SOC Reporting Flashcards
How does a Type 2 report provide the user with the ability to make their own risk assessment?
The Type 2 report is required to contain a detailed list of Test of Controls performed my the service auditor to obtain evidence about the operating effectiveness of controls and the results of these tests. Auditor must disclose the number and nature of all exceptions that were found and materiality does not apply.
How should the service auditor report on exceptions in a SOC 2 Type 2 examination. For example, if system changes were not all tested before implementation.
The auditor’s report should include te number of exceptions found, the sample or populations size, as well as the nature of each exception. E.g., 5 out of 25 changes tested were exceptions, or not testing prior to implementation
What are the 3 types of modified opinions?
Qualified, Adverse, Disclaimer
When is a modified opinion issued for a SOC 2 Type 2 examination?
When the service auditor cannot obtain sufficient appropriate evidence and the subject matter is not in accordance with the criteria
When is an Adverse opinion appropriate?
When the omissions, deficiencies in the design of controls, and the deviations in the operating effectiveness of controls are both material and pervasive.
What word must the service auditors report include in the title?
“Independent, Independent Service Auditor’s Report
According to AT-C 205 & AT-C 320
Statements on Standards for Attestation Engagements”
What must must the Independent Auditor’s Report included when they did not perform any procedures on complementary user entity controls?
A statement that the service auditor is not evaluate the operating effectiveness of the complementary user entity controls.
When is an unmodified opinion appropriate?
Only when the service auditor did not find any material or pervasive misstatements in managements descriptions of the service organizations systems, the suitability of controls, and in a type 2 report, the operating effectiveness of controls.
Where would a statement that management believes that complementary user entity controls (CUECs) operated effectively throughout the period?
In Management’s Assertion report section
What should be included in the service auditors report to clarify that the SOC examination provides reasonable assurance, not absolute, that the procedures performed would uncover every material misstatement?
“Thus, a service auditor’s report should include a paragraph that specifically discusses the inherent limitations in the effectiveness of any system of internal controls. This paragraph may outline inherent limitations using the following language:
Management’s description of the service organization’s system should meet the common needs of a broad range of users and may not contain all the information needed by an individual user entity
Controls may not be effective in the future if conditions change
Internal controls can be overridden accidentally by human error or intentionally circumvented
“
What must be included in the auditor’s report when the inclusive method is used by the service organization?
v
A statement that explicitly states that the procedures performed by the auditor also include the controls of the subservice organization’s system description and controls
v
What are the modified opinion types?
Look at chart in excel (session 6)
When is a qualified opinion appropriate in a SOC examination?
If the identified issues do not affect more than one control criterion meaning, they are material, but not pervasive.
What is the difference between Type 1 vs Type 2 SOC Reports?
“Type 1 - As a specified day, auditor evaluates the description of system and suitability of the design of controls
Type 2 - Throughout a period, auditor evaluates the description of the system, suitability of the design of controls, and the operating effectiveness of controls.”
What are the controls performed by a carved out subservice organization called?
CSOC’s - Complementary Subservice Organization Controls
