SOC


24 Terms

1. SOC 1

Internal control over financial reporting

2. What does SOC 2 focus on?

Security, availability, or processing integrity of a system, or the confidentiality or privacy of the information processed by the system.

3. Who is SOC 2 meant for?

Knowledgeable users.

4. What is SOC 3?

A report designed for general users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but lack the knowledge to use a SOC 2 report.

5. What type of report is SOC 3?

It is always a Type 2 report.

6. Type 1

As of a specified date

7. Type 2

Throughout a specified period

8. Trust services criteria 1: confidentiality

Information is protected

9. Trust services criteria 2: availability

Information and systems are available for operation and use

10. Trust services criteria 3: processing integrity

System processing is complete, valid, accurate, timely, and authorized

11. Trust services criteria 4: privacy

Personal information is collected, used, retained, disclosed, and disposed of

12. Trust services criteria 5: security

Information and systems are protected against unauthorized access

13. How does the service auditor reach their opinion for a SOC engagement?

By determining whether the description of the controls is presented fairly, the controls are designed effectively, and the controls operate as intended

14. Inclusive method

The subservice organization will need to provide a separate management assertion letter for the primary service auditor's report

15. Carve-out method

The description covers the nature of the service provided and the types of controls, along with the applicable trust services criteria, that are intended to be met by the complementary subservice organization controls (CSOCs)

16. Contents of SOC 1 report

Management's description of the system; management's assertion; independent service auditor's report; auditor's tests of controls and results of tests (Type 2 only)

17. Contents of SOC 2 report

Management's description of the system; management's assertion; independent service auditor's report; auditor's tests of controls and results of tests (Type 2 only)

18. When does a SOC report include the auditor's tests of controls and results of tests?

Type 2 only

19. If a SOC 2 Type 2 report identified deviations, what information also needs to be included?

Number of items tested, number and nature of deviations, causative factors (optional)

20. CUECs for SOC 1 reports

Any relevant CUECs that ensure control objectives are met should be described in the system description

21. CUECs for SOC 2 reports

System descriptions should also include relevant CUECs and a statement that user entities are responsible for those controls

22. Qualified opinion

Except for the effects of the matter(s) giving rise to the modification, the description is presented in accordance with the description criteria

23. Adverse opinion

Description misstatements are material and pervasive, or deficiencies in the design or operation of controls are material and pervasive

24. Disclaimer of opinion

Auditor does not express an opinion