S4 Flashcards

1
Q

A SOC 1®

A

report is used to examine and report on controls at a service organization that are likely to be relevant to the user entity’s internal control over financial reporting.

2
Q

SOC 2®

A

report covering the applicable trust services criteria (security, confidentiality, and privacy). The SOC 2® report is intended for use by those who have sufficient knowledge and understanding of the service organization, the services provided, and the system used to provide such services.

It will require the service auditor to provide an opinion on:
(1) whether the description of the service organization’s system is presented in accordance with the description criteria throughout a specified period of time;
(2) whether the controls stated in the description were suitably designed to provide reasonable assurance that the service commitments and system requirements were achieved based on the applicable trust services criteria throughout a period of time; and
(3) whether the controls stated in the description operated effectively throughout a specified period of time to provide reasonable assurance that the service commitments and system requirements were achieved based on the applicable trust services criteria.

3
Q

A SOC 3®

A

report on the trust services criteria (security, availability, processing integrity, confidentiality, or privacy), but it is intended for general use by those who lack an understanding of the service organization, their services, or their system.

NO OPINION: the report does not include a description of the system (detailed controls within the system are not disclosed), a description of the service auditor’s tests of controls, or the results thereof.

4
Q

SOC for Supply Chain Engagement

A

used to examine and report on an entity’s controls over a system used to produce, manufacture, or distribute products.

5
Q

Service and Organization Controls (SOC)
Type 1 vs. Type 2 report:

A

A Type 1 report covers the design of controls at a given point in time, whereas a Type 2 report covers both the design and operating effectiveness of controls over a period of time.

6
Q

SOC engagement
trust services

A

Set the outcomes (confidentiality, availability, processing integrity, privacy, and security) that should be met as a result of effective controls. Effective controls help an entity to achieve its objectives.

7
Q

security trust services

A

ensuring that information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

8
Q

privacy trust services

A

relates to ensuring personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

i.e., collecting personal data, obtaining consent when collecting and using that data, using data for specific purposes only, and managing access to individuals’ data responsibly.

9
Q

availability trust services

KEY: the system is still available because they have a recovery plan.
A

ensuring information and systems are available for operation and use to meet the entity’s objectives.

i.e., the entity tests its recovery plan procedures to ensure system recovery meets entity objectives.

10
Q

processing integrity trust services

KEY: Integrity = ACCURATE / complete ... on time.
A

ensuring system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

11
Q

trust services criteria

A

are NOT for internal control (IC) over financial reporting (not SOC 1).

They are applicable to SOC 2® (Type 1 & Type 2) and SOC for Cybersecurity.

12
Q

trust services categories

A

A service auditor must address the common criteria for all trust services categories and additional specific criteria for availability, processing integrity, confidentiality, and privacy.

NOTE: There are no additional specific criteria related to security.

13
Q

trust services criteria are NOT controls, but rather OUTCOMES

A

trust services criteria are NOT controls, but rather OUTCOMES

14
Q

Control activities

KEY: Activity = physical (physical access) and operations.
A

Controls over logical and physical access, system operations, change management, and risk mitigation are classified as CONTROL ACTIVITIES, NOT control environment.

15
Q

Adverse OP

A

Issued when a material and pervasive issue is identified.

16
Q

Disclaimer OP

A

Issued when sufficient and appropriate evidence on which to base the opinion cannot be obtained, and the possible effects on the subject matter of undetected misstatements, if any, could be both material and pervasive.

17
Q

Qualified OP

A

material but not pervasive

i.e. deficiencies in the suitability of the design of only one control had an impact on the achievement of a control objective but did not affect other controls or control objectives

18
Q

Unmodified OP

A

No issues (neither material nor pervasive).

19
Q

subservice organization

A

An entity used by the service organization to provide services to user entities, in order to provide reasonable assurance that the service commitments and system requirements would be achieved.

i.e. third party that provides relevant services and controls that are necessary in combination with the service organization’s controls

20
Q

system description documented by the management in a SOC 2® engagement

A

The description enables report users to understand the system, the processing and flow of data throughout and from the system, and the procedures and controls in place to manage risk.

21
Q

SOC description criteria include:

A

factors that have a significant effect on inherent cybersecurity risks along with the nature of business and operations, nature of information at risk, cybersecurity risk management program objectives (cybersecurity objectives), cybersecurity risk governance structure, cybersecurity risk assessment process, cybersecurity communications and the quality of cybersecurity information, monitoring of the cybersecurity risk management program, and cybersecurity control processes.

22
Q

SOC
application of complementary user

A

Both the scope and opinion sections should be modified when the service auditor determines that the application of complementary user entity controls is necessary to achieve the related control objectives stated in management’s system description and the carve-out method is applied.

23
Q

SOC
scope paragraph of the service auditor’s report.

A

Both the description criteria and applicable trust services criteria should be included

I.E. The description criteria used to evaluate the suitability of the design and operating effectiveness of controls and the applicable trust services criteria.

24
Q

SOC 2® Type 2
deviations noted

A

The service auditor is required to disclose the NUMBER OF deviations and the number of items tested. Causative (CAUSE) factors are optional.

25
Q

A SOC 2® Type 2 report should include:

A

The controls that were tested, whether the items tested represent all or a selection of items within the population, and the nature of the tests performed in sufficient detail to enable report users to determine the effect of such tests on their risk assessments.

26
Q

SOC 2® Type 1 vs. SOC 2® Type 2

A

Type 1: Obtaining an understanding of the system and the service organization’s service commitments and system requirements

Type 2: Testing the operating effectiveness of controls stated in the description

27
Q

carve-out method = exclude (out)

A

Exclude the complementary subservice organization controls from the description of the service organization’s system.

