S4-m1 Flashcards

1
Q

Outsourced Payroll Processors

A

Service organizations that provide payroll services

2
Q

Financial IT Outsourcing Services

A

Financial institutions that provide IT-based transaction processing services such as servicing loans, payment processing, and asset management

3
Q

What is the purpose of a SOC engagement?

A

To assess the effectiveness of a service organization's controls. These engagements, which result in the issuance of a SOC report, promote reliance by third parties on service organizations.

4
Q

SOC 1 for Service Organizations

A

Internal Control over Financial Reporting:
The examination and reporting on controls at a service organization that are likely to be relevant to user entities' internal control over financial reporting

5
Q

Are SOC 1 reports restricted?

A

They are restricted to management of the service organization, user entities of the service organization's system, and the independent auditor. They do not include potential users of the service organization.

6
Q

SOC 2 for Service Organizations

A

Trust Services Criteria:
The examination and reporting on the security, availability, or processing integrity of a system, or the confidentiality or privacy of the information processed by the system (the five AICPA trust services criteria)

7
Q

Who are SOC 2 reports intended for?

A

Intended for use by those who have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide those services, among other matters.

8
Q

What does it mean to have sufficient knowledge?

A

Knowledge of:
- the nature of the service provided by the user organization
- the service organization's system interactions with user entities, subservice organizations, and other parties
- internal control and its limitations
- complementary user entity controls
- complementary subservice organization controls
- user entity responsibilities and their impact on the ability to effectively use the service organization's services
- the applicable trust services criteria
- risk

9
Q

SOC 3 for the Service Organization

A

Trust Services Criteria for General Use Report:
Similar to the requirements and guidance for performing a SOC 2 engagement; the service auditor reports on whether controls within the system were effective to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria.

- Ordinarily for general users who need assurance about controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but lack the knowledge and understanding required for a SOC 2

ALWAYS A TYPE 2 REPORT

10
Q

What is the reporting difference between a SOC 2 and a SOC 3?

A

A SOC 3 report does not include a description of the system (detailed controls within the system are not disclosed), a description of the service auditor's tests of controls, or the results thereof.

11
Q

SOC for Cybersecurity Engagement

A

Examine and report on a description of the entity's cybersecurity risk management program and the effectiveness of controls within that program

12
Q

SOC for Supply Chain Engagement

A

Examine and report on an entity’s controls over the security, availability, processing integrity, confidentiality, or privacy of a system used to produce, manufacture, or distribute products

13
Q

Type 1 Report

A

A report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date

14
Q

Type 2 Report

A

A report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description, throughout a specified period

15
Q

What do Type 1 and Type 2 reports consist of?

A
  • management's description of the service organization's system
  • a written assertion by management of the service organization about whether, as of a specified date, the criteria were met
  • a report that expresses an opinion on the matters described above
16
Q

Criteria for written assertion by management

A

- Management's description of the system fairly presents the service organization's system that was designed and implemented
- Controls related to the control objectives stated in management's description of the system were suitably designed to achieve those control objectives

17
Q

Key difference between Type 1 and Type 2 SOC reports?

A

A Type 1 covers the system design as of a given point in time, whereas a Type 2 covers both the design and the operating effectiveness of controls over a period of time.

18
Q

AICPA trust services criteria (CAPPS)

A

- Confidentiality
- Availability
- Processing integrity
- Privacy
- Security

19
Q

Which trust services criterion is addressed in most trust services engagements?

A

Security, because security controls are generally a primary area of focus for system users: organizations and their customers and business partners have an increased dependence on technology and are concerned about cybersecurity risks and their impact on operational processes.

20
Q

Confidentiality

A

Information designated as confidential is protected to meet the entity’s objectives

21
Q

Availability

A

Information and systems are available for operation and use to meet the entity’s objectives

22
Q

Processing integrity

A

System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives

23
Q

Privacy

A

Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives

24
Q

Security

A

Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.

25
Q

SOC for cybersecurity engagement

Application and Use of Trust Services Criteria

A

The effectiveness of controls within an entity's cybersecurity risk management program to achieve the entity's cybersecurity objectives, using the trust services criteria relevant to security, availability, and confidentiality as control criteria

26
Q

SOC 2 Type 1

Application and Use of Trust Services Criteria

A

Same subject matter as a SOC 2 Type 2 engagement; however, a SOC 2 Type 1 report does not contain an opinion on the operating effectiveness of controls, nor a detailed description of the tests of controls performed by the service auditor and the results of those tests

27
Q

SOC 2 Type 2

Application and Use of Trust Services Criteria

A

The suitability of design and operating effectiveness of controls included in management's description of a service organization's system relevant to one or more of the trust services criteria over security, availability, processing integrity, confidentiality, or privacy throughout a period
- Includes an opinion on the operating effectiveness of controls and a detailed description of the tests of controls performed by the service auditor and the results of those tests

28
Q

SOC 3

Application and Use of Trust Services Criteria

A

The design and operating effectiveness of a service organization's controls over a system relevant to one or more of the trust services criteria over security, availability, processing integrity, confidentiality, and privacy. A SOC 3 report contains an opinion on the operating effectiveness of controls but does not include a detailed description of the tests of controls performed.

