Auditing Principles and Practices Quiz


Questions and Answers

What is the primary purpose of continuous auditing for auditors?

  • To perform audit tests once a year
  • To focus solely on revenue transactions
  • To analyze past financial statements
  • To subject all transactions to control functions in real time (correct)

Which function is NOT included in the capabilities of GAS CAAT?

  • Report generation (correct)
  • Recalculation
  • File import
  • Gap analysis

What does the Benford Law state about financial numbers?

  • The only acceptable first digit is 5
  • The first digit is most likely to be 1 and least likely to be 9 (correct)
  • The first digit is more likely to be 0 than any other digit
  • Every digit has an equal probability of appearing as the first digit

What is a significant risk when using CAAT?

Unauthorized changes and incomplete testing (D)

Which of the following is a potential issue with outsourcing in auditing?

The firm remains liable for issues despite outsourcing services (B)

What should a service auditor do if there is a significant control deficiency?

Issue a qualified report (A)

Which procedure is documented in a type 1 sampling test?

Only controls (C)

What is the purpose of identifying compensating controls?

To strengthen weak controls when combined (B)

Which of the following is NOT included in the standards developed by the PCI Security Council?

User training programs (B)

What does SOC 2 specifically address in its reports?

Security, availability, integrity, and confidentiality (D)

What must a user auditor review upon receiving a control assurance report?

Control considerations and procedures (B)

What type of report is SOC designed to provide for service organizations?

Trust and confidence in services and controls (D)

Which of the following is a procedure used in audit?

Testing (C)

What is the main goal of user acceptance testing (UAT)?

To ensure the system is functioning as intended (A)

Which conversion method is the least risky?

Phased conversion (C)

What is NOT a component of the Fraud Triangle?

Policy (D)

What is the purpose of program change controls?

To prioritize, authorize and document changes to programs (A)

Which infrastructure component is NOT part of e-business?

File management software (A)

What is the primary reason for segregation of duties?

To ensure independent verification and reduce risk of fraud (A)

Which of the following is an essential part of end user development controls?

Strict policies for documentation and approval (C)

What does detection risk refer to in terms of system controls?

Risks arising from the complexity and lack of audit trails in systems (B)

Which of the following represents a post-implementation review activity?

Assessing previous system errors (C)

Which risk involves transaction accuracy and completion in systems?

Control risk (B)

What is a cold site in the context of disaster recovery?

A backup site available within a week without hardware, software, or data (C)

How often should a disaster recovery plan be tested?

Annually (C)

What aspect is crucial for assessing the adequacy of a data center's protection?

Environmental controls like humidity and temperature (A)

Which of the following is NOT a component of general control weaknesses?

Technical documentation (D)

What can result from insufficient controls during the System Development Life Cycle (SDLC)?

Errors in programming logic (A)

What is the purpose of corporate governance within an organization?

To select objectives and monitor performance (D)

Which of the following is a potential issue with accounting information systems due to development problems?

Bookkeeping fraud (A)

What should be reviewed to ensure systems can be recovered in a timely manner?

Backup procedures (D)

Which method ensures that receivable balances are unchanged between postings?

Compare total receivable before and after posting (C)

What is a primary method for ensuring invoice data is accurately transferred between systems?

Check for duplicate entries (B)

What common method is used to verify the accuracy of system tax calculations?

Prepare simulated transactions and compare results (B)

Which approach is essential during a walkthrough interview for testing application controls?

Engage with key personnel responsible for using the application (D)

How should auditors ensure the reliability of reports used in substantive procedures?

Ensure data can be verified against independent sources (A)

What must auditors evaluate regarding significant controls related to business objectives?

If they help address completeness and accuracy assertions (B)

What is the purpose of analyzing the flow of transactions through systems during a control evaluation?

To understand the effectiveness of controls (B)

Which of the following actions would not contribute to effective test strategy and frequency determination?

Rely solely on prior audit results (C)

What is the primary difference between symmetric key encryption and asymmetric key encryption?

Symmetric uses one common key for encryption and decryption, while asymmetric uses a public and a private key. (A)

What is a potential risk of using symmetric key encryption?

A single compromised key allows unauthorized access to all encrypted data. (B)

Which component of a digital signature ensures the integrity of the message?

The hash computed from the original document. (A)

Which application of encryption is NOT mentioned in the content?

