What are the four elements of a SOC engagement?
- Mgmt’s Description of System
- Mgmt’s Assertion
- SOC Report (includes a reference to mgmt’s assertion)
- Test of Controls Detail
What are the key elements of a SOC report?
- Title / Addressee / Signatures / Date
- Scope
- Service Organization Responsibilities
- Subservice Organization Responsibilities (if inclusive method)
- Service Auditor’s Responsibilities
- Inherit Limitations
- Description of Tests of Controls (Type 2 only)
- Other Matter (Type 1 only - explaining no test of controls)
- Opinion
- Restricted Use (All except SOC 3)
In which 4 areas of a SOC engagement would mention of Complementary User Entity Controls (CUEC) be found?
- Management’s Description of the System: CUECs are identified and described as controls user entities must implement.
- Management’s Assertion: Management asserts the description (including CUECs) is fairly presented.
- Service Auditor’s Report (Opinion and Scope): Opinion assumes CUECs operate effectively; scope states auditor did not test them.
- Auditor’s Tests of Controls and Results: No testing or results related to CUECs are included (outside auditor’s scope).
In which 4 areas of a SOC engagement would mention of Complementary Subservice Organization Controls (CSOCs) be found?
- Management’s Description of the System: CSOCs are described as controls at subservice organizations necessary for achieving control objectives.
- Management’s Assertion: Management asserts whether CSOCs are included or carved out and fairly presented in the description.
- Service Auditor’s Report (Scope and Opinion): Scope identifies SSOs and method used; opinion references CSOCs and clarifies auditor’s procedures related to them.
- Auditor’s Tests of Controls and Results: For inclusive method, auditor tests CSOCs; for carve-out, CSOCs are excluded and not tested or reported on.
Are SOC 1 and SOC 2 reports provided to potential users of the entity’s services?
SOC 1 and SOC 2 reports are restricted to specified users—current customers, their auditors, or parties with detailed knowledge. They are not for potential users.
Only SOC 3 reports are general-use and can be shared with potential or broad audiences.
What is an Explanation of Matter paragraph and when is it used?
A separate paragraph added to an auditor’s report to clearly describe specific issues or circumstances that affect the report and result in a modified opinion.
Qualified and Adverse opinion:
Added as a distinct paragraph before the opinion paragraph in the opinion section to explain the reasons for the qualification.
Disclaimer of opinion:
The explanation is included in the Service Auditor’s Responsibilities section, because the auditor is not expressing an opinion.
What is the difference between a SOC 2 Type 2 and Type 3 (aka SOC 3) audit?
SOC 3 is like a SOC 2 Type 2 except:
- No detailed system description
- No tests of controls or results included
- General use (unrestricted)
- NO detailed system description
- NO description of tests of controls
- NO Results of tests of controls
Do CUECs and services provided by a subservice organization has to be provided in Type 1 engagements?
YES
Both Complementary User Entity Controls (CUECs) and services provided by subservice organizations must be included in the system description for ALL SOC reports (including Type 1 SOC engagements).
In a SOC engagement, what the auditor is using the help of the service organization’s internal auditors, should the auditor report make mention of the internal auditor? If so, what should be disclosed?
YES.
In the Description of Tests of Controls section, both the internal audit’s testing and the service auditor’s procedures over that work should be noted (confirming no exceptions were noted if applicable).
Is the management of a service organization required to perform a full description of the system in Type 1 SOC engagement?
YES
Management must include a full description of their system—covering both automated and manual procedures—regardless of whether the SOC report is Type 1 or Type 2.
-
Final Review - Weak Areas42
-
COSO ERM12
-
COSO ERM for Cloud Computing19
-
COSO ERM (+Cloud Computing)13
-
NIST PF Rapid Fire20
-
NIST SPF 800-398
-
COBIT Domains40
-
COBIT Design Factors Rapid Fire25
-
COBIT Framework25
-
Threats and Attacks Rapid Fire78
-
Information Systems Rapid Fire37
-
Network Security Definitions62
-
Trust Services Rapid Fire27
-
Network Infrastructure Definitions29
-
Cloud Services Definitions19
-
Data & Analytics18
-
SOC Controls2
-
SOC Reporting10
-
Safeguards8
-
Change Management31
-
Open Systems Interconnection (OSI)30
-
Frameworks9
-
Business Resiliency9
-
General Controls Definitions14
-
Framework Identification45
-
Disaster Recovery Plan11
-
COSO4
-
COSO IF Rapid Fire20
-
PCI DSS7
-
GDPR Drills12
-
CIS Rapid Fire54
-
Center for Internet Security (CIS) Rapid Fire55
-
CIS Simplified8
-
COBIT Very Simple5
-
COBIT Framework/System Principles20
-
COBIT Design Factors23
-
NIST CSF Rapid Fire20
-
NIST Very Simple5
-
Resiliency, Continuity, and Recovery9
-
Business Impact Analysis (BIA)15
-
Incident Response Plan (IRP)16
-
BIA & IRP Metrics22
-
NIST CSF + PF Table35
