S4-m5

Question 1

Key areas of engagement performance once initial risk assessment procedures are complete:

Answer 1

1. Respond to risk
2. Evaluate whether managements description is fairly presented in accordance
3. Obtain and evaluate evidence regarding suitability of the design of controls
4. Obtain and evaluate evidence regarding the operating effectiveness of controls
5. Evaluate the results of the procedures
6. Form the opinion

Question 2

The service auditor is required:

Responding to the Assesed Level of Risk

Answer 2

• obtain sufficient audit evidence to reduce attestation risk to an acceptably low level
• to design and implement overall responses to address the assessed risk of material misstatements for the subject matter; and design and perform further procedures whose nature, extent and timing are based on, and responsive to, the assessed risk of material misstatement

Question 3

Assessment of risks of material misstatement is impacted by several factors, including:

Answer 3

-material considerations
-the service auditors understanding of the effectiveness of the control environment
-other openness of internal control related to the service provided to user entities and business partners

Question 4

Overall responses by the service auditor to address the assessed risks of material misstatement may include:

Answer 4

• maintaining a culture of professional skepticism with the engagement team
  -assigning more experienced staff or using specialists as needed
  -providing additional supervision over audit procedures
  -incorporating elements of unpredictability in the selection of procedures to be performed
  -making changes to the nature, extent, or timing of procedures

Question 5

A description is not fairly presented if:

Answer 5

• the description states or implies that controls are being performed when they are not being performed
  -the description inadvertently or intentionally omits relevant controls performed by the service organization that are not suitably designed or operating effectively

Question 6

The service auditor is required to obtain and read managements description of the service org system and evaluate whether those aspects of the description that are included in the scope of the engagement are presented fairly, in all material respects, based on the suitable criteria in managements assertion, including whether:

SOC 1

Answer 6

-the control objectives stated in managements description of the service organizations system are reasonable in the circumstances
-control identified in managements description of the service organization system were implemented
-complementary user entity controls and complementary subservice organization controls, if any are adequately described
-the services performed by a subservice organization, if any are adequately described, including whether the carve out method or inclusive method has been used

Question 7

The attributes of suitable criteria for evaluating the fair presentation of managements description includes:

SOC 1

Answer 7

-whether managements description of the service org system presents how the service or system was designed and implemented, including the types of services, procedures, information used, how system captures and addresses significant events
-whether managements description of the service organization system includes relevant details of changes to the service organizations system during the period covered
-whether managements description of the service org system does not omit or provide misleading info relevant to the service orgs system

Question 8

Procedures the service auditor may perform to evaluate whether the description of the service organization system is fairly presented typically include a combination of the following:

Answer 8

-considering the nature of the user entities and how the services provided by the service organization are likely to affect them
-reading contracts with user entities to gain an understanding of the service organizations contractual obligations
-observing the procedures performed
-reviewing the service organizations policy
-walkthroughs

Question 9

A description of a service organizations system in a SOC 2 is presented in accordance with description criteria when the description:

Answer 9

-describes the system that the service organization has implemented
-includes information about each description criterion to the extent it is relevant to the system being described
-does not inadvertently or intentionally omit or distort information

Question 10

A description is not presented in accordance with the description criteria if:

SOC 2

Answer 10

-the description states or implies that certain IT components exist when they do not
-the description states or implies that certain processes and controls have been implemented when they are not being performed
-the description contains statements that cannot be objectively evaluated

Question 11

The service auditor should consider whether additional disclosures are necessary to supplement the description. Additional disclosures may include:

Answer 11

-significant interpretations made in applying the criteria
-subsequent events

Question 12

In addition to obtaining evidence that the description presents the system was designed and implemented in accordance with the description criteria, the service auditor must also…

SOC 2

Answer 12

obtain evidence that the controls were suitable designed and operated effectively during the specified period (T2)

Question 13

Suitably designed controls operated…

SOC 2

Answer 13

as designed by individuals who have the necessary authority and competence to perform the controls

Question 14

Controls that operate effectively provide…

SOC 2

Answer 14

reasonable assurance of achieving the service organizations service commitments and system requirements based on the applicable trust services criteria

