Reporting on Controls at Service Organizations - M5 Flashcards
1
Q
What makes a service organization's information part of a Company’s Information System?
A
When a service organization provides services that affect the initiation, execution, processing, or reporting of a user company’s transactions.
2
Q
What is a SOC 1 Report?
System and Organization Controls
A
- Report issued by the service organization auditor
- Report on controls relevant to the user entities' Internal Controls over Financial Reporting.
- The entity and its auditors use this report to evaluate the impact that certain relevant controls at the service organization may have on the financial statements.
- Used by user management and auditors only.
- The use of both SOC 1 and SOC 2 reports is restricted.
- Contains information regarding management's system.
3
Q
What is a SOC 2 Report?
System and Organization Controls
A
- Issued by the service auditor.
- A report that gives assurance to a broad range of users regarding controls relevant to one or more of the Trust Services Criteria of service, availability, processing integrity, confidentiality, and privacy.
- The use of both SOC 1 and SOC 2 reports is restricted.
4
Q
What is a Type 1 Report?
(Can be issued with either a SOC 1 or SOC 2 Report)
A
Both SOC 1 and SOC 2 reports can include a Type 1 Report, which is the testing of the design and implementation of controls of a service organization.
5
Q
What is a Type 2 report?
(Can be issued with either SOC 1 or SOC 2)
A
- Both SOC 1 and SOC 2 reports can include a Type 2 Report.
- Report from the service auditor which will give assurance about the design, implementation, and operating effectiveness of the service organization's internal controls.
- This could provide evidence that would allow a reduction in the assessed level of control risk.
- Should include a disclaimer of opinion regarding the achievement of the user organization's objectives.