SOC Engagement Planning Flashcards
What is the purpose of the risk assessment in a SOC 2 engagement?
To obtain an understanding of how management prepares its system description, identifies the boundaries of the system, assesses risk, and monitors controls.
What is included in the “boundaries” of the system?
Only the infrastructure, software, data, procedures, and employees necessary to provide services to user entities, and only insofar as those components relate to the TSC under examination.
What are examples of a service organization?
AWS
What is an example of a user organization?
My Company
What is an example of a service auditor?
Deloitte
What are the risk assessment procedures in a SOC 2 engagement?
Assessing the risk that controls were not suitably designed based on the trust services criteria
What are two examples of suitable criteria for SOC for Cybersecurity examinations?
AICPA DC 100 Description Criteria and NIST Cybersecurity Framework
What are the 3 criteria to be considered a “subservice organization”?
The third party's services affect the delivery of the service organization's services to user entities; they are important to the understanding of the service organization's system; and the third party's controls must be combined with the controls of the service organization to provide reasonable assurance of achieving the service organization's objectives.
When do description misstatements occur?
When management improperly includes or omits information (e.g., statements that are not measurable or not relevant to the service organization's objectives increase the risk of material misstatement).
When is the inclusive method appropriate?
When the subservice organization's system or controls are pervasive throughout the service organization's system.
When does management’s description of the service organization's system also include the subservice organization’s control objectives and related controls?
When using the inclusive method
What is meant by the “objectives” of the TSC?
It is the service organization's principal service commitments and system requirements.
What is the focus of the confidentiality additional criteria?
It is the process a service organization uses to identify, train for, protect, and dispose of confidential data.
What makes a misstatement pervasive?
If it affects either a sizable part of the subject matter or the report users' understanding of the subject matter.
AT-C 205 requires that materiality be considered by the auditor during which phases of the audit?
Planning, performing, and reporting phases of an examination