Question 15

Nature of Test of Controls

Answer 15

The nature and objectives of tests to evaluate the operating effectiveness of controls are different from those performed to evaluate the suitability of design of controls
-make inquiries and perform other procedures such as inspection, observation, or reperformance about how the control was applied
-determine whether the controls to be tested depend on other controls
-evaluate and determine an effective method for selecting the items to be tested

Question 16

The extent of tests of controls

Answer 16

the extent of the service auditors testing refers to the size of the sample tested or the number of observations of a control activity

Question 17

The extent of testing is based on the service auditors professional judgment after considering:

Answer 17

-the tolerable rate of deviation
-expected rate of deviation
-frequency with which the control operates
-length of testing period

Question 18

Factors relevant to the service auditors determination of timing:

Answer 18

-the period of time during which the info will be available
-whether control leaves evidence of its operation and if not whether the control should be tested through observation
-the significance of the control being tested

Question 19

The service auditor must evaluate…

Answer 19

the results of all the procedures performed and must conduct both quantitative and qualitative analysis

Question 20

When evaluating the results of procedures…

Answer 20

the service auditor investigates the nature and cause of any identified description misstatements and deficiencies or deviations in the effectiveness of controls

Question 21

The service auditor may obtain evidence by inquiring about the operating effectiveness of controls by inspecting the following:

Answer 21

-relevant internal auditors reports issued during the subsequent period
-other practitioners reports issued during the subsequent period
-relevant regulatory agencies reports issued during the subsequent period
-reports on other professional engagement for that entity

Question 22

Subsequent events likely to affect a SOC report:

Answer 22

-during the last quarter of the period covered by the service auditors report, the IT director provided all of the programmers with access to the production data files, enabling them to modify data
-A confidentiality breach occurred during the period covered by the service auditors report
-signatures on a number of non automated trade execution instructions summitted during the engagement period that appeared to be authenticated has been forged

Question 23

Subsequent events Unlikely to affect a SOC report:

Answer 23

the service organizations:
-was acquired
-experienced a major operational disruption that was caused by weather or natural disaster
-made significant changes to its information systems

Question 24

What should a service auditor do when they become aware of a subsequent event of significance?

Answer 24

request that management disclose the event in either managements assertions or the description of the service organizations system

Question 25

The service auditor should determine whether the subsequently discovered facts…

Answer 25

had they been known as of the report date, may have caused the service auditor to revise the report

Question 25

Subsequently discovered facts after the issuance of a SOC report

Answer 25

the service auditor is not required to perform any procedures regarding the description, the suitability of design of controls, the operating effectiveness (T2), or managements assertion after the date of the service auditors report.
-the service auditor is responsible for responding appropriately to facts that become known after the date of the report

Question 26

The service auditor is required to obtain written representation from the management of the service organization

Answer 26

-such representations are intended to confirm explicit or implicit representations given to the service auditor, indicate and document the continuing appropriateness of those representations, and reduce the possibility of misunderstanding between the service auditor and management
-appropriate individuals
-should be the date of the issued SOC report

Question 27

State that

Content of Written Representation

Answer 27

-all relevant matters are reflected in the measurement or evaluation of the subject matter or assertion
-all known matters contradicting the subject matter or assertion and any communications from regulatory agencies or others affecting the subject matter have been disclosed to the service auditor

Question 28

Acknowledge Responsibility for:

Content of Written Representation

Answer 28

-the subject matter and assertion
-selecting the criteria
-determining that such criteria are appropriate for managements purposes

Question 29

State that any known subsequent events related to…

Answer 29

the subject matters of the report that would have a material effect of the subject matter or assertion have been disclosed to the service auditor

Question 30

State that management has provided..

Answer 30

the service auditor with all relevant access and information

Question 31

State that management believes the effects of uncorrected misstatements…

Answer 31

are immaterial, individually and in the aggregate, to the subject matter

Question 32

State that management has disclosed to the service auditor:

Answer 32

-all deficiencies in internal control relevant to the engagement
-its knowledge of any fraud or noncompliance
-all other matter deemed appropriate
-instances of noncompliance with laws
-identified system incidents