Instant messaging (B)

What does a digital certificate establish in an online transaction?

The identity of users and electronic assets. (C)

In asymmetric encryption, what role does the private key play?

It decrypts data that was encrypted with the public key. (A)

What is a significant advantage of asymmetric key encryption over symmetric key encryption?

It does not require secure key exchange. (D)

How can encryption help in data transmission?

By preventing unauthorized access through data scrambling. (C)

Flashcards

User Acceptance Testing (UAT)

Ensures the system's functionality aligns with user expectations.

Stress Testing

A type of testing that assesses the system's ability to handle high volumes and demands.

System Conversion

The process of transitioning from the old system to the new system. It can be done in different ways, each with its own advantages and risks.

Post-implementation Review

The process of reviewing the implementation process to identify potential issues and ensure the new system functions as intended.

System Development Life Cycle (SDLC)

A structured approach for developing and maintaining software systems, encompassing all stages of development.

Segregation of Duties

The practice of separating duties among different individuals to prevent fraud and errors.

Firewall

A secure barrier that restricts information flow between networks or systems.

Incentive (Fraud Triangle)

The potential for financial or emotional gain that motivates someone to commit fraud.

Opportunity (Fraud Triangle)

The ability to commit fraud without getting caught.

Rationalization (Fraud Triangle)

The justification or rationalization used by an individual to justify their fraudulent actions.

Computer-Assisted Audit Techniques (CAATs)

An audit technique that uses computer programs to analyze and test data, reducing manual effort and improving efficiency.

Benford's Law

A mathematical principle that states the first digit of naturally occurring numbers is more likely to be 1 and less likely to be 9. This can be used to detect fraud or anomalies in financial data.

Continuous Auditing

A specific type of CAAT used for real-time data analysis, where auditors continuously monitor transactions and processes for control effectiveness. This helps ensure controls are working as intended and reduces the risk of fraud.

Outsourcing Assurance Engagements

Auditing the effectiveness of outsourced processes, like payroll or supply chain management, to ensure the company's controls are working effectively.

Special Reports for Outsourced Operations

A type of assurance engagement where the auditor provides a written report expressing their professional opinion on the effectiveness of the controls for outsourced processes. This gives the company confidence that the outsourced functions are being managed effectively.

Application Control Testing

The process of examining and verifying the reliability and effectiveness of application controls in a business system.

Manual Follow-Up Controls

A control that relies on manual follow-up to identify and correct errors or anomalies. The control uses reports to highlight these issues.

Estimation Processes

A process that utilizes reports to generate complete and accurate input data for calculations or estimations. An example is receivables aging analysis.

Substantive Procedures

An approach where auditors verify the completeness and accuracy of a client's records through a detailed examination of selected items.

Data Transfer Verification

A technique used to verify that data is transferred accurately between systems. It ensures consistency, making sure data is both complete and accurate.

Simulated Transaction Testing

A method used to test the accuracy of system calculations by creating simulated transactions and comparing the output to predetermined results. This approach avoids reliance on manual recalculations.

Receivable Balance Verification

A control that requires comparing the total receivables before and after posting to ensure no unauthorized changes occurred.

Data Transmission Verification

A control used to verify the accuracy of data by comparing data from different sources. In this case, data from a local site is compared to the data transmitted from outlets to ensure accuracy.

What is a cold site?

A cold site is a disaster recovery facility with no hardware or data, typically ready within a week. It's a bare-bones space used for quickly setting up operations after a disaster.

Why is testing a disaster recovery plan essential?

Recovery plan testing ensures the plan works and that the organization can effectively recover from a disaster. It involves simulated scenarios and analysis of results to improve the plan's efficiency.

What does auditing a disaster recovery plan entail?

Auditing a disaster recovery plan involves reviewing various aspects to ensure its effectiveness. This covers procedures, back-up logs, off-site locations, contracts, test results, and data center protection measures.

How do general controls impact application controls?

General controls are overarching mechanisms impacting all application controls. Weak general controls can compromise the effectiveness of application controls, potentially leading to system vulnerabilities.

What is corporate governance?

Corporate governance focuses on aligning organizational objectives with strategic processes and monitoring performance to ensure those goals are met. It provides a framework for responsible and accountable leadership.

What is IT governance?

