Under the inclusive method under a SOC 2 Type 2 report, what other info would be included?
The Subservice organization assertion
Under the carve-out method, what would the report say?
The report would say that the objectives and controls were not evaluated
AT-C 320 outlines the reporting standards that are for what type of examination?
SOC 1 examination
What should an independent service auditor’s report include?
- The report should include a statement that the service auditor didn’t evaluate the suitability or operating effectiveness of the complementary user entity controls.
- This statement makes users of the report aware that although complemenetary controls are listed in management’s description of the service organiaztion’s system, the service auditor did not perform any procedures to determine if there are misstatements
What are complementary user entity controls?
- They are controls provided by a 3rd party service provider to help achieve the vendor’s control activities.
- CUECs can be thought of as a laundry list of controls/activities that customers of a service provider must have in place to receive services.
- Example of CUEC: A cloud-based file-sharing program, like Dropbox, may require user entities to remove a former employee’s corporate account from the file-sharing program.
A SOC 2 Type 2 report lists
- The service auditor’s tests of control and results.
- The auditor includes a table showing controls tested, nature of tests performed, and whether they were performed on a sample or the total population.
- Service auditors should describe the NUMBER and NATURE of all exceptions, including the number of items tested, AS MATERIALITY DOES NOT APPLY TO DISCLOSING TESTING EXCEPTIONS
If any exceptions in a test are identified, what happens?
- The report should include the number of exceptions found, sample or population testing size, and an explanation of the nature of each exception.
- Example: An exception was found in 5 of the 25 systems sampled
AT-C 205 states that a CPA’s role in an assertion-based exam is to:
- Obtain reasonable assurance about the subject matter being free from material misstatement.
- Express an opinion in a written report about:
1) The subject matter being in accordance with the criteria in all material respects
2) The responsible party’s assertion is fairly stated in all material respects
What is an unmodified (unqualified) opinion?
- It is an opinion that is ok only when the service auditor didn’t find any material misstatements in management’s description of the service organization’s system, the suitability of controls, and operating effectiveness of controls (type 2 report ONLY for operating effectiveness)
What is a modified opinion?
- It is AKA Qualified, Adverse, Disclaimer.
- It is an opinion that is appropriate when the effect of the following is material:
1) The service auditor cannot obtain sufficient appropriate evidence to conclude that the subject matter is in accordance with criteria
2) Based on evidence obtained, the service auditor believes the subject matter is NOT in accordance with the criteria
What is pervasiveness?
It is the extent to which the findings affect the subject matter
What is a disclaimer of opinion?
- It happens when no opinion is expressed.
- It is appropriate when the service auditor is unable to obtain sufficient appropriate evidence and the potential effects could be both material and pervasive.
What is a qualified opinion (modified)?
It is appropriate when scope limitations (problems with obtaining evidence) can cause undetected material misstatements BUT they are not pervasive
What kind of assurance do SOC examinations provide?
Reasonable assurance
NOT absolute assurance
What is reasonable assurance?
It is a higher level of assurance.
However, service auditors cannot guarantee that procedures will uncover every material misstatement.
What should a service auditor’s report include?
It should include a paragraph that discusses the inherent limitations in the effectiveness of any system of internal controls
What kind of attestation engagements are SOC exams?
Assertion-based attestation engagements
In a SOC 2 Type 2 report, a statement that says that management believes that complementary user entity controls OPERATED EFFECTIVELY THROUGHOUT THE PERIOD would appear in which section of the report?
Management’s Assertion
In a SOC 2 examination, management’s description of the service organiation’s system should provide:
A list/table of relevant complementary user entity controls (CUEC)
What is an example of a service organization?
Employee benefit plans, payroll processors, insurance claims processors
What are controls that are performed by carved out subservice organizations called?
Complementary subservice organiation controls
When a service organization’s management chooses the carve-out method for a subservice organization during a SOC 1, 2, or 3 engagement
The service auditor’s report must state that the procedures did not extend to the Complementary Subservice Organization Controls (CSOC)
The date of the service auditor’s report should be
The date on which the auditor has completed documentation and review of the evidence and obtained the finalized management’s description and assertion, AND the signed representation letter
Type 1 report
- Exam scope: As of a specified day
- Service auditor evaluates: Description of system and suitability of the design of the controls
- Service auditor must state: that the engagement team did not perform tests of controls and does not express an opinion on the operating effectiveness of controls
