Performing Further Procedures in a SOC Engagement Flashcards
What should a service auditor do if the service organization refuses to cooperate in preventing reliance on a report with a known subsequently discovered fact, and a new report is not imminent?
Seek legal advice about the CPA's/firm's obligations.
What should the service auditor do if management refuses to provide a written representation letter?
The auditor should consider the effect of the resulting scope limitation on the type of opinion issued
What should the service auditor do if a subsequent event becomes known?
Attempt to perform additional procedures to obtain additional evidence.
What is the purpose of a SOC 1 Engagement Report?
It provides assurance about how the service organization affects user entities’ internal control over financial reporting.
What is the purpose of a SOC 2 Engagement Report?
To provide assurance about controls relevant to security, availability, processing integrity, confidentiality, or privacy.
What is the responsible party required to do in a SOC 2 examination?
Examples would be AWS, Fidelity, ADP, etc. They are required to provide the service auditor with a management representation letter stating that they provided the auditor access to all relevant information. This is required so that the auditor can obtain sufficient and appropriate evidence.
What does a fairly stated SOC 2 description need to meet?
The DC 200 Description Criteria. The auditor typically does this mapping exercise on a spreadsheet. This helps the service auditor identify potential material misstatements, whether considered individually or together with other misstatements.
When should the report disclose subsequent events even if they have not affected the examination in a SOC 2 engagement?
When they do not affect the examination but are significant enough that they may be important to report users, e.g., a change in the subservice organization that supplies the cloud computing infrastructure after the examination.
What does AT-C 205 require the service auditor do upon discovering a subsequent event?
Determine if the discovered facts existed as of the report date and determine which report users might be misled.
What causes a description misstatement in a SOC 1 examination and how should the service auditor handle this?
A description misstatement can occur if information that is irrelevant to the service organization’s objectives is included in the description. In such a case, the service auditor should request that management revise the system description.
What is the significance of the service organization’s management written representation letter in a SOC engagement for a service organization?
It serves as the basis for the auditor’s opinion on the systems description, control design, and control effectiveness.
What are the two different methods implemented during a SOC 2 examination when a subservice organization exists?
Inclusive Method OR Carve-Out Method
Inclusive method - the subservice org is a responsible party and must provide a signed representation letter asserting the fairness of presentation in the description of its services, the suitability of the design of controls, and, in a Type? (look this up) report, the operating effectiveness of those controls.
What are the four phases of a SOC engagement?
Acceptance, Planning, Performing and Reporting
At what phase should the service auditor obtain the service organization's (and, in the inclusive method, the subservice organization's) management representation letter?
The Reporting phase
Why so late? - Management should not provide it until all its decisions have been made and all evidence has been provided. - This is still occurring during the acceptance, planning, and performing phases.
On what date should the written representation letter be dated?
On the date of the auditor’s SOC opinion — Management affirms that the information and disclosures in the report are up to date and comprehensive.