IT governance ensures that IT infrastructure supports the organization's overall business strategy. It aligns IT initiatives with business goals and promotes efficient use of resources.

Why is testing in the SDLC important?

SDLC testing is crucial as it assesses the reliability of the developed system. It helps detect errors in programming logic, preventing inaccurate outputs that could lead to financial and operational risks.

What problems can development issues in accounting systems cause?

Development issues in accounting information systems can lead to a range of problems, including inaccurate financial data, fraudulent activities, legal violations, and business disruptions.

Data Encryption

A method of scrambling data using mathematical algorithms and a secret key to protect information from unauthorized access.

Symmetric Key Encryption

A cryptographic method using a single key to encrypt and decrypt data. Both sender and receiver use the same key.

Asymmetric Key Encryption

A cryptographic method using a pair of keys - a public key for encryption and a private key for decryption. The public key can be shared, while the private key remains secret.

Digital Signature

A digital code attached to an electronic message to verify the origin and contents of the message. It ensures authenticity, integrity, and identification of the sender.

Certificate Authority (CA)

A trusted third party that verifies the identity of individuals and organizations and issues digital certificates.

Digital Certificate

A data file containing information about the identity of a user or electronic asset, used to secure online transactions.

Virtual Private Network (VPN)

A system that uses cryptography to secure communication and data transmission over a network. It creates a secure tunnel between two devices.

Cybersecurity

The practice of applying security measures to protect computer systems, networks, and data from unauthorized access, use, disclosure, disruption, modification, or destruction.

Qualified Audit Opinion

A qualified audit opinion is issued when a significant control deficiency exists, impacting the achievement of objectives.

Type 1 Audit Procedure

Type 1 audit procedures document controls but not the execution process.

Type 2 Audit Procedure

Type 2 audit procedures document both controls and the procedures used to execute them.

Compensating Controls

Compensating controls help mitigate risks by providing alternative safeguards even when primary controls are weak. Two weak but complementary controls can create a strong one.

Control Assurance Report

A 'control assurance report' provides an independent evaluation of the controls implemented by a service organization.

PCI DSS

The PCI DSS (Payment Card Industry Data Security Standard) outlines a set of requirements for organizations handling sensitive payment card data.

SOC 2 Report

SOC 2 reports provide assurance about the security, availability, integrity, and confidentiality of a service organization's controls.

SOC (Service Organization Controls)

The AICPA (American Institute of Certified Public Accountants) developed the SOC (Service Organization Controls) framework.

Study Notes

CAATOE

  • Completeness
  • Accuracy
  • Timeliness
  • Authorization
  • Occurrence
  • Efficiency: computes information faster and more cost-effectively, and is scalable.

Components of AIS - SIPPII

  • Information system collects, stores, and processes financial and accounting data for decision-makers.
  • Infrastructure includes LAN, WAN, wireless network, hardware, and real estate.
  • Software includes system software and application software.
  • People include CIO, system operations, management, and users.
  • IT controls are security measures and procedures to ensure information security.
  • IT controls are important for reliable output and to mitigate risks like theft and fraud, ensuring information security.

Effective Decision Making

  • AIS purpose is to collect and store data about organizational activities, resources, and personnel.
  • Transform data into information to help management plan, execute, control, and evaluate activities and resources.
  • Enables management decision-making.
  • Provides adequate control to protect organizational assets and data.

Processing Modes

  • Online input update: transfer money in real time.
  • Online input and batch update: paying credit cards through bank accounts.
  • Batch input and periodic update: writing and giving checks to people for later deposit.

Databases

  • Databases are collections of files used in related applications; they can be shared.
  • Require a database management system (DBMS).
  • DBMS advantages include reduced data redundancy, data independence, and improved data accessibility.
  • DBMS disadvantages include complexity in setup, high cost, and slower processing of high volumes of periodic transactions.

Computer Processing

  • Computer processing often eliminates random errors but may not eliminate systemic errors.

Incompatible Functions

  • Incompatible functions may not be segregated.
  • Inappropriate access could be an issue.
  • Increased management supervision is required.
  • Controls affect auditing of general purpose financial statements.

