SOC Planning and Performance Flashcards

1
Q

What is the job of SERVICE AUDITORS in SOC 1 examinations?

A

Service Auditors determine if management’s description of the service organization’s system is FAIRLY STATED IN ALL MATERIAL RESPECTS, based on the criteria in management’s assertion

2
Q

What is a FAIRLY STATED management description of the service organization’s system?

A

It is one that meets the needs of the intended report users

3
Q

What does a SOC 1 EXAMINATION do?

A

It provides assurance about how the service organization affects user entities’ internal controls over financial reporting

4
Q

What should the service auditor do to determine if MISSTATEMENTS are MATERIAL?

A
  • Consider the effect of uncorrected mistakes
  • Whether misstatements are significant enough to suggest a failure to meet specific criteria
5
Q

What is an UNQUALIFIED OPINION?

A
  • This opinion provides the reader of the financial statements assurance that the financial statements give a true and fair view, meaning they are free from misstatements or errors
  • “UNQUALIFIED OPINION WITH AN EMPHASIS ON MATTER” statement is also a good opinion to have.
6
Q

What is a QUALIFIED OPINION?

A

It is an opinion that indicates that the financial statements are true and fair, except for ONE issue

7
Q

What is an ADVERSE opinion?

A

It is an opinion that indicates to financial statement users that the auditors conclude that the financial statements don’t give a true and fair view

8
Q

What is a SCOPE LIMITATION?

A

This opinion arises when the auditor cannot obtain enough audit evidence to conclude whether the financial statements as a whole are free from material misstatements

9
Q

Who are the intended users of a SOC 2 report?

A
  • Service organization management
  • Specified parties who have sufficient knowledge and understanding of its system
  • SOC 2 IS A RESTRICTED REPORT, meaning that intended users must have a direct relationship with the service organization
10
Q

What do SOC 2 reports REPORT ON?

A
  • They provide assurance about CONTROLS related to SECURITY, AVAILABILITY, PROCESSING INTEGRITY, CONFIDENTIALITY, AND PRIVACY (AKA SOC 2 Trust Services Criteria)
  • SOC 2 reports help user entities understand a service organization’s system and controls
11
Q

For each vendor that management classifies as a SUBSERVICE ORGANIZATION, management must choose to use:

A
  • INCLUSIVE or CARVE-OUT method
  • These methods provide report users with the info necessary to assess the full set of controls included in the service organization’s system
12
Q

What happens under the CARVE-OUT METHOD?

A
  • Management explains the nature of the subservice organization’s services but not its controls, in the description of the service organization’s system
  • Complementary User Entity Controls (CSOC) are reported separately after management’s system description
13
Q

What do the boundaries of a service organization’s system include?

A

Infrastructure
Software
Data
Procedures
Employees

14
Q

If a utility company provides no other services:

A

Management would classify it as a VENDOR

15
Q

To classify a 3rd party provider as a SUBSERVICE ORGANIZATION, all of the following apply except:

A
  • 3rd party’s services affect the delivery of the service organization’s services to user entities
  • 3rd party’s services are important to user entities of the service organization’s system
  • 3rd party’s controls must be combined with the service organization’s controls to provide reasonable assurance of achieving the service organization’s objectives
16
Q

What is an example of when a service organization would classify the 3rd party as a vendor, and NOT a subservice organization?

A
  • When the service organization’s controls include monitoring the 3rd party’s technology
  • If the service organization’s controls are sufficient by themselves, management doesn’t need to explain the vendor’s services in the description of the system
17
Q

What is DC?

A

Description Criteria for a Description of a Service Organization’s System in a SOC 2 report

18
Q

DC Section 100

A
  • SOC for Cybersecurity examinations
  • The type of info that needs to be disclosed in this examination includes the principal types of sensitive info created, collected, transmitted, used, or stored
19
Q

DC Section 200

A

SOC for organization’s system description

20
Q

DC Section 300

A

SOC for Supply Chain examinations

21
Q

When do description misstatements occur?

A
  • They occur when management improperly includes or omits information
  • Statements that are not measurable increase the risk of material misstatement
22
Q

What does management’s description of the service organization’s system also include WHEN the INCLUSIVE method is used for 1+ subservice organizations?

A

It includes the subservice organization’s control objectives and controls

23
Q

In all SOC examinations (NOT SOC 1), what serves as suitable criteria for measuring/evaluating controls?

A

Trust Services Criteria (AICPA)

24
Q

The AICPA Trust Services Criteria ___ with the COSO Framework and EXTEND the guidance to measure or evaluate controls related to security, availability, processing integrity, confidentiality, or privacy

A

ALIGN

25
Q

Supplemental trust services criteria ____ upon COSO Internal Control, part of the control activities component

A

EXPAND

26
Q

Supplemental trust services criteria relate to what?

A

Logical and physical access controls
System operations
Change management
Risk mitigation

27
Q

All SOC 2 examinations must include what category?

A

Security

28
Q

What does the Trust Services Criteria address?

A

They address the relevant aspects of a CYBERSECURITY PROGRAM

29
Q

What are Complementary User Entity Controls?