29
Q

Control Environment

A

Tone at the top
1. The entity demonstrates a commitment to integrity and ethical values
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives
5. The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives

30
Q

Risk Assessment

A

Focus on identifying risk, considering the potential for fraud, and understanding changes that could impact internal control
6. The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
7. The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
8. The entity considers the potential for fraud in assessing risks to the achievement of objectives
9. The entity identifies and assesses changes that could significantly impact the system of internal control

31
Q

Control Activities

A

Relate to the control activities designed and implemented to ensure the proper application of policies and procedures that help ensure management directives and control objectives are met
10. The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
11. The entity also selects and develops general control activities over technology to support the achievement of objectives
12. The entity deploys control activities through policies that establish what is expected and procedures that put policies into action

32
Q

Logical and Physical Access Controls

Trust Services Supplemental Criteria (Principle 12)

A

Relates to how an entity restricts, provides, and removes access and prevents unauthorized access

33
Q

System Operations

Trust Services Supplemental Criteria (Principle 12)

A

Relates to how an entity detects and mitigates processing deviations, including logical and physical security deviations

34
Q

Change Management

Trust Services Supplemental Criteria (Principle 12)

A

Relates to how an entity manages changes and prevents unauthorized changes from being made

35
Q

Risk Mitigation

Trust Services Supplemental Criteria (Principle 12)

A

Relates to how an entity manages risk mitigation activities arising from potential business disruptions and the use of vendors and business partners

36
Q

Information and Communication

A

Focus on obtaining, generating, and controlling information and communication
13. The entity obtains or generates and uses relevant, quality information to support the functioning of internal control
14. The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
15. The entity communicates with external parties regarding matters affecting the functioning of internal control

37
Q

Monitoring Activities

A

Outline how an organization should conduct ongoing evaluations of control activities and communicate internal control deficiencies
16. The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
17. The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action

38
Q

A1.1

Additional Criteria for Availability

A

The entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity and demand, and to enable the implementation of additional capacity to meet entity objectives

39
Q

A1.2

Additional Criteria for Availability

A

The entity ensures systems are available by identifying environmental threats, designing detection measures, implementing protection mechanisms and alerts, responding to environmental threats, communicating threat events, performing data backup, ensuring there is offsite storage, and implementing alternate infrastructure

40
Q

A1.3

Additional Criteria for Availability

A

The entity tests its recovery plan procedures to ensure system recovery meets entity objectives

41
Q

PI1.1

Additional Criteria for Processing Integrity

A

The entity obtains or generates, uses, and communicates relevant, quality information regarding processing objectives to support the use of products and services

42
Q

PI1.2

Additional Criteria for Processing Integrity

A

The entity implements policies and procedures over system inputs to result in products, services, and reporting that meet entity objectives

43
Q

PI1.3

Additional Criteria for Processing Integrity

A

The entity implements policies and procedures over system processing to result in products, services, and reporting that meet entity objectives

44
Q

PI1.4

Additional Criteria for Processing Integrity

A

The entity implements policies and procedures to make available or deliver output completely, accurately, and timely to meet entity objectives

45
Q

PI1.5

Additional Criteria for Processing Integrity

A

The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives

46
Q

CI1.1

Additional Criteria for Confidentiality

A

The entity identifies and maintains confidential information to meet the entity’s confidentiality objectives

47
Q

CI1.2

Additional Criteria for Confidentiality

A

The entity disposes of confidential information to meet the entity’s confidentiality objectives

48
Q

P1.0

Additional Criteria for Privacy

A

Notice and communication of objectives related to privacy

49
Q

P2.0

Additional Criteria for Privacy

A

Choice and consent

50
Q

P3.0

Additional Criteria for Privacy

A

Collection

51
Q

P4.0

Additional Criteria for Privacy

A

Use, retention, and disposal

52
Q

P5.0

Additional Criteria for Privacy

A

Access

53
Q

P6.0

Additional Criteria for Privacy

A

Disclosure and notification

54
Q

P7.0

Additional Criteria for Privacy

A

Quality

55
Q

P8.0

Additional Criteria for Privacy

A

Monitoring and enforcement