Performing SOC engagements

Once the service auditor has accepted the engagement and completed the initial planning and risk assessment, the next phase of the engagement involves:

•obtaining an understanding of the system defined by the service organization

•performing tests of controls and obtaining evidence

•considering subsequent events

•evaluating the results to form the opinion

•evaluating whether management's description of the service organization's system is fairly presented in accordance with the description criteria

Key areas:

•responding to the assessed risk through the type of evidence gathered, including materiality considerations

Responding to greater risk: increasing professional skepticism, assigning more specialists, adding supervision, introducing more unpredictability, and changing the nature, extent and timing (NET) of procedures.

How to evaluate whether management's description of the service organization's system is fairly presented. The service auditor considers whether:

SOC 1

•the control objectives stated in management's description of the service organization's system are reasonable in the circumstances.

•the controls identified in management's description of the service organization's system were implemented.

•complementary user entity controls and complementary subservice organization controls are adequately described, and whether subservice organizations are presented under the carve-out or inclusive method.

•management's description accurately presents the system as designed and implemented, including:

types of services provided

procedures by which the services are provided

information used in performing the procedures, including accounting records related to significant transactions

how the service organization's system captures and addresses significant events and conditions other than transactions

how the service organization prepares its reports

services performed by subservice organizations

the specified control objectives and whether each was achieved

other aspects of the service organization's control environment

changes to the system during the period

SOC 2:

•the description is not in accordance with the description criteria if it states that a control or procedure exists when it does not, or if it contains statements that cannot be objectively evaluated.

Evaluate the description:

•whether the description is misleading.

•whether additional disclosures are needed, such as subsequent events or significant interpretations made.

If the description is misstated, ask management to amend the description.

Procedures to obtain evidence that the description presents the system as it was designed and implemented, and that the controls were suitably designed and operated effectively throughout the specified period:

SOC 2

•inquiry

•inspection

•walkthroughs

•reading applicable supporting system documentation

•determining whether attacks, exploited vulnerabilities, emerging risks and threats have been adequately addressed

Suitability of design: whether the controls meet the applicable trust services criteria and provide reasonable assurance that the requirements were achieved. Consider:

•frequency of the control

•competence and authority of the individual performing it

•precision and sensitivity of the control

•whether it is functioning as designed

The nature, extent and timing (NET) of the procedures affect this assessment.