SOC Engagement Planning Flashcards

1
Q

What is the purpose of the risk assessment in a SOC 2 engagement?

A

To obtain an understanding of how management prepares its system description, identifies the boundaries of the system, assesses risk, and monitors controls.

2
Q

What is included in the “boundaries” of the system?

A

Only the infrastructure, software, data, procedures, and employees necessary to provide services to user entities, and only insofar as those components relate to the TSC under examination.

3
Q

What are examples of a service organization?

A

AWS

4
Q

What is an example of a user organization?

A

My Company

5
Q

What is an example of a service auditor?

A

Deloitte

6
Q

What are the risk assessment procedures in a SOC 2 engagement?

A

Assessing the risk that controls were not suitably designed based on the trust services criteria

7
Q

What are two examples of suitable criteria for SOC for Cybersecurity examinations?

A

AICPA DC 100 Description Criteria and NIST Cybersecurity Framework

8
Q

What are the 3 criteria to be considered a “subservice organization”?

A

The third party's services affect the delivery of the service organization's services to user entities; they are important to understanding the service organization's system; and the third party's controls must be combined with the controls of the service organization to provide reasonable assurance of achieving the service organization's objectives.

9
Q

When do description misstatements occur?

A

When management improperly includes or omits information (i.e., statements that are not measurable or not relevant to the service organization's objectives increase the risk of material misstatement).

10
Q

When is the inclusive method appropriate?

A

When the subservice organization's system or controls are pervasive throughout the service organization's system.

11
Q

When does management’s description of the service organization's system also include the subservice organization’s control objectives and related controls?

A

When using the inclusive method

12
Q

What is meant by the “objectives” of the TSC?

A

It is the service organization's principal service commitments and system requirements.

13
Q

What is the focus of the confidentiality additional criteria?

A

It is the process a service organization uses to identify, train, protect, and dispose of confidential data.

14
Q

What makes a misstatement pervasive?

A

If it affects either a sizable part of the subject matter or the report users' understanding of the subject matter.

15
Q

AT-C 205 requires materiality be considered by the auditor during what phases of the audit?

A

Planning, performing, and reporting phases of an examination

16
Q

What is examined in a SOC 2 examination?

A

Management's system description is measured and evaluated against the AICPA’s DC Section 200.

17
Q

What does DC stand for?

A

Description Criteria

18
Q

Description Criteria

A
19
Q

What does DC Section 200 apply to?

A

SOC for System - Management’s Description

20
Q

What does DC Section 300 apply to?

A

SOC for Supply Chain examinations

21
Q

What does DC Section 400 apply to?

A

Does not exist!

22
Q

The Trust Service Criteria were developed using what framework?

A

COSO Internal Control - Integrated Framework

23
Q

What are the 5 components of the COSO Internal Control Framework?

A

Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring (CRIME)

24
Q

How does an auditor obtain an understanding of how a service organization communicates incident reporting information to a carved-out subservice organization?

A

The service auditor would most likely inspect the contract SLA or SOC 2 report pertaining to the subservice organization's services.

25
Q

What are CUECs?

A

Complementary user entity controls

26
Q

What is the purpose of a Walkthrough?

A

Commonly used to obtain an understanding of the system in a SOC 2 engagement.

27
Q

What procedures are commonly included as part of a walkthrough?

A

Inquiry, Inspection, Observation, and Reperformance

28
Q

When MUST the service organization use the carve-out method for the subservice organization?

A

When the subservice organization is not contractually required to participate in the SOC engagement.

29
Q

When the carve-out method is used, what is required in management’s description?

A

It must explicitly state that the description does not extend to complementary subservice organization controls (CSOCs).

30
Q

What is a requirement in the description in a SOC for Cybersecurity (DC 100 Description Criteria)?

A

It must include what principal types of sensitive information are created, collected, transmitted, and stored.