S4, M1-M5 Flashcards

(159 cards)

1
Q

What creates the need for a SOC engagement?

A

outsourcing

2
Q

Who is the user entity?

A

the organization using outsourced services

3
Q

A service organization provides the user entity with the benefits of what four things?

A

Personnel
Expertise
Equipment
Technology

4
Q

SOC reports generally support what activity for a user entity's auditor?

A

risk assessment

5
Q

SOC examinations are conducted according to what standards issued by whom?

A

attestation standards, issued by the AICPA

6
Q

T/F: A SOC engagement is an audit.

A

False, it is an attestation engagement.

7
Q

What are the three main types of SOC engagements?

A

SOC 1, SOC 2, SOC 3

8
Q

A SOC 1 report reports on what?

A

controls at the service organization relevant to the user entity's ICFR (internal control over financial reporting)

8
Q

SOC 1 reports are restricted to what three groups?

A
  • management of service org
  • user entities of service organization’s system
  • independent auditors of user entity
8
Q

SOC 1 reports are not intended for what group?

A

potential users of the service organization

9
Q

A SOC 2 report reports on the ___, ___, or ___ of a system, or the ____/____ of the information processed by the system.

A

security, availability, processing integrity
confidentiality, privacy

10
Q

Who are the intended users of the SOC 2 report?

A

management and the service auditor agree on the intended users of the report (parties with sufficient knowledge and understanding of the system)

11
Q

Who are the intended users of a SOC 3 report?

A

general use report

12
Q

What two items does a SOC 3 report NOT include?

A
  • description of system (detailed)
  • description of test of controls and results of tests
13
Q

What does a SOC for Cybersecurity Engagement report on?

A

the entity's description of its cybersecurity risk management program and the effectiveness of the controls within that program

14
Q

What does a SOC for Supply Chain Engagement report on?

A

controls, measured against the trust services criteria, at an entity that produces, manufactures, or distributes products

15
Q

How many potential SOC reports are there (SOC 1-3 only)?

A

5 (SOC 1 Type 1, SOC 1 Type 2, SOC 2 Type 1, SOC 2 Type 2, and SOC 3, which is Type 2 only)

16
Q

T/F: A SOC 3 report can only be a Type 2 report.

A

True.

17
Q

What is the difference between a Type 1 and Type 2 report (design/op eff, time period)?

A

Type 1: suitability of the design of controls only, as of a point in time
Type 2: suitability of design and operating effectiveness of controls, over a period of time

18
Q

Can trust services criteria be reported on individually in a SOC report, or do they all have to be reported on in combination?

A

They can be individually reported on.

19
Q

Which of the trust services criteria is required to be reported on in a SOC 2 report?

A

security

20
Q

The Security trust services criteria are supposed to protect against what three things?

A

A - Unauthorized Access
D - Unauthorized Disclosure of Information
D - Damage to Systems

21
Q

SOC for cybersecurity reports on which trust services criteria (3)?

A
  • security
  • availability
  • confidentiality
22
Q

The trust services criteria have been aligned with what principles?

