This engagement involves internal control over financial reporting. These reports are restricted to management of the service organization, user entities of the SVO’s system, and the user entities’ independent auditors. This excludes prospective (potential) users of the service organization.
SOC 1 engagement
This engagement involves the five trust services criteria. These reports are intended for use by those who have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide those services, among other matters.
SOC 2 engagement
This engagement is similar to SOC 2, in that the service auditor reports on whether controls within the system were effective to provide reasonable assurance that the service commitments and system requirements were achieved. This report does not include a description of the system or a description of the service auditor’s tests of controls and corresponding results. It is ordinarily for general users who need assurance about the controls at a service organization but lack the knowledge and understanding needed for a SOC 2 report.
SOC 3 engagement
A report on the fairness of the presentation of management’s description of the SVO’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date
Type 1 SOC Report
A report on the fairness of the presentation of management’s description of the SVO’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period
Type 2 SOC Report
Five Trust Services Categories
Security, Privacy, Confidentiality, Processing Integrity, Availability
Five Components of COSO Framework
Control Environment, Risk Assessment, Information and Communication, Monitoring, Control Activities
When forming an opinion about the subject matter of the SOC engagement, what should the service auditor evaluate?
The sufficiency and appropriateness of the evidence obtained
Whether uncorrected misstatements, individually or in the aggregate, are material
Fair presentation of management’s description of the SVO’s system, suitability of the design of the controls related to the control objectives stated in management description, the effective operation of the controls stated in managements description.
What the service auditor’s opinion is focused on
Four key components of a SOC Report
Management’s system description, management’s assertion, independent service auditor’s report, auditor’s tests of controls and results of tests
They are responsible for documenting the description of the service organization’s system, which must be sufficient to allow a user auditor to understand how the service organization’s processing affects the user entity’s financial statements and to assess the risk of material misstatement of the user entity’s financial statements.
Management’s Responsibilities in a SOC 1 Engagement
They are responsible for presenting a description of the system to enable report users, such as user entities, business partners, or other relevant parties, to understand the system and the processing and flow of data throughout and from the system
Management’s responsibilities in a SOC 2 engagement.
Title, Addressee, Scope, Service Org’s Responsibilities, Service auditor’s responsibilities, Inherent limitations, description of tests of controls (Type 2), Other Matter (Type 1), Opinion, Restricted Use
Independent Service Auditor’s SOC Report
Services provided by the vendor are likely relevant to user entities’ IC over FR, and controls implemented at the vendor org are necessary to achieve the control objectives stated in management’s description of the SVO's system.
SOC 1 subservice organization
The services provided by the vendor are relevant to report users; understanding of the service organization’s system as it relates to the applicable trust services criteria. Controls at the vendor org are necessary, in combination with the SVO’s controls, to provide reasonable assurance that the service commitments and system requirements are achieved.
SOC 2 and SOC 3 subservice organization
The method of addressing the services provided by a subservice organization in which the description of the SVO’s system identifies the nature of the services the subservice organization provides, but the subservice organization’s controls are excluded from the description of the SVO’s system and from the scope of the engagement.
Carve-out method
The method of addressing the services provided by a subservice organization in which the description of the SVO’s system includes a description of the nature of the services provided by the subservice organization and the components of the subservice organization’s system used to provide services to the SVO.
Inclusive method
Controls that are necessary to be implemented by the user entity, in combination with the SVO’s controls, to provide reasonable assurance that the control objectives stated in management’s description of the SVO system or the service org’s service commitments and system requirements were achieved.
Complementary user entity controls
Security monitoring, managed service provider environment changes, encrypted financial data, physical access controls, authorization policies
Common examples of CUECs
____ are controls that a subservice organization must implement in order for a service organization’s controls to operate effectively, whereas ____ are controls that a user entity must implement for the service organization’s controls to operate effectively. In both scenarios, the service organization relies on other entities (vendor or client) for its own controls to work properly.
CSOCs, CUECs
What needs to be added to a service auditor’s report when the service auditor concludes that a modified opinion is appropriate based on the professional judgment of the service auditor
An additional paragraph explaining the matter that gave rise to the modification.
The service auditor is required to establish an understanding with the service organization’s management about its responsibilities and the responsibilities of the service auditor _____
Prior to accepting the SOC engagement.
What is a major difference in management responsibilities in a SOC 3 engagement compared to a SOC 2 engagement?
Management does not prepare a system description.
Determining whether to accept or continue the engagement, agreeing on engagement terms, and reaching an understanding with management regarding a written assertion are the responsibilities of whom, during the planning of which type of engagement?
Service auditor, any SOC engagement
Assessing the risk of material misstatement, obtaining an understanding of the SVO’s system and assessing the suitability of the criteria used by management in preparing its system description.
Service auditor responsibilities in the planning of SOC 1
Establishing an overall strategy for the engagement and performing risk assessment procedures are additional responsibilities of whom, during the planning of which type of engagement?
Service auditor and SOC 2/SOC 3
The infrastructure, software, procedures, and data that are designed, implemented, and operated by people to achieve one or more of the organization’s specific business objectives in accordance with management specified requirements.
System in SOC 2 engagement
Materiality considerations, the service auditor’s understanding of the effectiveness of the control environment, and other components of internal control related to the services provided to user entities and business partners
Factors that affect the assessment of the risks of material misstatement
Common terms used when discussing misstatements related to the different subject matters in a SOC engagement?
Description misstatement; deviation or exception; deficiency in design; deficiency in operating effectiveness (OE)