Planning and Risk Assessment in SOC engagements
How we understand service organization management's responsibilities:
Planning: service auditor's responsibilities:
•establish communication w/ mgmt of the service organization
•determine the appropriate person within the service organization's management or governance structure with whom to interact
•gain an understanding of key areas and make an assessment of risk based on the engagement
•do they want the job, do they agree with the terms, does mgmt understand their responsibility
SOC 1: if they accept the criteria
SOC 2 and 3: materiality and risk
Planning mgmt responsibilities:
SOC 1
•define the scope of the engagement, i.e. which services, functions, and applications they believe will be relevant to the user entities' internal control over financial reporting
•whether the service organization has any contractual obligations to provide a Type 1 or Type 2 report to one or more of its user entities
•frequency of the report to be issued and the period covered by the report
•relevant subservice organizations and whether the carve-out or inclusive method is used
•selecting the criteria to be used, stating them in the assertion, and determining that the criteria are appropriate for mgmt's purposes
•state the control objectives, including whether any control objectives are specified by laws, regulations, etc.
•identify risks that threaten the achievement of the stated control objectives, and design, implement, and document controls that are suitably designed and operate effectively to achieve those objectives
What mgmt gives to service auditor:
•preparing a description of the system, including the completeness, accuracy, and method of presentation of the description
•having a reasonable basis for its assertion
•preparing a written assertion that accompanies mgmt's description of the service org's system, and providing both to user entities
•providing the auditor with everything they need (access to records, personnel, etc.)
•providing written representations at the end of the engagement
•acknowledgement of the service auditor's use of the internal audit function (if applicable)
•disclosures to the auditor about noncompliance, fraud, and uncorrected misstatements that are not clearly trivial, w/ a statement on appropriate communication
•subsequent events
Note: PY report can help start the CY
SOC 2
Prepare
Mgmt responsibility:
•define the scope of the engagement, i.e. which services, functions, and applications they believe will be relevant
•systems used
•whether the service organization has any contractual obligations to provide a Type 1 or Type 2 report to one or more of its user entities
•as-of date (Type 1) or period covered (Type 2)
•relevant subservice organizations and whether the carve-out or inclusive method is used
•identify risks that threaten the achievement of the stated control objectives, and design, implement, and document controls that are suitably designed and operate effectively to achieve those objectives
•which trust services criteria to use
•design, implement, operate, and monitor controls
During
What mgmt gives to service auditor:
•preparing a description of the system, including the completeness, accuracy, and method of presentation of the description
•having a reasonable basis for its assertion
•identifying risks
•preparing a written assertion that accompanies mgmt's description of the service org's system, and providing both to user entities
•providing the auditor with everything they need (access to records, personnel, etc.)
•providing written representations at the end of the engagement
•acknowledgement of the service auditor's use of the internal audit function (if applicable)
•disclosures to the auditor about noncompliance, fraud, and uncorrected misstatements that are not clearly trivial, w/ a statement on appropriate communication
•subsequent events
SOC 3
Mgmt does not prepare a system description
Service auditors must be independent of the client and the subservice organization, but not of the user entities.
Materiality: reassess materiality if new information is found during the engagement.
Context of materiality: materiality is judged in the context of the client's engagement and subject matter, not just the financial statements.
Materiality in the approach to controls: both quantitative and qualitative factors.
Description materiality: errors or omissions in the system description.
Deviation or exception: could result in a deficiency, either a
•design deficiency, or a
•deficiency in operating effectiveness
Risk assessment in SOC
System: the infrastructure, software, people, data, and procedures that are designed, implemented, and operated with the intent to achieve management's objectives
•Infrastructure: individual physical or virtual resources, or a collection of resources, that support a service organization's environment, e.g. servers, switches, storage devices, virtual machines, mobile devices, and internally or externally connected networks.
•Software: applications and programs that support the operations of an IT system, such as operating systems, middleware, database structures and retrieval mechanisms, external web-based applications, internally shared applications, and details describing those systems or how they function.
•People: the personnel involved in the governance, operation, and use of the system.
•Data: the type of information used by personnel and systems, information describing that data such as data dictionaries, and information mapping the flow of data and where it is stored.
•Procedures: the automated or manual business procedures that are related to the services and products offered, including the activities that initiate, authorize, perform, deliver, and report on those procedures.
Boundaries need to be clearly defined and stated in the report. Boundaries for each system will be different.
Objectives and sub-objectives relate primarily to the following:
•The achievement of service commitments made to user entities related to the system used to provide the services and the system requirements necessary to achieve those commitments.
•Service commitments may be established for many different aspects of the service being provided, including the following:
 o specifics of an algorithm used in a system calculation
 o the hours the system will be available
 o published password standards
 o encryption standards used to encrypt stored customer data
Service commitments impose system requirements, and those requirements relate to the trust services criteria. Mgmt only needs to disclose the service commitments that are common to users, not every commitment made to each individual user entity.
As part of the risk assessment, the service auditor should obtain an understanding of the service organization's system, including controls within the system. That understanding should include the service organization's processes and procedures used to:
• prepare the description of the service organization's system, including the determination of the control objectives;
• identify the controls designed to achieve control objectives;
• assess the suitability of the design of the controls; and
• assess the operating effectiveness of controls (Type 2 only).
If the service organization has an internal audit function, the service auditor's understanding of the service organization's system should include the following:
• The nature of the internal audit function's responsibilities and how the internal audit function fits into the service organization's organizational structure
• The activities performed or to be performed by the internal audit function as it relates to the service organization
How to assess the suitability of the service commitments and service requirements:
