S4-m4 Flashcards
(36 cards)
The service auditor, when auditing the service organization, is required to:
-establish, prior to acceptance of the SOC engagement, an understanding with service organization management about management's responsibilities and those of the service auditor
-communicate with the management of the service organization
-determine the appropriate persons within the service organization's management or governance structure with whom to interact
The objectives of the service auditor are to:
obtain reasonable assurance about whether, in all material respects, based on suitable criteria:
-management's description of the service organization's system fairly presents the system that was designed and implemented
-the controls related to the control objectives stated were suitably designed
-when included in the scope, the controls operated effectively
-report in accordance with the service auditor's findings
During planning of any SOC engagement, the service auditor is responsible for:
-determining whether to accept or continue the engagement
-agreeing on engagement terms
-reaching an understanding with management regarding a written assertion
During planning of a SOC 1 engagement, the service auditor is also responsible for:
-assessing the risk of material misstatement
-obtaining an understanding of the service organization's system and assessing the suitability of the criteria used by management in preparing its system description
During planning of a SOC 2 & 3 engagement, the service auditor is also responsible for:
-establishing an overall strategy for the engagement; sets scope, timing, and direction
-performing risk assessment procedures; how system controls were designed, implemented, and operated to provide reasonable assurance
Agreed upon engagement terms
Service auditor and service organization
-objectives and scope
-responsibilities of the service auditor and the responsible party, including the responsibility of management to provide a representation letter
-identification of the criteria used to measure, evaluate, or disclose information about the subject matter
-acknowledgment that the engagement will be conducted in accordance with attestation standards established
Service Organization and Service Auditor
Independence Considerations
The service auditor needs to be independent with respect to the responsible party. The responsible party is most often the service organization.
Subservice Organization and Service Auditor
Independence Considerations
If management elects to use the inclusive method, then the subservice organization management is a responsible party and should be independent of the service auditor
What should the service auditor do when they lack independence?
When the service auditor is required by law to accept the engagement, the service auditor should disclaim an opinion and should specifically state that the service auditor is not independent.
The service auditor's consideration of materiality should include…
SOC 1
the fair presentation of the description of the service organization's system
Fair presentation of the description relates to…
The concept of materiality
the information being reported on, not the financial statements of user entities
Materiality relates to…
SOC 1
qualitative factors, such as whether significant aspects of the processing have been included in the description or if relevant information has been omitted or distorted
Quantitative factors
Materiality with respect to SOC 1 Type 2
The tolerable and observed rate of deviations
Qualitative factors
Materiality with respect to SOC 1 Type 2
The nature and cause of deviations
Materiality can be described as:
SOC 2
-the likelihood and magnitude of the risks that threaten the achievement of the service organization's service commitments and system requirements
-whether the controls the service organization has designed, implemented, and operated were effective in mitigating those risks to an acceptable level based on the applicable trust services criteria
The service auditor should consider the nature of threats…
SOC 2
and the likelihood and magnitude of the risks arising from those threats to the achievement of the service organization's service commitments and system requirements
Description Misstatement
The term used when describing errors or omissions in the description of the service organization's system
Deviation Expectation
identified misstatements resulting from the failure of a control to operate in a specified instance. A deviation may result in a deficiency.
Deficiency in the design
when a control necessary to meet the control objectives is missing or improperly designed, so that even if it operates as designed, the control objectives would not be achieved
Deficiency in the operating effectiveness
when a properly designed control fails to operate as designed or when the person performing the control does not possess the competency necessary to perform the control effectively
In a SOC 2 engagement what is a system?
a system is defined as the infrastructure, software, procedures, and data that are designed, implemented, and operated by people to achieve one or more of the organization's specific business objectives in accordance with management-specified requirements
What are the boundaries of a system?
the specific aspects of a service organization's infrastructure, software, people, procedures, and data necessary to provide its services
-need to be clearly defined and communicated to report users in a SOC engagement
Service commitments are…
declarations made by service organization management to user entities and others about the system used to provide the service
System requirements are…
specifications regarding how the system should function to meet the service organization's service commitments, to comply with relevant laws and regulations and the guidelines of industry groups, and to achieve other objectives of the service organization that are relevant to the trust services category or categories addressed by the description
-also define how the system should function to meet commitments and comply with laws