Intro to SOC Engagements Flashcards

1
Q

What are the 5 Trust Services Categories?

A

Security, Availability, Processing Integrity, Confidentiality, and Privacy

2
Q

Who are the intended users of SOC 2 reports?

A
  • SOC 2 reports contain sensitive and complex information
  • Restricted to users that have sufficient knowledge about the services organizations, the services it provides, and the systems it uses.
    -Typically this includes organizations with direct relationships with the company - auditors, business partners and their auditors, prospective user entities, and regulators.
  • NOT the general public!
3
Q

What is the AICPA SOC Suite of Services?

A

SOC for service organizations
SOC for cybersecurity
SOC for supply chain

4
Q

What does SOC stand for?

A

System & Organization Controls

5
Q

What are the 3 types of SOC for service organizations engagements?

A

SOC 1, SOC 2, SOC 3

6
Q

What is a SOC for Cybersecurity?

A

An entity’s cybersecurity risk management program.

7
Q

What is a SOC for Supply Chain?

A

System-level controls at an entity that produces, manufactures, or distributes products.

8
Q

What is the purpose of the AICPA’s Statements on Standards for Attestation Engagements (SSAE Nos. 18, 20, 21)?

A

They are the standards that are used to conduct attestation engagements for the SOC Suite of Services.

9
Q

What are the relevant attestation standards for the AICPA’s Statements on Standards for Attestation Engagements?

A

AT-C 105, AT-C 205, and AT-C 320 (specific to SOC 1 and may be helpful in other types of SOC engagements)

10
Q

What is the primary intention of the SOC for Service Organization report?

A

Give report users info to understand the service org’s system and controls.
AND
Get an independent CPA’s opinion about whether the service org has:
1. Completely and accurately described their system and controls based on criteria.
2. Suitably designed their controls based on criteria.
3. When included in the engagement, designed controls that operate effectively.

11
Q

What is the objective of SOC 1 reports?

A

To provide assurance about controls relevant to user entities’ internal control over financial reporting (ICFR), e.g., a report on Oracle as a subservice org to my company. User orgs and their auditors (e.g., Deloitte) use SOC 1 reports in a financial statement audit.

Type 1 - at a point in time
Type 2 - over a period

12
Q

Who is responsible for understanding the service organization’s system and how it impacts the user organizations?

A

The user auditor
e.g. Deloitte

13
Q

What is the most practical report for a user auditor to obtain evidence about the services provided and that controls are suitably designed, implemented, and operating effectively?

A

SOC 1 Type 2

SOC 1 - Control Objectives
Type 2 - Over a period

14
Q

What are the 3 characteristics of a SOC 1 examination?

A

Responsible Party - Service organization
Subject Matter - Management’s description of the service org’s system and controls relevant to user entities’ internal control over financial reporting.
Suitable Criteria - Description criteria and control criteria listed in AT-C Section 320.

15
Q

What are the 5 definitions from AT-C 320 that apply to SOC 1 engagements?

A
  1. Management assertions
  2. Management’s description of the system
  3. Service organization’s system
  4. Control Objectives
  5. Controls at service organization - relevant to user entities’ internal control over financial reporting.
16
Q

What are the types of SOC engagements?

A

SOC 1 (Type 1 & 2), SOC 2 (Type 1 & 2), and SOC 3

17
Q

Why are there Type 1 & Type 2 engagements?

A

There is a difference in the subject matter of management’s assertions.
SOC 1 - provides assurance about controls relevant to user entities’ internal control over financial reporting
SOC 1 - provides info to user entities and their financial statement auditors
SOC 1 - Suitable criteria for controls are management’s assertions, NOT the trust services criteria.
Type 1 - As of a Specific Day
Type 2 - Throughout a Period

18
Q

Who are the intended users of SOC 2 reports?

A
  • SOC 2 reports contain sensitive and complex information
  • Restricted to users that have sufficient knowledge about the services organizations, the services it provides, and the systems it uses.
  • Typically this includes organizations with direct relationships with the company - auditors, business partners and their auditors, prospective user entities, and regulators.
  • NOT the general public!
19
Q

What is the purpose of a SOC 2 Engagement/Report?

A

SOC 2® reports help users understand how the service organization’s system and controls achieve its principal service commitments. The Security category must be included; the other categories are optional.

20
Q

What is the purpose of SOC 3 Engagements?

A
  • Purpose is to provide assurance about controls relevant to security, availability, processing integrity, confidentiality, or privacy.
  • General Use Report
  • Public is Intended User
    -Prepared only after a SOC 2 Type 2 engagement is completed.
  • Contains less info than SOC 2 (needs less expertise to understand), so it can be distributed freely to the general public
  • Management makes NO specific assertion about the design of controls
  • A SOC 3 is ALWAYS throughout a period and NOT as of a specified date.
  • Not a restricted report
  • AT-C section 105 and 205 professional standards apply
21
Q

What are Trust Services Criteria?

A

Trust Services Criteria (TSC) address the relevant aspects of a cybersecurity program (i.e., the trust services categories of information processed by an entity’s systems). These criteria make up the framework for measuring the subject matter of SOC for Cybersecurity.

22
Q

SOC 2 Engagement

A

Includes management’s description of the service org’s system and related controls.

23
Q

What is management’s assertion for a SOC1 Type 1 examination?

A
  • As of a SPECIFIED DATE - Mgmt’s description of the system; the written description is a fair representation of the system; mgmt’s assertion that controls were suitably designed; a report expressing an opinion on management’s description of the system and the suitability of the controls’ design.
  • Management makes NO specific assertion about the operating effectiveness of controls in a Type 1 report; it only does this in a Type 2.
24
Q

What is management’s description of the service organization’s system and controls relevant to security, availability, processing integrity, confidentiality, or privacy?

A

Subject Matter

25
Q

How do supplemental trust services criteria expand on COSO Internal Control Framework? (CRIME)

A

As part of the Control Activities - Bases controls on thorough policies and procedures.

26
Q

What is the primary purpose of the additional criteria in the TSC?

A

To assess controls related to specific trust services categories that are not covered by common and supplemental criteria.

27
Q

Why did the AICPA develop the trust service criteria (TSC)?

A

To align with and extend the principles of the COSO Internal Control - Integrated Framework (CRIME). Mgmt and the CPA use the criteria to evaluate controls related to the TSC - security, availability, processing integrity, confidentiality, or privacy.

28
Q

Which SOC Report is intended for general use?

A

SOC 3 - can be shared publicly

29
Q

Which SOC Reports are restricted reports?

A

SOC 1 and SOC 2