Causes of IT Issues

  • Lack of testing
  • Overload of access
  • Lack of bandwidth
  • Human error

Sources of Problems

  • Hardware implementation issues
  • Programming issues
  • Abuse and misuse

Audit Risk

  • Risk that audit opinion is wrong.
  • Inherent risk.
  • Risk of undesirable financial events occurring.
  • Management cannot influence inherent risk but can mitigate control risk.
  • Auditors can influence detection risk.
  • Control risk is the risk of controls not preventing or detecting undesirable events.
  • If control risk is high, substantive testing will be required.

IT Effect on Risk

  • IT supports new business models like e-commerce, increasing inherent risk due to external parties processing transactions.
  • Increase in control risk due to fewer people, reduced segregation of duties, and inability to keep up with technological advancements.
  • It can decrease control risk since computer usage reduces human mistakes.
  • Increase in detection risk due to more complex and integrated IT systems.
  • Increase in audit risk because of less competent IT systems and insufficient audit capabilities.

Input Risk

  • Incorrect input
  • Untimely input or incomplete input
  • Unauthorized transactions for another user
  • Loss of audit trail

Processing Risk

  • Incomplete processing
  • Inaccurate processing errors
  • Undocumented processes
  • Untimely processing

Output Risk

  • Incomplete output
  • Inaccurate output
  • Unauthorized access to reports
  • Untimely output (like late T4)
  • Stored data risk (unauthorized access and unavailability of data, data loss)

Other Risks

  • Virus
  • Hackers
  • Disasters/catastrophes
  • Computer crime
  • Sabotage

IT Governance and General Controls

  • IT strategy must align with business strategy, covering a 3-year period, and addressing infrastructure, software, information, and people.
  • Procedures are not part of IT governance; it addresses IP and I.
  • CIO is accountable for setting corporate policies and providing IT infrastructure.
  • Executives are responsible for approving IT expenditures and projects.
  • CIO reports to the CEO or COO, not the CFO.

General Controls

  • IT controls that apply to more than one system.
  • Should be implemented before application controls.
  • Not every system has the same risks, so application controls are necessary.

Types of General Controls

  • Organizational controls, such as segregation of duties.
  • IT governance controls, such as checks and balances for minimizing errors and ensuring efficiency.

Computer Operations Controls

  • Use operations systems to specify resource allocation, constraints, and types of allowed transactions.
  • Maintain file versions.
  • Distribute outputs/transactions.

Disaster Prevention and Recovery Plan

  • Purpose is to recover critical applications in case of system collapse.

Backup

  • Environmental controls
  • Preventative controls
  • Detective controls
  • Corrective controls

Plan availability

  • Hot site: available within a day, including hardware, software, and data; most expensive.
  • Warm site: has hardware but no software; typically available within a few days.
  • Cold site: has no hardware, software, or data; typically available within a week.
  • Plans should be tested, reviewed, and approved by management.
  • Tested annually.
  • Procedures and criteria for invoking plans.
  • Distanced from the production site.
  • Auditing disaster recovery planning:
  • Review backup procedures.
  • Obtain and review the recovery plan.

Review Backups

  • Review backup logs for correctness (currency and offsite storage).
  • Inspect site locations for weaknesses
  • Review previous recovery test results
  • Assess the adequacy of data center protection in terms of humidity, temperature, fire, and flood prevention.
  • Consult experts, as needed.

General Control Weaknesses

  • Assess weaknesses related to application impact.
  • Relate general control weaknesses to the impact on application controls.
  • Identify weak general controls that may still allow some application controls to be relied upon, such as access controls, organizational controls, and program change controls.
  • Corporate governance - organization objectives, processes, IT infrastructure, and alignment with business strategy.

System-Development Controls

  • Why test the System Development Life Cycle (SDLC)?
  • Reliability of computer systems is dependent on change management controlling system developments.
  • Insufficient or inappropriate controls lead to errors in programming logic and subsequently, errors in output.

Source Code

  • Source code written by the programmer.
  • Escrow agreement (protects provider and user), where a third party holds rights if vendor/developer goes out of business.
  • Object code is run by computers (off the shelf).

Customized vs. Off-the-Shelf Software

  • Customized software meets specific user needs, while off-the-shelf software is generic.
  • Customization is more expensive and has a greater chance of errors.

Web-Based Solutions (One Drive, Google Docs)

  • Provide backups and accessibility.
  • Easy to use for collaboration.

Security

  • Security risks related to Wi-Fi and internet connectivity, including potential hacker risks and data interception/tampering.