A

COSO

23
The trust services criteria include all of the COSO principles and, in addition, expand on principle ___ of the COSO framework.
12 (deploys control activities through policies and procedures)
24
What are the four common criteria (trust services supplemental criteria)?
  • Logical and Physical Access Controls
  • System Operations
  • Change Management
  • Risk Mitigation
(mnemonic: ARCS)
25
What are system operations (trust services supplemental criteria)?
how an entity detects and mitigates processing deviations
26
In addition to the common criteria, which trust services categories have additional category-specific criteria?
All of them, except for Security.
27
What two things should the service auditor evaluate when forming an opinion about the subject matter of the engagement?
  • sufficiency and appropriateness of evidence (Do I have enough evidence to form an opinion?)
  • whether uncorrected misstatements are material (Should I modify my opinion?)
28
The overall _____ of a SOC 1 and SOC 2 engagement are consistent, but the ___ ___ for which an opinion is being formed is different.
objectives, subject matter
29
What are the four types of opinions in a SOC engagement?
  • unmodified
  • qualified
  • adverse
  • disclaimer
30
What is being "achieved" in a SOC 1 report?
control objectives
31
What is being "achieved" in a SOC 2 report?
service commitments and system requirements
32
What are the two types of issues that could give rise to a modified opinion?
  • material misstatement / material departure from the criteria
  • unable to obtain sufficient appropriate evidence (a scope limitation)
33
What are the magic words for a qualified opinion?
except for
34
What is the magic word for an adverse opinion?
because
35
Is a matter giving rise to a qualified opinion material? Is it pervasive?
material, not pervasive
36
Is a matter giving rise to an adverse opinion material? Is it pervasive?
material and pervasive
37
What are the four (potential) parts of a SOC report?
  • Management's description of the system
  • Management's assertion
  • Independent service auditor's report
  • Service auditor's tests of controls and results of tests
38
Who is responsible for documenting the description of the service organization's system?
service organization's management
39
Is there a pre-determined format for management's description of the service organization's system?
No, it is flexible.
40
The description of the system should have sufficient information to do what two things?
  • allow the user auditor to understand how the service organization's processing affects the user entity's financial statements
  • assess the risk of material misstatement (MM) for the user entity
41
What is a subservice organization, in super simple terms?
an organization that provides services to the service organization that is the subject of the SOC engagement
42
What three things (broadly) should be reported (in the description) in regards to subservice organizations?
  • services provided
  • whether the carve-out or inclusive method is used
  • CSOCs (complementary subservice organization controls)
43
In terms of controls, what two things should be reported in the description?
the control objective, and the design of the controls intended to achieve that objective
44
The system description is prepared to meet the (unique/common) needs of a (subset/broad range) of user entities and their auditors.
common, broad range
45
Does the system description always describe each aspect that a user entity may consider important in their control environment?
No, because it serves the common needs of a broad range of users.
46
What are service commitments?
declarations made to user entities about the system used to provide the service
47
What are system requirements?
specifications on how the system should function to meet the commitments made
48
What needs to be reported in management's description in relation to Identified System Incidents?
the nature, extent, and timing (NET) of the incident and its disposition
49
What are complementary user entity controls?
(1) controls that should be implemented by the user entity (2) that are necessary to work with the controls at the service organization, (3) in order to provide reasonable assurance that (4) service commitments and system requirements will be achieved
50
Describe the high-level difference between the inclusive method and carve out method?
Inclusive includes the subservice organization's controls in the report (in detail). Carve-out provides a high level description of CSOCs and states clearly that it is the subservice org's responsibility to implement such controls.
51
Since management's description of the system is not presented in a SOC 3 report, what is reported instead (2)?
  • the system boundaries
  • the principal service commitments and system requirements
52
What should the service auditor do if management refuses to provide their written assertion? What if it is not legally possible to do so?
Withdraw from the engagement. If withdrawal is not legally possible, disclaim an opinion.
53
The title of any SOC report should include what word?
independent
54
Is a service auditor required to be independent of the service entity?
Yes.
55
Under which method of reporting on subservice organizations do you describe the services performed by the subservice organization?
Both!
56
