SOC Planning and Performance Flashcards
What is the job of SERVICE AUDITORS in SOC 1 examinations?
Service auditors determine whether management’s description of the service organization’s system is FAIRLY STATED IN ALL MATERIAL RESPECTS, based on the criteria in management’s assertion, and whether the controls are suitably designed (and, in a Type 2 report, operating effectively)
What is a FAIRLY STATED management description of the service organization’s system?
It is one that presents the system as it was designed and implemented, includes the relevant controls, and does not omit or distort information likely to be relevant to the intended report users
What does a SOC 1 EXAMINATION do?
It provides assurance about controls at the service organization that are likely to be relevant to user entities’ internal control over financial reporting (ICFR)
What should the service auditor do to determine if MISSTATEMENTS are MATERIAL?
- Consider the effect of uncorrected misstatements, individually and in the aggregate
- Evaluate whether the misstatements are significant enough to suggest a failure to meet the specific criteria (for the description, the design of controls, or their operating effectiveness)
What is an UNQUALIFIED OPINION?
- This opinion gives the reader of the financial statements assurance that the statements give a true and fair view, meaning they are free from MATERIAL misstatement (not that no error exists at all)
- An “UNQUALIFIED OPINION WITH AN EMPHASIS-OF-MATTER PARAGRAPH” is still a clean, unmodified opinion: the paragraph draws attention to a matter without qualifying the opinion
What is a QUALIFIED OPINION?
It is an opinion that the financial statements are true and fair EXCEPT FOR the effects of one or more specific matters (a misstatement or a scope limitation) that are material but not pervasive
What is an ADVERSE opinion?
It is an opinion that tells financial statement users the auditor concluded the financial statements do NOT give a true and fair view, because the misstatements are both material and pervasive
What is a SCOPE LIMITATION?
A scope limitation is not itself an opinion: it arises when the auditor cannot obtain sufficient appropriate audit evidence to conclude whether the financial statements as a whole are free from material misstatement. Depending on how pervasive the limitation is, it results in a QUALIFIED OPINION or a DISCLAIMER OF OPINION
Who are the intended users of a SOC 2 report?
- Service organization management
- Specified parties who have sufficient knowledge and understanding of the service organization’s system (for example, user entities, their auditors, and regulators)
- SOC 2 IS A RESTRICTED-USE REPORT, meaning it is intended only for specified parties who have a relationship with the service organization and that knowledge of its system; it is not a general-use report
What do SOC 2 reports REPORT ON?
- They provide assurance about CONTROLS relevant to SECURITY, AVAILABILITY, PROCESSING INTEGRITY, CONFIDENTIALITY, and PRIVACY (the five trust services categories, evaluated against the AICPA Trust Services Criteria)
- SOC 2 reports help user entities understand a service organization’s system and controls
For each vendor that management classifies as a SUBSERVICE ORGANIZATION, management must choose to use:
- INCLUSIVE or CARVE-OUT method
- These methods provide report users with the information necessary to assess the full set of controls included in the service organization’s system
What happens under the CARVE-OUT METHOD?
- Management describes the nature of the services the subservice organization provides, but excludes the subservice organization’s controls from the description of the service organization’s system
- The description identifies the Complementary Subservice Organization Controls (CSOCs): the controls the subservice organization is assumed to have in place and on which the service organization’s own controls rely. (Not to be confused with Complementary User Entity Controls, CUECs, which are controls the user entities are expected to implement)
What do the boundaries of a service organization’s system include?
Infrastructure
Software
Data
Procedures
People (the personnel who govern, operate, and use the system)
If a utility company provides no other services:
Management would classify it as a VENDOR, not a subservice organization, because its services (such as electric power) do not need to be combined with the service organization’s controls to achieve the service organization’s objectives
To classify a 3rd party provider as a SUBSERVICE ORGANIZATION, all of the following must apply:
- The 3rd party’s services affect the delivery of the service organization’s services to user entities
- The 3rd party’s services are relevant to user entities of the service organization’s system
- The 3rd party’s controls must be combined with the service organization’s controls to provide reasonable assurance of achieving the service organization’s objectives (that is, the service organization’s own controls are not sufficient on their own)
What is an example of when a service organization would classify the 3rd party as a vendor, and NOT a subservice organization?
- When the service organization’s own controls, such as monitoring the 3rd party’s technology and its output, are sufficient to achieve the service organization’s objectives without relying on the 3rd party’s controls
- In that case management does not need to describe the vendor’s services in the description of the system
What is DC?
Description Criteria: the AICPA criteria management uses to prepare, and the service auditor uses to evaluate, a description of a system. The set for a SOC 2 report is titled “Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report” (DC Section 100)
DC Section 100
- Description criteria for a description of a service organization’s system in a SOC 2 examination
DC Section 200
- Description criteria for management’s description of an entity’s cybersecurity risk management program (SOC for Cybersecurity examinations)
- The type of information that must be disclosed in this description includes the principal types of sensitive information created, collected, transmitted, used, or stored by the entity
DC Section 300
- Description criteria for a description of an entity’s production, manufacturing, or distribution system (SOC for Supply Chain examinations)
When do description misstatements occur?
- They occur when management improperly includes information in, or omits information from, the description
- Statements that are not objectively measurable (vague claims such as “best-in-class security”) increase the risk of material misstatement, because they cannot be evaluated against the criteria
What does management’s description of the service organization’s system also include WHEN the INCLUSIVE method is used for 1+ subservice organizations?
It includes the subservice organization’s relevant controls (and, in a SOC 1, its control objectives), and the subservice organization’s management must provide a written assertion covering them
In SOC examinations other than SOC 1 (SOC 2 and SOC 3; SOC 1 uses control objectives instead), what serves as suitable criteria for measuring/evaluating controls?
Trust Services Criteria (AICPA)
The AICPA Trust Services Criteria ___ with the COSO Internal Control framework and EXTEND its guidance with criteria for measuring or evaluating controls related to security, availability, processing integrity, confidentiality, and privacy
ALIGN
The supplemental trust services criteria ____ upon the control activities component of COSO Internal Control, adding criteria specific to the trust services categories
EXPAND