S4 Flashcards
1
Q
Opinion Issued
A
- Disclaimer: sufficient and appropriate evidence cannot be obtained (scope limitation)
- Adverse: Material and pervasive
- Qualified: Material and not pervasive
- Unmodified: No material deficiencies identified
2
Q
System Infrastructure component
A
- Obtain understanding of the newly enhanced physical security measures
- Individual physical or virtual resources; a collection of resources that supports a service org’s environment.
3
Q
In determining the method for SOC reporting
A
The goal:
- management’s description of the service org’s system includes enough info to be useful to intended users of the report.
4
Q
Subsequent facts after the auditor’s report:
A
- The service auditor:
determines whether or not the facts existed at the date of the report and are relevant enough to be reported to users.
5
Q
Subservice organization
A
- in a SOC 2/ SOC 3 engagement
- a separate entity that is external to the service org, or it may be a related entity.
6
Q
Complementary user entity controls
A
- referenced in the opinion section of the SOC 1 report when necessary, with service org controls to meet the stated control objectives.
7
Q
Cybersecurity risk management program
A
- include: the cybersecurity risk governance structure, risk assessment process, and the monitoring of the cybersecurity risk management program.
- Identify the nature, extent, and timing of system incidents in the service org’s system description.
- Management is not required to include details of control tests performed by the service auditor.
8
Q
SOC reports
A
- SOC 1 type 2: a written assertion from management that the controls stated in management’s description of the system were suitably designed and operated effectively throughout the specified period to achieve the control objectives.
- SOC 1 type 1: a written assertion from management at a specified date, rather than covering a period of time, and would not include a reference to the operating effectiveness of the controls.
- SOC 2 type 1: written assertion from management at a specified date, rather than covering a specified period of time. An assertion for a SOC 2 type 1 report also references the applicable TSC and would not include a reference to the operating effectiveness of the controls.
- SOC 3: can only be issued as type 2, not type 1.
9
Q
Tests of operating effectiveness
A
- Type 2 engagement: tests of controls over the operating effectiveness of controls must be performed. These tests would extend to relevant controls of subservice org when the service organization uses the inclusive method to present its services and controls.
- Type 1 engagement: covers the suitability of design and implementation.
- Carve-out method: no tests of operating effectiveness of controls in place at the subservice org would be performed, as these controls would be excluded from the scope of the engagement.
10
Q
Definition of a system relevant to SOC 2
A
- includes the infrastructure, software, procedures, data, and people.