S4-m4 Flashcards

1
Q

The service auditor, when auditing the service organization, is required to:

A

-establish, prior to acceptance of the SOC engagement, an understanding with service organization management about its responsibilities and those of the service auditor
-communicate with the management of the service org
-determine the appropriate persons within the service organization's management or governance structure with whom to interact

2
Q

The objectives of the service auditor are to:

A

obtain reasonable assurance about whether, in all material respects, based on suitable criteria:
-management's description of the service organization system fairly presents the system that was designed and implemented
-the controls related to the control objectives stated were suitably designed
-when included in the scope, the controls operated effectively
-report in accordance with the service auditor's findings

3
Q

During planning of any SOC engagement, the service auditor is responsible for:

A

-determining whether to accept or continue the engagement
-agreeing on engagement terms
-reaching an understanding with management regarding a written assertion

4
Q

During planning of a SOC 1 engagement, the service auditor is also responsible for:

A

-assessing the risk of material misstatement
-obtaining an understanding of the service org's system and assessing the suitability of the criteria used by management in preparing its system description

5
Q

During planning of a SOC 2 & 3 engagement, the service auditor is also responsible for:

A

-establishing an overall strategy for the engagement; sets scope, timing, and direction
-performing risk assessment procedures; how system controls were designed, implemented, and operated to provide reasonable assurance

6
Q

Agreed upon engagement terms

Service auditor and service organization

A

-objectives and scope
-responsibilities of the service auditor and the responsible party, including the responsibility of management to provide a representation letter
-identification of the criteria used to measure, evaluate, or disclose information about the subject matter
-acknowledgment that the engagement will be conducted in accordance with attestation standards established

7
Q

Service Organization and Service Auditor

Independence Considerations

A

the service auditor needs to be independent with respect to the responsible party. The responsible party is most often the service organization

8
Q

Subservice Organization and Service Auditor

Independence Considerations

A

If management elects to use the inclusive method, then the subservice organization management is a responsible party and should be independent of the service auditor

9
Q

What should the service auditor do when they lack independence?

A

when the service auditor is required by law to accept the engagement, the service auditor should disclaim an opinion and should specifically state that the service auditor is not independent

10
Q

The service auditor's consideration of materiality should include…

SOC 1

A

the fair presentation of the description of the service organization's system

11
Q

Fair presentation of the description relates to…

The concept of materiality

A

the information being reported on, not the financial statements of user entities

12
Q

Materiality relates to…

SOC 1

A

qualitative factors, such as whether significant aspects of the processing have been included in the description or if relevant information has been omitted or distorted

13
Q

Quantitative factors

Materiality with respect to SOC 1 Type 2

A

The tolerable and observed rate of deviations

14
Q

Qualitative factors

Materiality with respect to SOC 1 Type 2

A

The nature and cause of deviations

15
Q

Materiality can be described as:

SOC 2

A

-the likelihood and magnitude of the risks that threaten the achievement of the service organization's service commitments and system requirements
-whether the controls the service organization has designed, implemented, and operated were effective in mitigating those risks to an acceptable level based on the applicable trust services criteria

16
Q

The service auditor should consider the nature of threats…

SOC 2

A

and the likelihood and magnitude of the risks arising from those threats to the achievement of the service organization's service commitments and system requirements

17
Q

Description Misstatement

A

The term used when describing errors or omissions in the description of the service organization's system

18
Q

Deviation Expectation

A

identified misstatements resulting from the failure of a control to operate in a specified instance. A deviation may result in a deficiency

19
Q

Deficiency in the design

A

when a control necessary to meet control objectives is missing or improperly designed so that even if it operates as designed, control objectives would not be achieved

20
Q

Deficiency in the operating effectiveness

A

when a properly designed control fails to operate as designed or when the person performing the control does not possess the competency necessary to perform the control effectively

21
Q

In a SOC 2 engagement what is a system?

