Intro to SOC Cont'd

Question 1

What is a SOC for Cybersecurity?

Answer 1

• Examination of companies entity wide cybersecurity risk management program
• Non-restricted report
• Management s responsible party
• The purpose is to provide general users with info about the company’s cyber security risk management program for making informed decision
• AT-C section 105 Prof St
• AT- C section 205 Prof St
• Assertion Based Criteria
• The underlying subject matter of a SOC for Cybersecurity examination is the description of an entity’s cybersecurity risk management program and related controls.

Question 2

In a SOC 2 Engagement what is the “SUBJECT MATTER”?

Answer 2

The underlying subject matter of a SOC 2 engagement is management’s description of the service organization’s system and related controls.

Question 3

What are the three series of trust services criteria?

Answer 3

Common, Supplemental, and Additional Category Specific

Question 4

Which trust service category does not use additional category specific criteria?

Answer 4

Security

Question 5

What is the relationship between the COSO IC Integrated Framework and Trust Service Criteria?

Answer 5

The TSC align with and extend the COSO Framework

Question 6

What is the difference between Type 1 & Type 2 report classifications?

Answer 6

Type 1 is based on a single day/point in time and Type 2 is throughout a period

Question 7

Who is the intended user for a SOC 1 reports?

Answer 7

Restricted use report that a service organizations may only share with user entities and their auditors

Question 8

What are two threats to CPA’s independence that would prohibit them (AT-C 105) from accepting an attestation engagement? E.g. SOC 2?

Answer 8

Management participation and Self Review

Question 9

What is the assertion that Management makes in a SOC 3 report?

Answer 9

That the controls included in the description of the system operated effectively throughout a perios based on the trust services criteria.

Question 10

What source does management assert to in a SOC 2 examination?

Answer 10

AICPA TSP Section 100 TSC

Question 11

What are the two methods of examinations that service auditors use to perfom SOC 1, 2, and 3 engagements?

Answer 11

“Inclusive Method - require independent from service org and all sub service orgs
Carved-Out Method - Auditor does not need to be independent of user entities or any carved out subservice organizations.”

Question 12

Can and audit servicer firm conduct a SOC 2 engagement on a system and controls that they designed?

Answer 12

No

Question 13

What is the purpose of the TSC in a SOC 2 engagement?

Answer 13

To supply benchmarks to measure or evaluate the subject matter

Question 14

Can the TSC be used by the auditor to evaluate controls in all SOC engagements?

Answer 14

No, all except SOC 1, which related to financial reporting

Question 15

Do service auditors in SOC engagements need to be independent of user entities?

Answer 15

No, because the auditor is does not examine or attest to the controls of user entities