Attestation Standards

What is the purpose of a SOC 1 report?

To report on controls at a service organization relevant to user entities' internal control over financial reporting (ICFR).

Who are Soc 1 reports intended for?

Restricted to service organization management, user entities, and user auditors.

What is the key differences between SOC 1 Type 1 and Type 2 report?

Type 1 reports on the design of controls as of a date; Type 2 reports on both the design and operating effectiveness of controls over a period.

What are SOC 2 reports used for?

To evaluate controls related to security, availability, processing integrity, confidentiality, and privacy.

What is a SOC 3 report?

A general use report on trust services criteria that can be freely distributed, unlike SOC 2 which is restricted

What are the five sections in SOC 1/SOC 2 reports?

The five sections in SOC 1/SOC 2 reports are Management's Assertion on Controls, Service Auditors Report on Controls, Description of the Service Organization, Service Auditors test of controls, other information provided by the service organization that is not covered by the service auditors report (unaudited section)

What is AT-C 320 focused on?

Reporting on an examination of controls at a service organization relevant to ICFR.

What is meant by 'limited assurance' in attestation standards?

It is a level of assurance that is less than reasonable assurance.

What is 'professional skepticism'?

An attitude that includes a questioning mind and a critical assessment of audit evidence.

How are internal auditors' work used in attestation engagements?

Their work may be used by the practitioner if deemed reliable, to gain understanding and gather evidence.

What is 'materiality' in SOC reports?

A concept that determines the significance of misstatements or control deficiencies.

What are control objectives and control activities?

Objectives define what controls aim to achieve; activities are the actual procedures in place to meet them.