A

a system is defined as the infrastructure, software, procedures, and data that are designed, implemented, and operated by people to achieve one or more of the organization's specific business objectives in accordance with management-specified requirements

22
Q

What are the boundaries of a system?

A

the specific aspects of a service organization's infrastructure, software, people, procedures, and data necessary to provide its services
-need to be clearly defined and communicated to report users in a SOC engagement

23
Q

Service commitments are…

A

declarations made by service organization management to user entities and others about the system used to provide the service

24
Q

System requirements are…

A

specifications regarding how the system should function to meet the service organization's service commitments, to comply with relevant laws and regulations and guidelines of industry groups, and to achieve other objectives of the service organization that are relevant to the trust services category or categories addressed by the description
-also define how the system should function to meet commitments, comply with laws

25
Q

Objectives and sub-objectives relate to:

A

-the achievement of service commitments made to user entities related to the system used to provide the services and system requirements necessary to achieve those commitments
-service commitments may also be established for one or more of the trust service categories addressed by the description
-compliance with laws and regulations regarding the provision of the services by the system
-the achievement of the other objectives the service org has for the system

26
Q

A service organization's management is responsible for:

A

-achieving its service commitments and system requirements
-disclosing the principal system requirements and service commitments in the system description in a manner that allows SOC 2 report users to understand how the controls operate and how management and the service auditor evaluated the suitability of the controls
-disclosing service commitments that are relevant to the common needs of the broad range of SOC 2 report users

27
Q

When deciding whether the disclosures stated in the description are appropriate, the service auditor should consider whether:

A

-the service commitments are presented in sufficient detail for report users to understand the relationship between the controls implemented by the service organization, the service commitments and system requirements
-the description summarizes the principal service commitments that are common to such report users when the SOC 2 report is designed for a broad range of users

28
Q

In a SOC engagement, when does risk assessment begin?

A

it begins with the service organization identifying and assessing the types, likelihood, and impact of risks that affect the preparation of the description, the suitability of the design of controls, and the operating effectiveness of controls (type 2) within the system

29
Q

Risks in a SOC engagement

A

-intentional and unintentional internal and external acts
-identified threats and vulnerabilities to, and deficiencies of, the system
-use of subservice organizations that store, process, or transmit sensitive info
-type of employee personnel with access to the system
-a lack of CUECs or CSOCs

30
Q

Inherent risks

A

the risk present before the consideration of controls

31
Q

In all SOC engagements risk assessment primarily focuses on…

A

inherent risks that affect the preparation of the description of the system and the effectiveness of the service organization's controls

32
Q

In a T1 or T2 engagement, the risk of material misstatement relates to the risk that, in all material respects based on the criteria in management's assertion:

A

1. Management's description of the service org system is not fairly presented
2. the controls are not suitably designed to provide reasonable assurance that the control objectives stated in management's description of the service org system would be achieved if the controls operated effectively
3. the controls did not operate effectively throughout the specified period to achieve the related control objectives stated in management's description of the service organization's system

33
Q

The service auditor's risk assessment procedures to obtain an understanding of the service organization's system may include:

A

-inquiry
-observing operations and inspecting documents
-inspecting a selection of agreements between service org and its user entities and business partners
-reperforming the application of a control
-reading relevant reports received from regulators, internal auditors, or other specialists

34
Q

Service auditor's risk assessment procedures may be performed:

A

-within a walk-through
-concurrently with procedures performed to obtain info about whether system description is presented in accordance with the description criteria and whether the controls were suitably designed and operated effectively to meet objectives

35
Q

The service auditor should also perform risk assessment procedures to identify any fraud risk or risk of noncompliance with laws or regulations. Risks include:

A

-management override of controls
-misappropriation of assets
-the creation of false or misleading documents or records

36
Q

Materiality definitions and interpretations vary between SOC 1 and SOC 2 engagements but in both cases, the service auditor is required:

A

to reassess materiality if the auditor obtains new information that would have caused the auditor to assess the initial materiality differently