Do service auditors in SOC engagements need to be independent of user entities?

A

No, because the auditor does not examine or attest to the controls of user entities