What are the methods of reporting on subservice organizations?
inclusive, carve-out method
57
What are the methods of reporting on complementary user entity controls?
only one (carve-out method)
58
How does management's responsibility for "designing, implementing, and documenting controls that are suitably designed and operating effectively" vary for a Type 1 versus a Type 2 report?
It does not, their responsibility remains the same in either case.
59
What is the date of the service auditor's report?
no earlier than the date that sufficient appropriate audit evidence is obtained
60
List the sections of a SOC 1, Type 1 report.
  • Title
  • Addressee
  • Scope
  • Service Organization's Responsibilities
  • Service Auditor's Responsibilities
  • Inherent Limitations
  • Other Matter
  • Opinion
  • Restricted Use
  • Signature, Address, Date
61
What is the only difference between the sections of a SOC 1 Type 1 and Type 2 report?
Replace the "Other Matter" section with a section titled: Description of Tests of Controls.
62
What is the other key difference between a Type 1 and Type 2 report?
Type 2 contains expanded language for operating effectiveness and "over a period of time".
63
What is the difference between what is being evaluated regarding management's description for a SOC 1 and SOC 2 report?
SOC 1: description is fairly presented SOC 2: description is presented in accordance with description criteria
64
What are the description criteria used to evaluate a system description? Who creates this criteria?
the 2018 Description Criteria for a Description of a Service Organization's System in a SOC 2 Report (the "description criteria"), issued by the AICPA
65
What are the two criteria mentioned in the Scope paragraph of the SOC 2 report?
Description Criteria, Trust Services Criteria
66
In the description of tests of controls section, what all should be described if there are no identified deficiencies?
  • the controls tested
  • whether the items tested represent all or a selection of the items in the population
  • the nature of the tests (in sufficient detail for users to determine the effect on their risk assessment)
67
In the description of tests of controls section, what all should be described if there are identified deficiencies?
  • everything required when there is no deficiency, plus:
  • number of items tested
  • number and nature of the deviations
  • causative factors (optional)
  • internal auditor's work, if relied on
68
Can a subservice organization be a related entity of the service organization?
Yes.
69
Who determines whether an entity is considered a subservice organization?
service organization management
70
Who decides whether to use the inclusive or carve-out method?
service organization management
71
What two criteria qualify a vendor as a subservice organization (SOC 1)?
  • the services provided by the vendor are likely relevant to the user entity's ICFR, AND
  • controls at the subservice organization are necessary to achieve the control objectives stated in management's description
72
What two criteria qualify a vendor as a subservice organization (SOC 2/3)?
  • the services provided by the vendor are relevant to report users' understanding of the system as it relates to the applicable trust services criteria, AND
  • controls at the subservice organization are necessary (in combination with the service organization's controls) to provide reasonable assurance that service commitments and system requirements (SC and SR) are achieved
73
What three things are included in management's description if the carve-out method is used?
  • nature of the services provided
  • types of controls expected to be performed at the subservice organization
  • controls at the service organization to monitor the subservice organization
74
What three things are included in management's description if the inclusive method is used?
  • nature of the services
  • parts of the subservice organization's system used by the service organization to provide services
  • controls at the subservice organization and the service organization that are (together) necessary to provide reasonable assurance
75
T/F: Management has to use the same method on all subservice organizations.
False, they can pick different methods for each organization.
76
Which type of report provides more information, inclusive or carve-out?
inclusive
77
To use the inclusive method, does the service auditor need to be independent from the subservice organization?
Yes.
78
If the subservice organization's services and controls have a pervasive effect on the service organization's system, what method makes more sense: inclusive or carve out?
inclusive
79
What are CUECs?
controls that must be implemented by the user entity to provide reasonable assurance that the control objectives (SOC 1) or service commitments and system requirements (SOC 2) are met
80
Why is management usually able to avoid reporting on CUECs or CSOCs?
They define their SC and SR in a way that they would not rely on the controls of others.
81
In both cases, for a CSOC and a CUEC, the service organization ...
relies on other entities for their own controls to work properly
82
If a service organization relies on other entities for their own controls to work properly, where in the audit report is there a statement to that effect?
opinion section
83
When you use a subservice organization, do they also provide their own assertion?
