S4 Flashcards

(90 cards)

1
Q

what creates the need for a SOC engagement?

A

outsourcing

2
Q

a service organization provides the user entity with what 4 benefits?

A

personnel
expertise
equipment
technology

3
Q

what are 6 examples of the types of services provided by service organizations?

A

payroll services
cloud service providers
credit card processors
enterprise IT outsourcing services
FinTech services
customer support

4
Q

SOC engagements assess what?

A

the effectiveness of a service organization’s controls

5
Q

what are the 3 main types of SOC engagements? what do they focus on?

A

SOC 1 (internal control over financial reporting (ICFR))
SOC 2 (trust services criteria)
SOC 3 (trust services criteria for general use)

6
Q

SOC 1 reports are limited to what 3 groups?

A

management of the service org.
user entities of the service organization’s system
independent auditors of such user entities

7
Q

SOC 2 reports are limited to what 2 groups?

A

management
other specified parties (knowledge of the system, the org, and their services)

8
Q

what 2 things does a SOC 3 report not have that are in a SOC 2?

A

description of the system
description of the service auditor’s test of controls and results thereof

9
Q

what are 2 other SOC engagements?

A

SOC for cybersecurity engagement
SOC for supply chain engagement

10
Q

SOC reports differ depending on what 2 things?

A

type of SOC engagement
whether the report issued is a Type 1 or 2 report

11
Q

what 2 points are included in a Type 1 and 2 report?

A

fairness of presentation of mgmt’s description of service org’s system
suitability of the design of the controls to achieve the related control objectives

12
Q

what are the 2 differences between a type 1 and 2 report?

A

type 1 is AS OF a specified date, while type 2 is THROUGHOUT a specified period
type 2 looks at the operating effectiveness of controls on top of the design of them

13
Q

a SOC 3 report is always issued as what type of report (type 1 or 2)?

A

type 2

14
Q

what 3 things are typically in a type 1 and type 2 report?

type 2 has 2 additions

A

management description of the system
assertion by management of the service organization on whether the system is fairly represented, suitably designed, and operating effectively (type 2 only)
report that expresses an opinion on the matters above and description and results of tests of controls (type 2 only)

15
Q

what are the 5 trust services criteria?

CAPPS

A

Security
Availability
Processing integrity
Confidentiality
Privacy

16
Q

what does processing integrity refer to?

A

system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives

17
Q

a SOC 3 engagement does not have what that a SOC 2 type 2 report has?

A

description of tests of controls performed by auditor and the results

18
Q

what are the 5 COSO components?

CRIME

A

Control environment
Risk assessment
Existing control activities
Information and communication
Monitoring

19
Q

trust services criteria expands on COSO principle 12 with what 4 criteria?

A

logical and physical access control
system operations
change management
risk mitigation

20
Q

what is the only trust service criteria that does not need additional category-specific criteria?

A

security

21
Q

what are the 4 additional criteria for trust services?

A

A series
PI series
C series
P series

22
Q

what does the A series focus on? what 3 things does it do to ensure this?

A

an entity’s ability to ensure all systems are continuously available

1) maintaining and monitoring processing capacity
2) identifying and responding to threats
3) ensuring a recovery plan is in place and tested

23
Q

the PI series focuses on what?

A

considerations related to creating, using, and communicating quality information so objectives will be met

24
Q

what does the C series focus on?

A

ensuring confidential information is handled appropriately

25
Q

what does the P series focus on?

A

proper collection, use, storage, access, and accuracy of data/records

26
Q

when forming an opinion in a SOC engagement, the auditor should evaluate what 2 things?

A

1) subject matter is in accordance with the criteria
2) assertion is fairly stated in all material respects

27
Q

the opinion of the service auditor focuses on what 3 things?

A

1) fair presentation of mgmt's description of the service org's system
2) are the controls designed effectively
3) do controls operate as intended (type 2 only)

28
Q

what are the 4 potential audit opinions?

A

unmodified (unqualified)
qualified
adverse
disclaimer of an opinion

29
Q

what are 2 circumstances in which the auditor would have to modify their opinion?

A

1) could not get the evidence needed to make an opinion
2) get the evidence but it is not adequate

30
Q

what 2 things affect what type of modified opinion will be given?

A

nature of the matter giving rise to the modification
auditor's professional judgment

31
Q

if material and not pervasive what opinion would be given? material and pervasive? anything else?

A

not pervasive: qualified
pervasive: adverse
anything else: disclaimer

32
Q

what are the 4 key components of the SOC report?

A

management's description of the system
management's assertion
independent auditor's report
auditor's test of controls and results of the tests

33
Q

what are 8 (9) common sections of a system description in a SOC 1 report?

A

types of services provided
procedures performed
system functionality
subservice organizations
controls
prepare reports
deficiencies in information
complementary user entity controls (CUECs)
relevant changes during the period (type 2 only)

34
Q

what are complementary user entity controls (CUECs)?

A

controls that must be implemented by the user entity in combination with the service org's controls to meet control objectives

35
Q

what are 8 (9) common sections of a system description in a SOC 2 report?

