Performing Further Procedures in a SOC Engagement Flashcards

1
Q

What should a service auditor do if the service org refuses to cooperate with preventing reliance on a report with a known subsequently discovered fact? A new report is also not imminent.

A

Seek legal advice about the CPA's/firm's obligations

2
Q

What should the service auditor do if management refuses to provide a written representation letter?

A

The auditor should consider the effect of the resulting scope limitation on the type of opinion issued

3
Q

What should the service auditor do if a subsequent event becomes known?

A

Attempt to perform additional procedures to obtain additional evidence.

4
Q

What is the purpose of a SOC 1 Engagement Report?

A

It provides assurance about how the service organization affects user entities’ internal control over financial reporting.

5
Q

What is the purpose of a SOC 2 Engagement Report?

A

To provide assurance about controls relevant to security, availability, processing integrity, confidentiality, or privacy.

6
Q

What is the responsible party required to do in a SOC 2 examination?

A

Examples would be AWS, Fidelity, ADP, etc. They are required to provide the service auditor with a management representation letter stating that they provided the auditor access to all relevant information. This is required so that the auditor can obtain sufficient and appropriate evidence.

7
Q

What does a fairly stated SOC 2 description need to meet?

A

The DC 200 Description Criteria. The auditor typically does this mapping exercise on a spreadsheet. This helps the service auditor determine potential material misstatements, when considered individually or with other misstatements.

8
Q

When should the report disclose subsequent events even if they have not affected the examination in a SOC 2 engagement?

A

When they do not affect the examination but are significant enough that they may be important to report users, e.g., a change in the subservice organization that supplies the cloud computing infrastructure after the examination.

9
Q

What does AT-C 205 require the service auditor to do upon discovering a subsequent event?

A

Determine if the discovered facts existed as of the report date and determine which report users might be misled.

10
Q

What causes a description misstatement in a SOC 1 examination and how should the service auditor handle this?

A

A description misstatement can occur if information that is irrelevant to the service organization’s objectives is included in the description. In such a case, the service auditor should request that management revise the system description.

11
Q

What is the significance of the service organization’s management written representation letter in a SOC engagement for a service organization?

A

It serves as the basis for the auditor’s opinion on the systems description, control design, and control effectiveness.

12
Q

What are the two different methods implemented during a SOC 2 examination when a subservice organization exists?

A

“Inclusive Method OR Carve-Out Method
Inclusive method - subservice org is a responsible party and must provide a signed representation letter asserting fairness of presentation in the description of its services, the suitability of the design of controls, and in Type? (look this up) report, the operating effectiveness of those controls”

13
Q

What are the four phases of a SOC engagement?

A

Acceptance, Planning, Performing and Reporting

14
Q

At what phase should the service auditor obtain the service organization's (and subservice organization's, in the inclusive method) management representation letter?

A

“The Reporting phase
Why so late? - Management should not provide it until all its decisions have been made, and all evidence has been provided. - This is still occurring during the acceptance, planning, and performing phases.”

15
Q

On what date should the written representation letter be dated?

A

On the date of the auditor’s SOC opinion — Management affirms that the information and disclosures in the report are up to date and comprehensive.