Yes.
84
Where does the paragraph describing the matter giving rise to the modification usually appear in the report?
In the Opinion section, before the regular opinion format.
85
How is the first sentence of a report revised when you issue a disclaimer?
We *were* engaged to examine...
86
Do you still describe what is involved in an examination when issuing a disclaimer of opinion?
No. Describing what the examination involves would detract from the message that no opinion is being expressed.
87
When you have a recurring or existing engagement, what can be a useful starting point for defining the scope of the engagement?
prior year report
88
If the internal auditors are working with the service auditor, management will acknowledge what two things?
  • the internal auditors will be instructed to follow the service auditor's instructions, and
  • the service organization will not intervene in the work the internal auditors perform for the service auditor
89
During planning of ANY SOC engagement, what is a service auditor responsible for?
  • determine whether to accept or continue the engagement
  • agree on the engagement terms
  • reach an understanding with management regarding the written assertion
90
T/F: A service auditor is required to be independent of each user entity.
False.
91
Does a service auditor need to disclose why they are not independent if there is an independence issue?
No, but if they do disclose they need to provide all reasons why (no partial explanation).
92
When is materiality considered in an audit?
risk assessment
93
Which concept is broader, privacy or confidentiality?
confidentiality
94
Privacy relates only to ____ information, whereas confidentiality relates to _____ types of _____ information.
personal; various, sensitive
95
(Security/privacy) is focused on prevention of breaches and attacks.
security
96
(Security/privacy) includes managing the impact and handling of personal data when a breach or incident occurs.
privacy
97
A (service commitment/system requirement) is a declaration or promise made to customers about the service itself.
service commitment
99
A (service commitment/system requirement) is a statement about the specific way the system operates or is controlled internally to meet promises.
system requirement
100
Should a service auditor in a SOC 2 engagement review external audit reports on ICFR?
Yes.
101
Is describing changes a relevant suitable criterion if there have been no major changes in the year?
No, you would not have to report on this.
102
When assessing fair presentation of the description, materiality relates to (qualitative/quantitative) factors.
qualitative
103
When assessing operating effectiveness, materiality relates to (qualitative/quantitative) factors
quantitative and qualitative
104
Are general IT controls considered material to the service organization's description? What about application controls?
General IT controls are material because they are the foundation. Application controls may or may not be material.
105
Should a service auditor's assessment of materiality be determined by common information needs or by specific information needs?
common information needs
106
How do you determine whether misstatements are material? That is, what question should you ask yourself?
Would this misstatement reasonably be expected to influence the decisions made by a broad range of report users?
107
What is a deviation/exception?
identified misstatements resulting from failure of a control to operate in a specific instance
108
Is a deviation the same as a deficiency?
No, but a deviation could result in a deficiency.
109
What does a risk-based approach to an audit allow the auditor to do?
focus on the riskier areas of the audit, since they are limited on time
110
What is the definition of a system (simple)?
how we do what management needs to do to meet business objectives
111
What five things make up a system?
  • D - Data
  • I - Infrastructure
  • S - Software
  • P - People
  • P - Procedures
112
What should system boundaries cover, at a minimum, for a SOC engagement related to confidentiality and privacy?
system components related to life cycle of confidential and personal information
113
Service commitments describe the ___, while system requirements define the ____.
what, how
114
Who is responsible for achieving service commitments and system requirements?
service organization's management
115
Does management's description disclose every service commitment to every user entity?
No, only those that are relevant to the common needs of a broad range of SOC 2 report users.
116
Can management's description describe controls that have not been implemented yet, but are soon to be implemented?
No, it must only describe controls that have been implemented.
117
What is inherent risk?
risk before consideration of controls
118
Most inherent risks result from something ___ or ____.
new or changed
119
What is the first step in a risk assessment?
obtain an understanding of the system and controls within the system
120
If a service organization has an internal audit function, what else should the auditor seek to understand?
  • the nature of the internal audit function's responsibilities
  • the activities performed by the internal audit function
121
Can risk assessment procedures be performed concurrently with testing procedures?
Yes.
122