A

types of services provided
principal service commitments and system requirements
components of the system used to provide the services
identified system incidents
applicable trust services criteria
complementary user entity controls (CUECs)
subservice organizations
irrelevant trust services specific criteria
relevant changes during the period (type 2 only)

36
Q

what is a subservice organization?

A

an entity used by the service organization to provide services to users, to provide reasonable assurance that the service commitments and system requirements would be achieved

37
Q

what are the 2 approaches to deal with mentioning subservice organizations in a report?

A

inclusive method
carve out method

38
Q

what is the inclusive method?

A

describe the service of the subservice org. with a clear differentiation between the controls at the service org. and the subservice org.

39
Q

what is the carve out method?

A

mgmt does not include a description of the controls that operate only at the subservice org. but rather the applicable trust services criteria met by the subservice org. through complementary subservice organization controls (CSOCs)

40
Q

what are the 9 categories in a description of a cybersecurity risk management program?

A

nature of business and operations
nature of information at risk
cybersecurity objectives
factors that have significant risk on cybersecurity risks
cybersecurity risk governance structure
cybersecurity risk assessment process
cybersecurity communications and the quality of info
monitoring the cybersecurity objectives
cybersecurity control processes

41
Q

if management refuses to provide a written assertion, what is the service auditor required to do by law?

A

withdraw from the engagement unless specifically not allowed to by law

42
Q

what are the 7 main elements in a service auditor's SOC 1 & 2 report? differentiate the element that is different between a type 1/2 report

A

scope
service organization's responsibilities
service auditor's responsibilities
inherent limitations
description of tests of controls (type 2) OR other matter (type 1)
opinion
restricted use

43
Q

if deviations are identified in describing the tests of controls and results in a SOC engagement, what 3 things must be included? what is the 4th optional thing?

A

number of items tested
number of deviations
nature of deviations
causative factors (optional)

44
Q

for SOC 1 engagements, what 2 things would make a vendor be considered as a subservice organization?

A

- services provided by the vendor are relevant to the user entities' internal control over financial reporting
- controls implemented at the subservice org. are necessary to achieve control objectives stated in mgmt's description of the service org.

45
Q

for SOC 2 & 3 engagements, what 2 things would make a vendor be considered as a subservice organization?

A

- services provided by the vendor are relevant to users' understanding of the service org's system as it relates to trust services criteria
- controls at the subservice org. are necessary to provide reasonable assurance the service commitments and system requirements are achieved

46
Q

can a subservice org. be a third party or related party?

A

yes

47
Q

what 3 things are identified by the service org. when using the carve out method?

A

1) nature of the services performed by the subservice org.
2) types of controls expected to be performed at the subservice org.
3) controls at the service org. used to monitor effectiveness of the subservice's controls

48
Q

what 2 things are identified by the service org. when using the inclusive method?

A

1) nature of the services provided by the subservice org.
2) components and controls of the subservice org's system used to provide services to the service org.

49
Q

when there is more than one subservice org, do they have to use the same method for all of them?

A

no

50
Q

if the carve out method was used, the service auditor's report should include a statement indicating what 3 things?

A

1) mgmt's description of the service org. excludes the control objectives of subservice orgs
2) certain control objectives can be achieved only if subservice controls are there too
3) service auditor's procedures do not extend to subservice controls

51
Q

if the inclusive method was used, the service auditor's report should include a statement indicating what 2 things?

A

1) mgmt's description of the service org. included control objectives of the subservice org.
2) service auditor's procedures DO extend to the subservice organization

52
Q

what are 5 common examples of CUECs?

A

security monitoring
managed service provider (MSP) environment changes
encrypted financial data
physical access controls
authorization policies

53
Q

what are complementary subservice organization controls (CSOCs)?

A

controls that a subservice org must execute in order for a service org's controls to function effectively

54
Q

if a CUEC and/or CSOC is included in the report, where should a statement to their effect be included?

A

in the auditor's opinion

55
Q

what aspects are changed in a SOC 1 report if a qualified or adverse opinion is issued? SOC 2?

A

SOC 1: opinion part
SOC 2: auditor's responsibilities and opinion part

56
Q

what are 2 requirements that would result in a disclaimer of opinion?

A

1) unable to obtain sufficient evidence to base the opinion on
2) concludes the possible effects of undetected misstatements could be both material and pervasive

57
Q

when disclaiming an opinion, what should the first sentence of the report be revised to?

A

"we were engaged to examine"

58
Q

what 3 things are omitted when a disclaimer of opinion is issued?

A

1) explanation of what is required by the standards of the practitioner/auditor
2) statement that sufficient and appropriate evidence was obtained
3) describing the nature of the examination engagement

59
Q

when a modified opinion is given, what needs to be added to the report?

A

a separate paragraph on why the modified opinion is being issued

60
Q

for SOC engagements, management is responsible for what 8 things?

A

defining the scope of the engagement
the report type (1 or 2)
determine the as of date (type 1) or specified period (type 2)
identifying subservice orgs
description of the system
reasonable basis for written assertion
stating the control objectives and risks
provide service auditor with all relevant info and disclosures

61
Q

in SOC 3 engagements, does management prepare a system description?

