SOC Engagement Planning Flashcards
What is the purpose of the risk assessment in a SOC 2 engagement?
To obtain an understanding of how management prepares its system description, identifies the boundaries of the system, assesses risk, and monitors controls.
What is included in the "boundaries" of the system?
The infrastructure, software, people, procedures, and data necessary to provide services to user entities, but only insofar as those components relate to the trust services criteria (TSC) under examination.
What are examples of a service organization?
AWS
What is an example of a user organization?
My Company
What is an example of a service auditor?
Deloitte
What are the risk assessment procedures in a SOC 2 engagement?
Assessing the risk that controls were not suitably designed based on the trust services criteria
What are two examples of suitable criteria for SOC for Cybersecurity examinations?
AICPA DC 100 Description Criteria and NIST Cybersecurity Framework
What are the 3 criteria to be considered a "subservice organization"?
The third party's services affect the delivery of the service organization's services to user entities; they are important to an understanding of the service organization's system; and the third party's controls must be combined with the controls of the service organization to provide reasonable assurance of achieving the service organization's objectives.
When do description misstatements occur?
When management improperly includes or omits information (i.e., statements that are not measurable or not relevant to the service organization's objectives increase the risk of material misstatement).
When is the inclusive method appropriate?
When the subservice organization's system or controls are pervasive throughout the service organization's system.
When does management's description of the service organization's system also include the subservice organization's control objectives and related controls?
When using the inclusive method
What is meant by the “objectives” of the TSC?
The service organization's principal service commitments and system requirements.
What is the focus of the confidentiality additional criteria?
The processes a service organization uses to identify, protect, retain, and dispose of confidential information.
What makes a misstatement pervasive?
If it affects either a sizable part of the subject matter or the report users' understanding of the subject matter.
AT-C 205 requires materiality be considered by the auditor during what phases of the audit?
Planning, performing, and reporting phases of an examination
What is examined in a SOC 2 examination?
Management's system description is measured and evaluated against the AICPA's DC Section 200, and the suitability of design (and, in a type 2 report, the operating effectiveness) of the controls is evaluated against the trust services criteria.
What does DC stand for?
Description Criteria
What does DC Section 200 apply to?
SOC 2 examinations: management's description of the service organization's system
What does DC Section 300 apply to?
SOC for Supply Chain examinations
What does DC Section 400 apply to?
Does not exist!
The Trust Service Criteria were developed using what framework?
COSO Internal Control - Integrated Framework
What are the 5 components of the COSO Internal Control Framework?
Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring (CRIME)
How does an auditor obtain an understanding of how a service organization communicates incident reporting information to a carved-out subservice organization?
The service auditor would most likely inspect the contract or SLA with the subservice organization, or the SOC 2 report pertaining to the subservice organization's services.
What are CUECs?
Complementary user entity controls
What is the purpose of a Walkthrough?
Commonly used to obtain an understanding of the system in a SOC 2 engagement.
What procedures are commonly included as part of a walkthrough?
Inquiry, Inspection, Observation, and Reperformance
When MUST the service organization use the carve-out method for the subservice organization?
When the subservice organization is not contractually required to participate in the SOC engagement (and so cannot be included).
When the carve-out method is used, what is required in management's description?
It must explicitly state that the subservice organization's controls are excluded from the description, and identify the complementary subservice organization controls (CSOCs) assumed in the design of the service organization's controls.
What is a requirement in the description in a SOC for Cybersecurity (DC 100 Description Criteria)?
It must include the principal types of sensitive information that are created, collected, transmitted, and stored.