SOC Planning and Performance Flashcards
What is the job of SERVICE AUDITORS in SOC 1 examinations?
Service Auditors determine if management’s description of the service organization’s system is FAIRLY STATED IN ALL MATERIAL RESPECTS, based on the criteria in management’s assertion
What is a FAIRLY STATED management description of the service organization’s system?
It is one that meets the needs of the intended report users
What does a SOC 1 EXAMINATION do?
It provides assurance about how the service organization affects user entities’ internal controls over financial reporting
What should the service auditor do to determine if MISSTATEMENTS are MATERIAL?
- Consider the effect of uncorrected mistakes
- Consider whether the misstatements are significant enough to suggest a failure to meet specific criteria
What is an UNQUALIFIED OPINION?
- This opinion provides the reader of the financial statements assurance that the financial statements give a true and fair view, meaning they are free from misstatements or errors
- An “UNQUALIFIED OPINION WITH AN EMPHASIS-OF-MATTER PARAGRAPH” is also a good opinion to have.
What is a QUALIFIED OPINION?
It is an opinion that indicates that the financial statements are true and fair, except for ONE issue
What is an ADVERSE opinion?
It is an opinion that indicates to financial statement users that the auditors conclude that the financial statements don’t give a true and fair view
What is a SCOPE LIMITATION?
A scope limitation arises when the auditor cannot obtain sufficient audit evidence to conclude whether the financial statements as a whole are free from material misstatement
Who are the intended users of a SOC 2 report?
- Service organization management
- Specified parties who have sufficient knowledge and understanding of its system
- SOC 2 IS A RESTRICTED REPORT, meaning that intended users must have a direct relationship with the service organization
What do SOC 2 reports REPORT ON?
- They provide assurance about CONTROLS related to SECURITY, AVAILABILITY, PROCESSING INTEGRITY, CONFIDENTIALITY, AND PRIVACY (AKA SOC 2 Trust Services Criteria)
- SOC 2 reports help user entities understand a service organization’s system and controls
For each vendor that management classifies as a SUBSERVICE ORGANIZATION, management must choose to use:
- INCLUSIVE or CARVE-OUT method
- These methods provide report users with the information necessary to assess the full set of controls included in the service organization’s system
What happens under the CARVE-OUT METHOD?
- Management explains the nature of the subservice organization’s services but not its controls, in the description of the service organization’s system
- Complementary User Entity Controls (CSOC) are reported separately after management’s system description
What do the boundaries of a service organization’s system include?
Infrastructure
Software
Data
Procedures
Employees
If a utility company provides no other services:
Management would classify it as a VENDOR
To classify a 3rd party provider as a SUBSERVICE ORGANIZATION, all of the following apply except:
- 3rd party’s services affect the delivery of the service organization’s services to user entities
- 3rd party’s services are important to user entities of the service organization’s system
- 3rd party’s controls must be combined with the service organization’s controls to provide reasonable assurance of achieving the service organization’s objectives
What is an example of when a service organization would classify the 3rd party as a vendor, and NOT a subservice organization?
- When the service organization’s controls include monitoring the 3rd party’s technology
- If the service organization’s controls are sufficient by themselves, management doesn’t need to explain the vendor’s services in the description of the system
What is DC?
Description Criteria for a Description of a Service Organization’s System in a SOC 2 report
DC Section 100
- SOC for Cybersecurity examinations
- The type of information that needs to be disclosed in this examination includes the principal types of sensitive information created, collected, transmitted, used, or stored
DC Section 200
SOC for organization’s system description
DC Section 300
SOC for Supply Chain examinations
When do description misstatements occur?
- They occur when management improperly includes or omits information
- Statements that are not measurable increase the risk of material misstatement
What does management’s description of the service organization’s system also include WHEN the INCLUSIVE method is used for 1+ subservice organizations?
It includes the subservice organization’s control objectives and controls
In all SOC examinations other than SOC 1, what serves as suitable criteria for measuring/evaluating controls?
Trust Services Criteria (AICPA)
The AICPA Trust Services Criteria ___ with the COSO Framework and EXTEND the guidance to measure or evaluate controls related to security, availability, processing integrity, confidentiality, or privacy
ALIGN
Supplemental trust services criteria ____ upon COSO Internal Control, part of the control activities component
EXPAND
Supplemental trust services criteria relate to what?
Logical and physical access controls
System operations
Change management
Risk mitigation
All SOC 2 examinations must include what category?
Security
What does the Trust Services Criteria address?
They address the relevant aspects of a CYBERSECURITY PROGRAM
What are Complementary User Entity Controls?
