S4-m3

Question 1

For SOC 1 engagement’s, a vendor used by a service organization is considered a subservice organization if:

Answer 1

-the services provided by the vendor are likely relevant to user entities internal control over financial reporting
-controls implemented at the subservice organization are necessary to achieve the control objectives stated in managements description of the service organizations system

Question 2

For SOC 2/3 engagements, a vendor used by a service organization is considered a subservice organization only if:

Answer 2

-the services provided by the vendor are relevant to report users understanding of the service organizations system as it related to the applicable trust services criteria
-controls at the subservice organization are necessary, in combination with the service organizations controls to provide reasonable assurance that the service commitments and system requirements are achieved

Question 3

A subservice can be a:

Answer 3

-separate entity that is external to the service organization
-a related entity, such as a subsidiary of the parent company
that owns the service organization

Question 4

CSOCs

Answer 4

Complementary Subservice Organization Controls

Question 5

Carve-out Method

Answer 5

Method of addressing the services provided by a subservice organization in which the CSOCs of the subservice organization are EXCLUDED from the description of the service organizations system and from the scope of the engagement

Question 6

The carve-out method identifies…

Answer 6

1. The nature of the services performed by the subservice organization
2. The types of controls EXPECTED to be performed at the subservice organization that are necessary in combo with controls at the service org, to provide reasonable assurance that the control objectives stated in managements description of the service organizations system SOC 1 or the service organizations service commitments and system requirements SOC 2 were achieved. These may include logical access controls, controls relevant to the completeness and accuracy of processing transactions, or controls relevant to accurate and complete reporting.
3. The controls at the service organization used to monitor the effectiveness of the subservice organization controls

Question 7

Inclusive Method

Answer 7

Method of addressing the services provided by a subservice organization in which the description of the service organizations system INCLUDES a description of:
1. The nature of the services provided by the subservice organization
2. The components of the subservice organizations system used to provide services to the service organization, including the subservice organization controls that are necessary, in combination with controls at the service organization to provide reasonable assurance that the control objectives stated in managements description of the service organizations system (SOC 1) or the service organizations service commitments and system requirements (SOC 2) were achieved

Question 8

When is an inclusive report most useful?

Answer 8

-the services provided by the subservice organization are extensive
-a type 1 or type 2 report that meets the needs of report users is not available from the subservice org
-info about the subservice organization is not readily available from other sources

Question 9

When is the carve out method most practical?

Answer 9

-challenges entailed in implementing the inclusive method are sufficiently onerous, and it is not practical to use the inclusive method
-service auditor is not independent of the subservice organization
-a type 1 or type 2 service auditors report on the subservice organization, meeting user needs is available
-the service organization is unable to obtain contractual or other commitment from the subservice organization regarding its willingness to be included in the SOC 2 engagement

Question 10

When would management not use the carve out method?

Answer 10

When the subservice organizations services and controls have a pervasive effect on the service organizations system.

Question 11

If the carve out method was used, the service auditors report should include a statement indicating:

Answer 11

-managements description of the service organizations system excludes the control objectives and related controls at relevant subservice organizations
-Certain control objectives specified by the service organization can be achieved only if complementary subservice organization controls assumed in the design of the service organizations controls are suitably designed and operating effectively
-the service auditors procedures do not extend to such complementary subservice organization controls

Question 12

If the inclusive method was used, the service auditor should include a statement that…

Answer 12

-managements description of the service organizations system includes the subservice organizations specified control objectives and related controls and
- the service auditors procedures included procedures related to the subservice org

Question 13

Common examples of Complementary User Entity Controls (CUECs)

Answer 13

-security monitoring
-managed service provider environment changes
-encrypted financial data
-physical access controls
-authorization policies

Question 14

Key differences between CSOC and CUEC

Answer 14

CSOCs are controls that a subservice organization must execute in order for a service organizations controls to function effectively, whereas, CUECs are controls a user organization must employ for the service organization controls to function.

Question 15

When and where in the auditors report will a statement be needed about the impact of the complementary User Entity Controls (CUECs) and/or CSOCs

Answer 15

if the CUECs and or CSOCs are considered necessary to achieve the related control objectives stated in managements description, the report must include a statement to that effect in the opinion of the report

Question 16

The service auditor expresses a qualified opinion if…

SOC 1

Answer 16

the misstatements in managements description of the service organizations system or deficiencies in the suitability of the design or operating effectiveness (T2) of the controls are limited to one or more, but not all, aspects of the description of the service organizations system or control objectives and do not affect the service auditors opinion on other aspects of the description of the service organizations system or control objectives

Question 17

The service auditor expresses a qualified opinion when

SOC 2

Answer 17

-the service auditor concludes that description misstatements, individually or in the aggregate, are material but not pervasive, or deficiencies in the design or operation (T2) of controls are material but not pervasive
-the service auditor is unable to obtain sufficient appropriate evidence on which to base the opinion, and the service auditor has concluded that the possible effects on the subject matter of undetected description misstatement could be material but not pervasive

Question 18

When issuing a qualified opinion, what parts of the report are modified?

Answer 18

-the service auditors opinion paragraph should be amended
-a separate paragraph describing matters giving rise to modification should be included
-the service auditors responsibilities (SOC 2) should be amended

Question 19

A disclaimer of opinion is expressed when the service auditor…

Answer 19

is unable to obtain sufficient appropriate evidence on which to base the opinion, and the possible effects on the subject matter of undetected misstatements could be both material and pervasive

Question 20

When issuing a disclaimer of opinion, which statements in the service auditors report are omitted?

Answer 20

statements
-indicating what those standards require of the practitioner
-indicating that the practitioner believes the evidence obtained is sufficient and appropriate to provide a reasonable basis for the service auditors opinion
-describing the nature of an examination engagement

Question 21

Elements of a Service Auditors Report

Qualified Opinon

Answer 21

-Title
-addressee
-scope
-service organizations responsibilities
-service auditor responsibilities
-inherent limitations
-description of tests of controls (type 2)
-Other matter (type 1)
-Qualified opinion: a separate paragraph, before the opinion that provides a description of the matters giving rise to the modification
-restricted use
- service auditor signature
- Service auditor city and state
- date of report

Question 22

Report paragraphs describing matters giving rise to modification:

Answer 22

• a separate paragraph should be added to the service auditors report to explain the matter giving rise to modification when a service auditor concludes that a modified opinion is appropriate based on the evidence obtained during a SOC engagement
• a separate paragraph would be added when the description includes controls that have not been implemented
• a separate paragraph would be added to the auditors report preceding the opinion paragraph when the auditor concludes the controls are not suitably designed

Question 23

For SOC 1 reports CUECs impact the report by

Answer 23

-any relevant CUECs that ensure control objectives are met should be described in the system description
-it is recommended that a statement be made, if applicable, that a service organizations controls could only be achieved if CUECs are designed and operating effectively

Question 24

For SOC 2 reports CUECs impact the report by

Answer 24

• description should also include relevant CUECs and a statement that user entities are responsible for those controls
  -state that the engagement did not include an evaluation of whether the CUECs were evaluated for design suitability or operating effectiveness
  -include language about how CUECs interact with the service organization controls