Chapter 1 - SOC PLANNING AND PERFORMING Flashcards
(39 cards)
What is SOC for Cybersecurity?
An examination engagement that reports on an entity's description of its cybersecurity risk management program and on the effectiveness of the controls within that program.
What are the five trust services categories?
Security, Availability, Processing Integrity, Confidentiality, Privacy
Why is disclosure of a subsequent event important?
It is required so that users of the report are not misled.
Where is the disclosure presented in the SOC report?
In the description of the service organization's system or in management's assertion.
Who determines whether disclosure is needed when there is a subsequent event, and what should the auditor do?
Management decides. The auditor should request that management evaluate the event (for example, a breach) and determine whether disclosure is needed.
Who are the intended users of a SOC 1 report?
User auditors, user entities, and management of the service organization.
What does a NIST Cybersecurity Framework Profile do?
It aligns the Framework's categories and subcategories with the organization's business requirements, risk tolerance, and resources. Comparing the Current Profile with the Target Profile identifies control gaps and the outcomes the organization has prioritized for remediation.
Under which method must the subservice organization also provide a management representation letter, and what does the description then contain?
The inclusive method (not carve-out). The description includes the subservice organization's services and its related controls.
What should the auditor do if management refuses to provide a written representation letter?
Treat the refusal as a scope limitation and modify the opinion (withdraw from the engagement or disclaim an opinion).
What is a third party called when the service organization retains responsibility for the relevant controls and only monitors the third party's performance?
A vendor (not a subservice organization).
What should the auditor do if a subsequent event becomes known?
Perform additional procedures to determine the event's effect on the description, management's assertion, and the auditor's report.
What is used to measure or evaluate management's description of the system?
AICPA DC section 200, Description Criteria for a Description of a Service Organization's System in a SOC 2 Report.
What criteria are used to evaluate whether controls were suitably designed, implemented, and operating effectively to provide reasonable assurance?
AICPA TSP section 100, Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
How does the auditor determine materiality?
- by considering misstatements (and omissions) in the description or in the operation of controls
- using both qualitative and quantitative factors
- based on the circumstances, nature, size, and extent of the misstatements
What forms the basis for the auditor's opinion on the system description, control design, and control operating effectiveness?
Management's written assertion (that the description is fairly presented and the controls are suitably designed and operating effectively), which the auditor tests with the evidence obtained during the examination.
When is a disclaimer of opinion appropriate, and what opinion is issued if the matter is not pervasive?
A scope limitation that is both material and pervasive leads to a disclaimer of opinion; if it is material but not pervasive, a qualified opinion is issued.
In which phase does the auditor obtain the signed management representation letter?
The reporting phase.
What does management's description cover under the inclusive method?
The subservice organization's services, its control objectives (SOC 1) or relevant criteria (SOC 2), and the related controls.
What should be done about events that occur after the examination period but before the auditor's report date in a SOC 2 engagement?
Include a disclosure in the description or in management's assertion so that users are not misled.
Who are the intended users of a SOC 1 report, and what is its purpose?
User entities, management of the service organization, and user auditors.
Purpose: to report on controls at a service organization that are relevant to user entities' internal control over financial reporting (ICFR).
Who are the intended users of a SOC 2 report, and what is its purpose?
Management of the service organization and other parties that have a direct relationship with the organization and sufficient knowledge and understanding of the system.
Purpose: to report on controls relevant to security, availability, processing integrity, confidentiality, or privacy.
Of whom must the auditor be independent in a SOC engagement?
The service organization and, if the inclusive method is used, the subservice organization.
Independence from the user entities is not required.
What is included in management's description if the carve-out method is used?
The description must explicitly state that it excludes the subservice organization's controls; it identifies the services the subservice organization performs and the types of complementary subservice organization controls (CSOCs) assumed in the design of the service organization's controls.