A

no

62
Q

during planning for SOC engagements, the service auditor is responsible for what 5 things?

A

determining whether to accept or continue the engagement
agreeing on engagement terms
reaching an understanding with mgmt regarding a written assertion
assess risk of material misstatement
understand the system

63
Q

for SOC 2 and 3 engagements, what 2 additional things is the auditor responsible for in planning?

A

establish overall strategy for the engagement
perform risk assessment procedures

64
Q

when the service auditor is not independent but is required by law to accept the engagement, what 2 things should they do?

A

disclaim an opinion
state they are NOT independent

65
Q

does an auditor have to explain why they are not independent?

A

no, but if they do then they have to explain all of the reasons why

66
Q

what is a description misstatement?

A

term used when describing errors or omissions in the description of the service org's system

67
Q

what is a deviation or exception?

A

identified misstatements resulting from the failure of a control to operate in a specific instance

68
Q

what is a deficiency in design?

A

a control necessary to meet control objectives is missing or improperly designed, causing control objectives to not be achieved

69
Q

what is a deficiency in operating effectiveness?

A

when a properly designed control fails to operate as designed or the person performing the control does not possess the competency necessary to perform the control effectively

70
Q

what is a system?

A

the infrastructure, software, procedures, and data that are designed, implemented, and operated by people to achieve the business objectives

71
Q

what are the 5 components of a system?

A

infrastructure
software
people
data
procedures

72
Q

objectives and sub-objectives of the organization primarily apply to what 3 things?

A

service commitments
compliance with laws and regulations
achievement of any other objectives

73
Q

in SOC engagements, risk assessment primarily focuses on inherent risks that affect what 2 things?

A

the preparation of the description of the system
the effectiveness of the service org's controls

74
Q

what are 10 examples of inherent risks?

A

changes in the operating environment
new personnel
new or revamped information systems
rapid growth
new technology
new business models, products, or activities
corporate restructurings
expanded foreign operations
new accounting standards
changes in economic conditions

75
Q

what are 5 ways an auditor can obtain an understanding of the org's system?

A

inquire
observe operations and inspect documents/reports
inspect a selection of agreements between the service org and its user entities
reperform the application of a control
read relevant reports from regulators or internal auditors

76
Q

what are the 6 things to do once initial risk assessment procedures are complete?

A

respond to the assessed risks
evaluate whether mgmt's description of the service org's system is fairly presented
obtain and evaluate evidence regarding design of controls
obtain and evaluate evidence regarding operating effectiveness of controls (type 2)
evaluate the results of the procedures
form the opinion

77
Q

a description is not fairly presented if which 2 possible things are present?

A

1) description states or implies that controls are being performed that are not being performed
2) description inadvertently or intentionally omits relevant controls that are not suitably designed or operating effectively

78
Q

a walkthrough allows for what?

A

a verification process for the controls

79
Q

what are 5 supplemental procedures for obtaining evidence about the suitability of the design of controls?

A

inquiry of service org. personnel
inspection of documents
additional walkthroughs
reading applicable supporting system documentation
determine if threats, vulnerabilities, risks, etc. have been adequately addressed

80
Q

what 4 things should the auditor consider when evaluating the suitability of the design of controls?

A

frequency of the control
competence and authority of the individual performing the control
precision and sensitivity of tasks within the control
any evidence that may contradict the assertion that the control is functioning as designed

81
Q

the service auditor is responsible for determining what 3 things about procedures to obtain sufficient evidence? what do they entail? NET

A

nature (how controls are tested)
extent (# of procedures/observations and size of sample)
timing (when controls are tested and frequency of testing)

82
Q

when designing and performing tests of controls, the auditor will do what 4 things?

A

inquire
determine if the control depends on other controls
method for selecting items to test
evaluate completeness and accuracy of evidence

83
Q

extent of testing is based on the auditor's judgment in considering what 7 things?

A

tolerable rate of deviation
expected rate of deviation
frequency with which the control operates
relevance and reliability of evidence
length of testing period
significance of the control
if the control relies on other controls or not

84
Q

what are 3 factors that affect the timing of tests of controls?

A

period of time information will be available
whether the control leaves a trail or not
significance of the control

85
Q

what are 3 time periods in which the auditor can perform tests of controls?

A

interim dates
end of engagement period
after engagement period

86
Q

should the lack/absence of information be considered as evidence?

A

yes, and the auditor should perform additional procedures

87
Q

what are the 3 options to disclose a subsequent event?

A

request mgmt disclose it
if mgmt refuses then:
- modify the auditor's report to disclose it
- withdraw from the engagement

88
Q

is the service auditor responsible for responding appropriately to facts that become known after the date of the report?

A

yes

89
Q

what 6 main things should be in a management written representation?

A

management's assertion about the subject matter based on the criteria
all relevant matters are reflected in the assertion
all known matters contradicting the assertion have been disclosed
acknowledge responsibility
all subsequent events have been disclosed
statement that mgmt believes uncorrected misstatements are immaterial

90
Q

if a written representation is not provided or the auditor has doubt about management, what 3 things should they do?

A

discuss the matter with the appropriate party
reevaluate the integrity of management
take appropriate action