A

They are controls which a service organization’s management has assumed would be implemented by user entities to provide assurance that the service organization’s objectives would be achieved

30
Q

Regarding subsequent discovery of facts, the service auditor may seek the service organization’s _____ in performing additional procedures and revising the report. HOWEVER, the service organization MAY REFUSE TO notify intended users NOT to rely on the report.

A

COOPERATION

31
Q

What is one precondition to a SOC examination?

A

Management must take responsibility for identifying risks (AKA service organization must perform its own risk assessment BEFORE a SOC examination)

32
Q

When a service organization’s management chooses the CARVE-OUT METHOD for a subservice organization during a SOC engagement, what must management’s description explicitly state?

A

It must state that the description does not extend to complementary subservice organization controls (CSOCs)

33
Q

During a SOC 1 examination, if a service auditor identifies a misstatement, what should they do?

A
  • They should tell the service organization management to modify the description
  • This action allows the service auditor to maintain independence and allows management to explain the discrepancy
34
Q

Service auditors performing SOC engagements should be___ of the service organization and any SUBSERVICE organizations using the INCLUSIVE METHOD

A

INDEPENDENT

35
Q

Do service auditors need to be INDEPENDENT of USER ENTITIES?

A

NO

36
Q

Who are intended users of SOC 2 reports?

A

User entities and business partners

37
Q

To classify a vendor as a SUBSERVICE ORGANIZATION, ALL of the following must apply

A
  • The 3rd party’s services affect the delivery of the service organization’s services to user entities
  • The 3rd party’s services are important to user entities’ understanding of the new service organization’s system
  • The 3rd party’s controls must be combined with the service organization’s controls to provide reasonable assurance of achieving the service organization’s control objectives
38
Q

A service auditor needs a ___ from the management of the service organization during the reporting phase of a SOC engagement

A

REPRESENTATION LETTER
The representation letter should be the same date as the service auditor’s report

39
Q

In a SOC 2 examination, what must the responsible party provide in the management representation letter?

A

The letter must state that the responsible party (the service organization’s management) has provided access to all relevant info.

40
Q

If the subservice organization is not CONTRACTUALLY required to participate in the SOC engagement, what happens?

A

The service organization’s management must use the carve-out method for the subservice organization

41
Q

Many of the trust services criteria include what phrase?

A

“To meet the entity’s objectives”

42
Q

Where does the term “objective” come from?

A

COSO Internal Control–Integrated Framework, because the Trust Services Criteria was developed from this

43
Q

Service auditors performing SOC engagements must be ___ of service organizations and ALL SUBSERVICE organizations under the INCLUSIVE METHOD

A

INDEPENDENT

44
Q

The boundaries of a service organization’s system includes what?

A

Infrastructure
Software
Data
Procedures
Employees necessary to provide services to user entities

45
Q

What is INFRASTRUCTURE?

A

It comprises the physical and virtual IT hardware
Facilities
Servers
Storage
Networks

46
Q

What is the only assertion management would make in a SOC 3 engagement?

A

That the controls included in the description of the system OPERATED EFFECTIVELY throughout a period based on the trust services criteria

47
Q

What are 2 threats to independence?

A

1) Management participation
2) Self-review

48
Q

What criteria must a fairly stated description in a SOC 2 examination meet?

A

DC 200 Description Criteria

49
Q

What is materiality in the eyes of a service auditor?

A
  • Misstatements
  • Qualitative and quantitative factors
  • Circumstances, nature, size, and extent of misstatements
50
Q

What are service commitments?

A

They are promises the service organization made to customers regarding the performance of its systems

51
Q

For each vendor classified as a subservice organization, the service organization must choose whether to use:

A

Inclusive method OR
Carve-out method

52
Q

In order for a subservice organization to be treated under the INCLUSIVE METHOD, what must happen?

A
  • The subservice organization must agree to be a responsible party (must make written assertions, cooperate with the service auditor’s examination, and provide a management representation letter)
  • IF the subservice organization refused to cooperate, then the CARVE-OUT method would be used
53
Q

Trust Services Criteria is used for SOC 2 and SOC 3 for

A

Measuring or evaluating controls

54
Q

Out of the 5 Trust Services Criteria categories, which one must be included by the SOC 2 examination?

A

SECURITY

55
Q

Which 2 SERIES of the Trust Services Criteria apply to all 5 Trust Services CATEGORIES of Security, Availability, Processing Integrity, Confidentiality, and Privacy?

A

COMMON
SUPPLEMENTAL

56
Q

With whom can the SOC 1 report be shared?

A

User entities
User auditors

57
Q

Who would be an appropriate intended user of SOC 2 report?

A

Business partners

58
Q

Who is a NONISSUER?

A

IT IS A COMPANY that is not subject to regulation by the SEC, but they must follow AICPA standards

59
Q

Who would be interested in a SOC 2 report?

A

Government regulators

60
Q

What are service auditors not required to do regarding subsequently discovered facts?

A

They are not required to perform procedures regarding subsequently discovered facts

61
Q

What are the 4 phases of a SOC engagement?

A

1) Acceptance
2) Planning
3) Performing
4) Reporting

62
Q

What does AT-C 320 list?

A

Control criteria to evaluate the subject matter of SOC 1 examinations

63
Q

What does AT-C 205 list?

A

It lists performance and reporting requirements