The service auditor is required to obtain sufficient appropriate evidence to reduce _____ _____ to an acceptably low level.
attestation risk
123
The NET of procedures should be based on what?
the assessed risk of material misstatement
124
For a higher risk area, would you increase or decrease the NET of procedures?
increase
125
Is a description of a system that omits controls which are not operating effectively or suitably designed a fairly presented description?
No, because it should include these controls.
126
If a description contains statements that cannot be objectively evaluated, is it fairly stated (SOC 2)?
No.
127
What should the service auditor do first if certain controls in the description have not been implemented?
Tell the service organization's management to remove the control from the description.
128
What should the service auditor do if certain controls in the description have not been implemented and management refuses to fix it?
Modify your opinion as appropriate.
129
What is a walk-through (simple)?
follow a transaction or event from its origination through to the end of processing
130
Should a service auditor question variations in a process for different types of transactions/events?
Yes.
131
Can a control be operating effectively if they are not suitably designed?
No.
132
The evidence obtained from tests of controls relate to what three things?
  • how the controls were applied (how)
  • the consistency with which they were applied (when / how often)
  • by whom and in what manner they were applied (who)
133
In what two places must tests of controls be performed if the inclusive method is used?
  • the service organization
  • the subservice organization
134
When looking at the reliability of evidence collected, what three things should be looked at?
  • completeness
  • accuracy
  • precision
135
What is the auditor required to do if tests are performed at an interim date?
perform procedures to obtain evidence through to the end of the period
136
If a control does not leave evidence of its operation, what audit procedure should be performed?
observation
137
In what types of meetings should discussions of incident responses and escalation plans for unforeseen events occur?
board meetings
138
What is a way to test the operating effectiveness of whistleblower hotlines?
call the hotline
139
Where would you typically find information around a company's policies, procedures, and communication plans?
company's intranet
140
What should the service auditor do if the evidence obtained is not sufficient and appropriate?
perform additional procedures to get more evidence
140
T/F: The service auditor should only consider the evidence obtained internally, not external evidence.
False, they should consider all evidence, whether obtained internally or externally.
140
T/F: The service auditor should only consider corroborating evidence, not contradictory evidence.
False, they should consider all evidence, whether it corroborates or contradicts management's assertion.
141
The service auditor must conduct (quantitative/qualitative) analysis.
both quantitative and qualitative
142
What should the service auditor understand about any identified misstatements or deviations?
nature and cause
143
A subsequent event occurs in what time period?
after the year-end but before the report date
144
What should be the service auditor's first step in obtaining evidence about subsequent events?
inquire of management
145
What else can a service auditor do to obtain evidence about subsequent events?
inspect relevant documents during the subsequent events period
146
Upon becoming aware of a subsequent events, the service auditor should request management to disclose the subsequent event in one of what two places?
  • management's description of the system
  • management's written assertion
147
If management refuses to disclose an event that would mislead report users if left undisclosed, what two actions should the service auditor consider taking?
  • withdraw from the engagement
  • modify the opinion and disclose the event in the report
148
The service auditor has a (active/passive) duty until the audit report date, and a (active/passive) duty after.
active, passive
149
Is the service auditor responsible for performing procedures after the date of the audit report? What is the caveat here?
No, but they must respond appropriately to any subsequent discoveries after the date of the report.
150
What questions should the service auditor ask themselves when they discover information after the report issuance? (3)
  • Had we known this when we issued our report, would we have revised the report?
  • Did the facts exist as of the date of the report?
  • Would users of the report attach importance to this?
151
What three things do management representations serve to do?
  • confirm explicit or implicit representations made to the auditor
  • indicate the continuing appropriateness of those representations
  • reduce the possibility of misunderstanding
152
What is the date on management's written representations?
the same as the report date for the service auditor
153
Can you (service auditor) issue an opinion without a rep letter?
No.
154
How many written representations do you need if you use the inclusive method for subservice organizations?
1 from the service organization, and 1 from each subservice organization you use the inclusive method for