Reporting on SOC Engagements
How do we form our overall opinion?
•What is the subject matter of the engagement?
•As you form an opinion, evaluate whether the evidence obtained is sufficient and appropriate and if the uncorrected misstatements are individually or in aggregate material.
What is an opinion:
•the subject matter is in accordance with the criteria in all material respects, or the assertion is fairly stated in all material respects.
The opinion of the service auditor is focused on:
1. the fair presentation of management's description of the service organization's system
2. the suitability of the design of the controls related to the control objectives stated in management's description
3. (Type 2: the controls are operating effectively / are not operating effectively; this part is optional.)
Note: the engagement objective is the same but the subject matter for the opinion being formed is different
Types of Opinions:
•unmodified (unqualified) opinion
management's description was fairly presented and the implemented controls stated were suitably designed (Type 2: controls operating effectively)
(SOC 1, specific period and control objectives), (SOC 2, throughout period and trust service criteria)
Complementary User Entity Controls should be stated in management's description if material.
Same with Complementary Sub Service Organization Controls.
•qualified opinion: states that, except for the effects of the matters giving rise to the modification, the description is presented in accordance with the description criteria and the controls were suitably designed (and operating effectively, Type 2) in all material respects
couldn't get enough evidence
Evidence shows that something is wrong
•adverse opinion: states the description misstatements either individually or in aggregate are material and pervasive, or deficiencies in the design or operation of controls are material and pervasive.
•disclaimer of opinion: can't express an opinion
scope issue
Components of the Auditors Report for SOC Engagement:
•management's description of system
management's responsibility; form determined by management
provides enough information to give an understanding and to assess the RMM (risk of material misstatement) of the user entity's financial statements (SOC 1)
services provided
specifics of procedures performed
System functionality
subservice org controls
complementary user entity controls: controls implemented by the user entity to meet the control objectives
controls
how reports are prepared
deficiencies in information used in the performance of the procedures and how to correct them
(Type 2: relevant changes to the system in the period covered, why trust services criteria are relevant or irrelevant)
(Cybersecurity Risk: nature of business/operations, nature of information at risk, cybersecurity risk management program objectives, factors that have a significant effect on inherent cybersecurity risk, governance process, assessment process, communication/quality of information, monitoring, control processes)
•management's assertion
controls stated were suitably designed
•independent service auditor's report
•auditor's tests of controls and results of the tests
SOC 1: Left off at contents of the service auditor's report, part 2
Title: "independent"
Addressee
Scope: identifying management's description, the period it relates to, the criteria, any information not contained in the service auditor's report, whether any services were performed by a subservice organization and whether the carve-out method or inclusive method was used, scope of writing for any general needs, complementary user entity controls, complementary service entity controls.
Service organization responsibility: reference to the assertion made, a statement that management is responsible for the description, providing the service covered by the description, specifying the control objectives, the criteria to measure against, identifying risks, and documenting. The service auditor will express an opinion in accordance with the attestation standards established by the AICPA, and state what the standards require the service auditor to plan and perform.
Inherent limitations: describe the inherent limitations in any system or internal control and a warning that controls can become ineffective
Type 2: make reference to operating effectiveness, which controls were tested (in entirety or on a sample basis), the level of detail in the tests, deviations found, and what work the internal audit function did.
Type 1: statement that the service auditor is not expressing an opinion on operating effectiveness
Opinion: conclusion, statement of need for complementary subservice organization controls or complementary user entity controls
Restricted use language: solely for the management, service auditor, or user entities of service organizations
Wrap up: signature, city, state, date of the report (the date by which all evidence has been obtained).
Type 2: has trust services criteria, covers a period, has a paragraph on operating effectiveness, and is restricted to the parties the service auditor and management agreed on
Subservice providers and the methods for relying on them: first, they have to be relevant to the user's understanding, related to one or more trust services criteria (CAPPS). The subservice organization doesn't have to be independent.
Carve out method:
•carve out/exclude the subservice controls at an engagement level and instead identify what type of controls we expect to have been performed.
•Look at the methods to monitor the performance.
Statement that the subservice organization's controls are excluded, that the control objectives are achievable only if those carved-out controls are operating effectively, and that proving this isn't in the service auditor's scope.
Testing the subservice controls is not possible under this method.
•When the carve-out method is applied, the complementary subservice organization controls would be excluded from the description of the service organization's system and from the scope of the engagement, but the service organization management should still identify the services provided by the subservice organization, the complementary user entity controls necessary, and the controls in place at the service organization to monitor the effectiveness of the complementary subservice organization controls
Inclusive method: more extensive.
•include controls at a engagement level
Opposite of the carve-out method.
Note: the method chosen does not need to be consistent across subservice organizations; it can be chosen per subservice.
Note: the inclusive method can't be used if the service auditor isn't independent of the subservice organization, since the auditor needs to audit them too.
Note: when deciding between the methods, consider the significance of the portion of work, its complexity, and the controls/how much assurance is needed from those controls.
Where do these methods impact the SOC report?
•carve out
Complementary User entity controls:
•required disclosure by management when identified
In some instances, a service organization's controls cannot provide reasonable assurance that its service commitments and system requirements were achieved without the user entity performing certain activities in a defined manner.
•The service organization expects the user entity to implement necessary controls and to perform them completely and accurately in a timely manner.
•Management of the service organization identifies such CUECs in their system description.
Complementary subservice organization controls (CSOCs) are those controls that are necessary, in combination with the service organization controls, to provide reasonable assurance that service commitments and system requirements are achieved. A vendor used by a service organization is considered a subservice organization only if the services provided by the vendor are relevant to the users' understanding of the service organization's system, and the controls are necessary, in combination with the controls of the service organization, to provide reasonable assurance that the service commitments and system requirements are achieved.
How do they impact SOC?
•SOC 1: statement that it's not their problem
•SOC 2: statement that it's not their problem, that the evaluation did not include the subservice controls, and how the subservice's services interact with the organization's controls