However, service organization management should still identify the services provided by the subservice organization, the complementary user entity controls necessary, and the controls in place at the service organization to monitor the effectiveness of the complementary subservice organization controls.

28
Q

Complementary subservice organization controls (CSOCs)

A

Controls at a vendor used by a service organization that are necessary, in combination with the service organization’s controls, to provide reasonable assurance that the service commitments and system requirements are achieved.

29
Q

Complementary user entity controls

A

controls at a user entity (or customer) of a service organization, which are necessary, in combination with the service organization’s controls, to provide reasonable assurance that the service commitments and system requirements are achieved.

30
Q

SOC engagement
Inclusive method

A

The more significant and complex the services provided by the subservice organization to the service organization, the more likely a SOC report using the inclusive method may be necessary.

31
Q

complementary user entity controls

A

include only those controls at a user entity that are necessary, in combination with the service organization’s controls, to achieve the control objectives stated in management’s system description.

32
Q

An explanation of matters should be added to the SOC 1® report… what type of opinion should be issued?

A

A qualified opinion is issued,

and the opinion section of the SOC 1® report is amended to include the explanation of matters.
NOT the scope section; the opinion section, YES.

33
Q

TYPE 1 SOC reports don’t look at operating effectiveness.

A

TYPE 1 SOC reports don’t look at operating effectiveness.

33
Q

The service auditor is not required to be independent from each user entity.

A

When a service auditor performs an engagement on controls at a service organization, the service auditor is NOT required to be independent of the user entity.

34
Q

SOC engagement
Lack of independence (= scope limitation): what opinion should be provided?

A

DISCLAIM OP

A lack of independence is a scope limitation and therefore an auditor required by law or regulation to report on a service entity from which it lacks independence should disclaim an opinion and specifically state their lack of independence in a SOC engagement.

35
Q

When determining materiality in a SOC 2® engagement

A

The service auditor should consider the common information needs of a broad range of report users.

36
Q

SOC 2® Type 2 engagement related to the processing integrity trust services criteria

A

includes ensuring the system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

i.e. Be within the boundaries of the system for purposes of the SOC engagement, as processing integrity extends to ensuring that transactions within the system are properly authorized.

36
Q

Risk assessment in a SOC 2® Type 2 engagement should cover the risks that affect which of the following?

A

I. Preparation of the system description.
II. The design of the service organization’s controls.
III. The operating effectiveness of the service organization’s controls.

NEVER:
The sufficiency and appropriateness of the procedures performed during the engagement.

36
Q

defining the system relevant to the SOC 2® engagement:

A

A system is defined as the infrastructure (individual physical or virtual resources), software, procedures, and data that are designed, implemented, and operated by people to achieve one or more of the organization’s specific business objectives.

i.e. The application, the Top Claims’ employee who initiates the automated process, and the patient medical data are all components of the description of the system.

37
Q

When performing risk assessment procedures, the service auditor should obtain an understanding of the service organization’s system and controls, and should:

A

Understand the service organization’s process and procedures used to prepare the description of the system.

NOTE: Service organization management, not the service auditor, is responsible for determining control objectives.

38
Q

Amending the extent of testing… service auditor needs to consider

A

Consider both the tolerable and expected rate of deviation.

39
Q

The procedures, within both automated and manual processes, by which services are provided should be included in management’s system description regardless of the type of SOC report issued

A

The procedures, within both automated and manual processes, by which services are provided should be included in management’s system description regardless of the type of SOC report issued

40
Q

Management’s system description should describe the system that the service organization has implemented, not aspects of the system that have not yet been implemented.

A

The service auditor may request that the controls not yet implemented are removed from the system description.
If management will not modify the description to exclude the controls, the auditor should consider the implications on the auditor’s report.

41
Q

When a Type 2 engagement is performed, tests of controls over the operating effectiveness of controls must be performed.

A

These tests would extend to the relevant controls of a subservice organization when the service organization uses the inclusive method to present its services and controls.

42
Q

trust services criteria of confidentiality and privacy
A service auditor should ensure that appropriate controls are in place to allow external and internal users to report failures, incidents, or concerns related to the applicable trust services criteria.

A

A service auditor should ensure that appropriate controls are in place to allow external and internal users to report failures, incidents, or concerns related to the applicable trust services criteria.

43
Q

design of the controls vs. operating effectiveness

A

Seeking out internal and external documentation of responsibilities, policies, and procedures related to reporting and escalating system incidents would provide insight into the design of the controls.

The reperformance of a sample of calculations would provide insight into the operating effectiveness.

44
Q

The service auditor has the responsibility to review relevant information related to subsequent events in both a SOC 1® and SOC 2® engagement.

A

The service auditor has the responsibility to review relevant information related to subsequent events in both a SOC 1® and SOC 2® engagement.

45
Q

service auditor
Upon becoming aware of a subsequent event that is of significance, the service auditor should…

A

request that management disclose the event in either management’s assertions or the description of the system.

If the subsequent event has been appropriately disclosed by service organization management, an unmodified opinion would still be appropriate.

46
Q

When subsequently discovered facts become known by a service auditor after the date of the service auditor’s report, the service auditor should first:

A

Determine whether the facts existed at the date of the report and whether they would be relevant to report users.

47
Q

When a subservice organization is used and the inclusive method is used:

A

Written representations from subservice organization management are required when the inclusive method is used for management’s description of the system.

NOTE: NO representations from the subservice organization are needed if the CARVE-OUT METHOD is applied.

48
Q

If service organization management refuses to provide written representations to the service auditor:

A

A scope limitation may exist, and the service auditor may be precluded from issuing an unmodified opinion (or may withdraw from the engagement if permitted by law or regulation).