They are controls which a service organization’s management has assumed would be implemented by user entities to provide assurance that the service organization’s objectives would be achieved
Regarding subsequent discovery of facts, the service auditor may seek the service organization’s _____ in performing additional procedures and revising the report. HOWEVER, the service organization MAY REFUSE TO notify intended users NOT to rely on the report.
COOPERATION
What is one precondition to a SOC examination?
Management must take responsibility for identifying risks (AKA service organization must perform its own risk assessment BEFORE a SOC examination)
When a service organization’s management chooses the CARVE-OUT METHOD for a subservice organization during a SOC engagement, what must management’s description explicitly state?
It must state that the description does not extend to complementary subservice organization controls (CSOCs)
During a SOC 1 examination, if a service auditor identifies a misstatement, what should they do?
- They should tell the service organization management to modify the description
- This action allows the service auditor to maintain independence and allows management to explain the discrepancy
Service auditors performing SOC engagements should be ___ of the service organization and any SUBSERVICE organizations using the INCLUSIVE METHOD
INDEPENDENT
Do service auditors need to be INDEPENDENT of USER ENTITIES?
NO
Who are intended users of SOC 2 reports?
User entities and business partners
To classify a vendor as a SUBSERVICE ORGANIZATION, ALL of the following must apply
- The 3rd party’s services affect the delivery of the service organization’s services to user entities
- The 3rd party’s services are important to user entities’ understanding of the service organization’s system
- The 3rd party’s controls must be combined with the service organization’s controls to provide reasonable assurance of achieving the service organization’s control objectives
A service auditor needs a ___ from the management of the service organization during the reporting phase of a SOC engagement
REPRESENTATION LETTER
The representation letter should be the same date as the service auditor’s report
In a SOC 2 examination, what must the responsible party provide in the management representation letter?
The letter must state that the responsible party (the service organization’s management) has provided the service auditor with access to all relevant information.
If the subservice organization is not CONTRACTUALLY required to participate in the SOC engagement, what happens?
The service organization’s management must use the carve-out method for the subservice organization
Many of the trust services criteria include what phrase?
“To meet the entity’s objectives”
Where does the term “objective” come from?
COSO Internal Control–Integrated Framework, because the Trust Services Criteria was developed from this
Service auditors performing SOC engagements must be ___ of service organizations and ALL SUBSERVICE organizations under the INCLUSIVE METHOD
INDEPENDENT
The boundaries of a service organization’s system include what?
Infrastructure
Software
Data
Procedures
Employees necessary to provide services to user entities
What is INFRASTRUCTURE?
It comprises the physical and virtual IT hardware
Facilities
Servers
Storage
Networks
What is the only assertion management would make in a SOC 3 engagement?
That the controls included in the description of the system OPERATED EFFECTIVELY throughout a period based on the trust services criteria
What are 2 threats to independence?
1) Management participation
2) Self-review
What criteria must a fairly stated description in a SOC 2 examination meet?
DC 200 Description Criteria
What is materiality in the eyes of a service auditor?
- Misstatements
- Qualitative and quantitative factors
- Circumstances, nature, size, and extent of misstatements
What are service commitments?
They are promises the service organization made to customers regarding the performance of its systems
For each vendor classified as a subservice organization, the service organization must choose whether to use:
Inclusive method OR
Carve-out method
In order for a subservice organization to be treated under the INCLUSIVE METHOD, what must happen?
- The subservice organization must agree to be a responsible party (it must make written assertions, cooperate with the service auditor’s examination, and provide a management representation letter)
- If the subservice organization refuses to cooperate, the CARVE-OUT method is used instead
Trust Services Criteria is used for SOC 2 and SOC 3 for
Measuring or evaluating controls
Out of the 5 Trust Services Criteria categories, which one must be included by the SOC 2 examination?
SECURITY
Which 2 SERIES of the Trust Services Criteria apply to all 5 Trust Services CATEGORIES of Security, Availability, Processing Integrity, Confidentiality, and Privacy?
COMMON
SUPPLEMENTAL
With whom can the SOC 1 report be shared?
User entities
User auditors
Who would be an appropriate intended user of SOC 2 report?
Business partners
Who is a NONISSUER?
IT IS A COMPANY that is not subject to regulation by the SEC, but it must still follow AICPA standards
Who would be interested in a SOC 2 report?
Government regulators
What are service auditors not required to do regarding subsequently discovered facts?
They are not required to perform procedures regarding subsequently discovered facts
What are the 4 phases of a SOC engagement?
1) Acceptance
2) Planning
3) Performing
4) Reporting
What does AT-C 320 list?
Control criteria to evaluate the subject matter of SOC 1 examinations
What does AT-C 205 list?
It lists performance and reporting requirements