Intro to SOC Cont'd Flashcards
What is a SOC for Cybersecurity?
- Examination of a company's entity-wide cybersecurity risk management program
- Non-restricted (general-use) report
- Management is the responsible party
- The purpose is to provide general users with information about the company's cybersecurity risk management program so they can make informed decisions
- AT-C section 105 (Professional Standards)
- AT-C section 205 (Professional Standards)
- Assertion Based Criteria
- The underlying subject matter of a SOC for Cybersecurity examination is the description of an entity’s cybersecurity risk management program and related controls.
In a SOC 2 Engagement what is the “SUBJECT MATTER”?
The underlying subject matter of a SOC 2 engagement is management’s description of the service organization’s system and related controls.
What are the three series of trust services criteria?
Common, Supplemental, and Additional Category Specific
Which trust service category does not use additional category specific criteria?
Security
What is the relationship between the COSO IC Integrated Framework and Trust Service Criteria?
The TSC align with and extend the COSO Framework
What is the difference between Type 1 & Type 2 report classifications?
Type 1 is based on a single day/point in time and Type 2 is throughout a period
Who is the intended user of a SOC 1 report?
Restricted-use report that a service organization may only share with user entities and their auditors
What are two threats to a CPA's independence that would prohibit them (AT-C 105) from accepting an attestation engagement (e.g., SOC 2)?
Management participation and Self Review
What is the assertion that Management makes in a SOC 3 report?
That the controls included in the description of the system operated effectively throughout a period based on the trust services criteria.
What source does management assert to in a SOC 2 examination?
AICPA TSP Section 100 TSC
What are the two methods of examination that service auditors use to perform SOC 1, 2, and 3 engagements?
Inclusive Method - requires independence from the service organization and all subservice organizations
Carved-Out Method - Auditor does not need to be independent of user entities or any carved-out subservice organizations
Can an audit service firm conduct a SOC 2 engagement on a system and controls that they designed?
No
What is the purpose of the TSC in a SOC 2 engagement?
To supply benchmarks to measure or evaluate the subject matter
Can the TSC be used by the auditor to evaluate controls in all SOC engagements?
No, all except SOC 1, which relates to financial reporting
Do service auditors in SOC engagements need to be independent of user entities?
No, because the auditor does not examine or attest to the controls of user entities