S4-m3 Flashcards

1
Q

For SOC 1 engagements, a vendor used by a service organization is considered a subservice organization if:

A

-the services provided by the vendor are likely relevant to user entities' internal control over financial reporting
-controls implemented at the subservice organization are necessary to achieve the control objectives stated in management's description of the service organization's system

2
Q

For SOC 2/3 engagements, a vendor used by a service organization is considered a subservice organization only if:

A

-the services provided by the vendor are relevant to report users' understanding of the service organization's system as it relates to the applicable trust services criteria
-controls at the subservice organization are necessary, in combination with the service organization's controls, to provide reasonable assurance that the service commitments and system requirements are achieved

3
Q

A subservice organization can be a:

A

-a separate entity that is external to the service organization
-a related entity, such as a subsidiary of the parent company that owns the service organization

4
Q

CSOCs

A

Complementary Subservice Organization Controls

5
Q

Carve-out Method

A

Method of addressing the services provided by a subservice organization in which the CSOCs of the subservice organization are EXCLUDED from the description of the service organization's system and from the scope of the engagement

6
Q

The carve-out method identifies…

A
  1. The nature of the services performed by the subservice organization
  2. The types of controls EXPECTED to be performed at the subservice organization that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the control objectives stated in management's description of the service organization's system (SOC 1) or the service organization's service commitments and system requirements (SOC 2) were achieved. These may include logical access controls, controls relevant to the completeness and accuracy of processing transactions, or controls relevant to accurate and complete reporting.
  3. The controls at the service organization used to monitor the effectiveness of the subservice organization's controls

7
Q

Inclusive Method

A

Method of addressing the services provided by a subservice organization in which the description of the service organization's system INCLUDES a description of:
1. The nature of the services provided by the subservice organization
2. The components of the subservice organization's system used to provide services to the service organization, including the subservice organization's controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the control objectives stated in management's description of the service organization's system (SOC 1) or the service organization's service commitments and system requirements (SOC 2) were achieved

8
Q

When is an inclusive report most useful?

A

-the services provided by the subservice organization are extensive
-a type 1 or type 2 report that meets the needs of report users is not available from the subservice organization
-information about the subservice organization is not readily available from other sources

9
Q

When is the carve-out method most practical?

A

-the challenges entailed in implementing the inclusive method are sufficiently onerous that it is not practical to use the inclusive method
-the service auditor is not independent of the subservice organization
-a type 1 or type 2 service auditor's report on the subservice organization, meeting user needs, is available
-the service organization is unable to obtain a contractual or other commitment from the subservice organization regarding its willingness to be included in the SOC 2 engagement

10
Q

When would management not use the carve-out method?

A

When the subservice organization's services and controls have a pervasive effect on the service organization's system.

11
Q

If the carve-out method was used, the service auditor's report should include a statement indicating:

A

-management's description of the service organization's system excludes the control objectives and related controls at relevant subservice organizations
-certain control objectives specified by the service organization can be achieved only if complementary subservice organization controls assumed in the design of the service organization's controls are suitably designed and operating effectively
-the service auditor's procedures do not extend to such complementary subservice organization controls

12
Q

If the inclusive method was used, the service auditor should include a statement that…

A

-management's description of the service organization's system includes the subservice organization's specified control objectives and related controls, and
-the service auditor's procedures included procedures related to the subservice organization

13
Q

Common examples of Complementary User Entity Controls (CUECs)

A

-security monitoring
-managed service provider environment changes
-encrypted financial data
-physical access controls
-authorization policies

14
Q

Key differences between CSOCs and CUECs

A

CSOCs are controls that a subservice organization must execute in order for a service organization's controls to function effectively, whereas CUECs are controls a user organization must employ for the service organization's controls to function.

15
Q

When and where in the auditor's report will a statement be needed about the impact of Complementary User Entity Controls (CUECs) and/or CSOCs?

A

If the CUECs and/or CSOCs are considered necessary to achieve the related control objectives stated in management's description, the report must include a statement to that effect in the report's opinion.

16
Q

The service auditor expresses a qualified opinion if…

SOC 1

A

the misstatements in management's description of the service organization's system, or deficiencies in the suitability of the design or operating effectiveness (type 2) of the controls, are limited to one or more, but not all, aspects of the description of the service organization's system or control objectives and do not affect the service auditor's opinion on other aspects of the description of the service organization's system or control objectives

17
Q

The service auditor expresses a qualified opinion when…

SOC 2

A

-the service auditor concludes that description misstatements, individually or in the aggregate, are material but not pervasive, or that deficiencies in the design or operation (type 2) of controls are material but not pervasive
-the service auditor is unable to obtain sufficient appropriate evidence on which to base the opinion, and the service auditor has concluded that the possible effects on the subject matter of undetected description misstatements could be material but not pervasive

18
Q

When issuing a qualified opinion, what parts of the report are modified?

A

-the service auditor's opinion paragraph should be amended
-a separate paragraph describing the matters giving rise to the modification should be included
-the service auditor's responsibilities section (SOC 2) should be amended

19
Q

A disclaimer of opinion is expressed when the service auditor…

A

is unable to obtain sufficient appropriate evidence on which to base the opinion, and the possible effects on the subject matter of undetected misstatements could be both material and pervasive

20
Q

When issuing a disclaimer of opinion, which statements in the service auditor's report are omitted?

A

statements:
-indicating what those standards require of the practitioner
-indicating that the practitioner believes the evidence obtained is sufficient and appropriate to provide a reasonable basis for the service auditor's opinion
-describing the nature of an examination engagement

21
Q

Elements of a Service Auditor's Report

Qualified Opinion

A

-title
-addressee
-scope
-service organization's responsibilities
-service auditor's responsibilities
-inherent limitations
-description of tests of controls (type 2)
-other matter (type 1)
-qualified opinion: a separate paragraph, before the opinion, that provides a description of the matters giving rise to the modification
-restricted use
-service auditor's signature
-service auditor's city and state
-date of report

22
Q

Report paragraphs describing matters giving rise to modification:

A
  • a separate paragraph should be added to the service auditor's report to explain the matter giving rise to the modification when a service auditor concludes that a modified opinion is appropriate based on the evidence obtained during a SOC engagement
  • a separate paragraph would be added when the description includes controls that have not been implemented
  • a separate paragraph would be added to the auditor's report, preceding the opinion paragraph, when the auditor concludes that the controls are not suitably designed

23
Q

For SOC 1 reports, CUECs impact the report by:

A

-any relevant CUECs that ensure control objectives are met should be described in the system description
-it is recommended that a statement be made, if applicable, that a service organization's controls could only be achieved if CUECs are designed and operating effectively

24
Q

For SOC 2 reports, CUECs impact the report by:

A
  • the description should also include relevant CUECs and a statement that user entities are responsible for those controls
    -state that the engagement did not include an evaluation of the CUECs' design suitability or operating effectiveness
    -include language about how CUECs interact with the service organization's controls