SOC Engagement Planning

Question 1

What is the purpose of the risk assessment in a SOC 2 engagement?

Answer 1

To obtain an understanding of how mgmt prepares its system description, identifies the boundries of the system, assesses risk, and monitors controls.

Question 2

What is included in the “boundries” of the system”?

Answer 2

Only, the infrastructure, software, data, procedures, and employees neccesary to provide services to user entities only insofar as those components relate to the TSC under examination.

Question 3

What are examples of a service organization?

Answer 3

AWS

Question 4

What is an example of a user organization?

Answer 4

My Company

Question 5

What is an example of a service auditor?

Answer 5

Deloitte

Question 6

What are the risk assessment procedures in a SOC 2 engagement?

Answer 6

Assessing the risk that controls were not suitably designed based on the trust services criteria

Question 7

What are two examples of suitable criteria for SOC for Cybersecurity examinations?

Answer 7

AICPA DC 100 Description Criteria and NIST Cybersecurity Framework

Question 8

What are the 3 criteria to be considered a “subservice organization”?

Answer 8

The 3rd parties services affect the delivery of the service organizations services to user entities, they are important to the understanding of the service orgs system, and the 3rd party controls must be combined with the controls of the service org to provide reasonable assurance of achieving the serv orgs objectives.

Question 9

When do description misstatements occur?

Answer 9

When mgmt improperly includes or omits information. (ie., statements that are not measurable of not relevant to service organizations objectives increase the risk of material misstatement.

Question 10

When is the inclusive method appropriate?

Answer 10

When the subservice organization system or controls are pervasive throughout the service orgs system.

Question 11

When does management’s description of the service orgs system also include the subservice organization’s control objectives and related controls?

Answer 11

When using the inclusive method

Question 12

What is meant by the “objectives” of the TSC?

Answer 12

It is the service organizations principal service commitments and system requirements.

Question 13

What is the focus of the confidentiality additional criteria?

Answer 13

It is the process a service org uses to identify, train, protect, and dispose of confidential data.

Question 14

What makes a misstatement pervasive?

Answer 14

If it affects either a sizable part of the subject matter or the report users undererstanding of the subject matter.

Question 15

AT-C 205 requires materiality be considered by the auditor during what phases of the audit?

Answer 15

Planning, performing, and reporting phases of an examination

Question 16

What is examined in a SOC 2 examination?

Answer 16

Managements system description is measured and evaluated against the AICPS’s DC Section 200

Question 17

What does DC stand for?

Answer 17

Description Criteria

Question 18

Description Criteria

Question 19

What does DC Section 200 apply to?

Answer 19

SOC for System - Management’s Description

Question 20

What does DC Section 300 apply to?

Answer 20

SOC for Supply Chain examinations

Question 21

What does DC Section 400 apply to?

Answer 21

Does not exist!

Question 22

The Trust Service Criteria were developed using what framework?

Answer 22

COSO Internal Control - Integrated Framework

Question 23

What are the 5 components of the COSO Internal Control Framework

Answer 23

Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring (CRIME)

Question 24

How does an auditor obtain an understanding of how a service organization communicates incident reporting information to a carved-out subservice organization?

Answer 24

The service auditor would most likely inspect the contract SLA or SOC 2 report pertaining to the subservice organizations services.

Question 25

What are CUECs?

Answer 25

Complimentary user entity controls

Question 26

What is the purpose of a Walkthrough?

Answer 26

Commonly used to obtain and understanding of the system in a SOC 2 engagement.

Question 27

What procedures are commonly included as part of a walkthrough?

Answer 27

Inquiry, Inspection, Observation, and Reperformance

Question 28

When MUST the service organization use the carve out method for the subservice organization?

Answer 28

When the subservice organization is not contractually required to participate in the SOC engagements

Question 29

When the carve out method is used, what is required in management’s description?

Answer 29

Must explicitly state that the description does not extend to complementary subservice organization controls (CSOCs)

Question 30

What is a requirement in the description in a SOC for Cybersecurity (DC 100 Description Criteria)?

Answer 30

Must include what principal type of sensitive info is created, collected, transmitted, and stored.