S4-m3 Flashcards
For SOC 1 engagements, a vendor used by a service organization is considered a subservice organization if:
-the services provided by the vendor are likely relevant to user entities' internal control over financial reporting
-controls implemented at the subservice organization are necessary to achieve the control objectives stated in management's description of the service organization's system
For SOC 2/3 engagements, a vendor used by a service organization is considered a subservice organization only if:
-the services provided by the vendor are relevant to report users' understanding of the service organization's system as it relates to the applicable trust services criteria
-controls at the subservice organization are necessary, in combination with the service organization's controls, to provide reasonable assurance that the service commitments and system requirements are achieved
A subservice organization can be:
-a separate entity that is external to the service organization
-a related entity, such as a subsidiary of the parent company that owns the service organization
CSOCs
Complementary Subservice Organization Controls
Carve-out Method
Method of addressing the services provided by a subservice organization in which the CSOCs of the subservice organization are EXCLUDED from the description of the service organization's system and from the scope of the engagement
The carve-out method identifies…
- The nature of the services performed by the subservice organization
- The types of controls EXPECTED to be performed at the subservice organization that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the control objectives stated in management's description of the service organization's system (SOC 1) or the service organization's service commitments and system requirements (SOC 2) were achieved. These may include logical access controls, controls relevant to the completeness and accuracy of processing transactions, or controls relevant to accurate and complete reporting.
- The controls at the service organization used to monitor the effectiveness of the subservice organization's controls
Inclusive Method
Method of addressing the services provided by a subservice organization in which the description of the service organization's system INCLUDES a description of:
1. The nature of the services provided by the subservice organization
2. The components of the subservice organization's system used to provide services to the service organization, including the subservice organization controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the control objectives stated in management's description of the service organization's system (SOC 1) or the service organization's service commitments and system requirements (SOC 2) were achieved
When is an inclusive report most useful?
-the services provided by the subservice organization are extensive
-a type 1 or type 2 report that meets the needs of report users is not available from the subservice organization
-information about the subservice organization is not readily available from other sources
When is the carve-out method most practical?
-the challenges entailed in implementing the inclusive method are sufficiently onerous that it is not practical to use the inclusive method
-the service auditor is not independent of the subservice organization
-a type 1 or type 2 service auditor's report on the subservice organization that meets user needs is available
-the service organization is unable to obtain contractual or other commitment from the subservice organization regarding its willingness to be included in the SOC 2 engagement
When would management not use the carve-out method?
When the subservice organization's services and controls have a pervasive effect on the service organization's system.
If the carve-out method was used, the service auditor's report should include a statement indicating:
-management's description of the service organization's system excludes the control objectives and related controls at relevant subservice organizations
-certain control objectives specified by the service organization can be achieved only if complementary subservice organization controls assumed in the design of the service organization's controls are suitably designed and operating effectively
-the service auditor's procedures do not extend to such complementary subservice organization controls
If the inclusive method was used, the service auditor should include a statement that…
-management's description of the service organization's system includes the subservice organization's specified control objectives and related controls, and
-the service auditor's procedures included procedures related to the subservice organization
Common examples of Complementary User Entity Controls (CUECs)
-security monitoring
-managed service provider environment changes
-encrypted financial data
-physical access controls
-authorization policies
Key differences between CSOC and CUEC
CSOCs are controls that a subservice organization must execute in order for a service organization's controls to function effectively, whereas CUECs are controls a user organization must employ for the service organization's controls to function.
When and where in the auditor's report will a statement be needed about the impact of the Complementary User Entity Controls (CUECs) and/or CSOCs?
If the CUECs and/or CSOCs are considered necessary to achieve the related control objectives stated in management's description, the report must include a statement to that effect in the opinion section of the report.