SDLC, Operational, Technical, and Financial Factors

  • Operational: how well the system can be executed.
  • Technical: available resources.
  • Financial: funds required (recurring costs and non-recurring costs).
  • Quantifiable (tangible) costs such as setting up a system.
  • Non-quantifiable (intangible) costs, such as employee satisfaction.

Unit Testing

  • Testing one component of the system, done by the developer.

Integration Testing

  • Independent tester tests multiple components through integration testing.

UAT

  • User acceptance testing (UAT) done at the end by the user to ensure the system works as intended.

Production Infrastructure Installation

  • Install production infrastructure.
  • Conversion and implementation: manual or automated methods of converting the system from older versions to new versions (e.g., parallel, direct, or phased).

Post-Implementation Review

  • Review what went wrong with the process
  • Ensure the new system is functioning as planned.

Checklist and Documentation

  • Segregation of duties for developers, testers, and computer operators.
  • Segregation of development, testing, and production environments (physically if possible).

Program Change Controls

  • Prioritization criteria
  • Authorization procedures
  • Documentation procedures
  • Testing procedures
  • Segregation of environments
  • Back-out procedures
  • End-user development controls

Application Development Controls

  • Application or mini-applications developed by users.
  • Policies for documentation, approval, testing, and system types.

Sample Size Guidelines

  • Automated controls;
  • Manual changes depend on annual frequency; intervals are not critical.

Fraud Triangle

  • Incentive: financial or emotional force
  • Opportunity: can execute without getting caught
  • Rationalization: personal justification

Fraud Triangle Causes

  • Greed, stress, or pressure (incentive).
  • Weak controls or loopholes in the system (opportunity).
  • Justification and rationalization of actions (rationalization).

E-business Infrastructure

  • Web servers and web masters
  • Firewalls
  • Internet service providers (ISPs)
  • Application servers
  • Database servers
  • Routers
  • Web hosting software
  • Website management systems
  • Network operating systems
  • Inherent risk from complexity and hacker risks.

Control Risk and Risk Implications

  • Increased risk due to external party controls and lack of audit trails.
  • Nonoccurrence of transactions
  • Incomplete processing
  • Inaccurate processing
  • Interception of transactions
  • Inefficiency.
  • E-business controls: Disaster recovery planning (DRP)

EDI - Electronic Data Interchange

  • EDI was in use before the internet.
  • EDI is now used for electronic transfer of information, such as batch purchase orders or invoices.
  • EDI issues relate to CAATOE (Completeness, Accuracy, Timeliness, Authorization, Occurrence, Efficiency).
  • Problems with EDI: Inaccurate or untimely data, Security issues, Network problems.

XBRL - Extensible Business Reporting Language

  • A standard format for exchanging business information, such as financial reports.
  • Allows for better exchange and comparison between companies due to standardization.
  • XBRL audit procedures make sure that users can rely on these documents for financial statements and that tagging is appropriate.
  • Audit procedures: review the controls, policies, and procedures for generating XBRL statements, and review how frequently statements are generated.

Application Controls

  • If programmers have access to the operational environment, they can make changes that go straight into production; this can cause system crashes.
  • Obtain all documentation required, and get system-generated lists of changes, samples, backups, and approvals.

Data Integrity

  • Integrity, availability, and confidentiality are the main objectives
  • Access controls involve user authentication procedures (Identification, Authentication, Authorization).
  • Logs and monitoring of user activities are vital for security purposes.

General Access Controls

  • Apply to numerous systems.
  • Can be a policy, standards, or system controls; crucial for external audits.
  • Includes physical security, education, privacy policies, and information security policies.

Password Security and Usage

  • Passwords should not be shared and should be changed frequently.
  • Passwords should be at least 8 characters and include special characters or a combination of character types.
  • Password cracking methods (random trials/dictionaries, brute force) should be analyzed.

Two-Factor Authentication

  • Compensates for password weakness, such as guessing and hacking, and uses something the user has and knows.

Biometrics

  • Use of fingerprints or other biometric verification methods; often seen as a substitute for signatures. However, there are privacy concerns related to this method of identification.

Application Access Controls

  • Applies to specific systems.
  • Can be procedural or automated.
  • Supports management controls.
  • Example: passwords.
  • Access control lists (ACLs) restrict functions, like payroll or employee access for specific tasks.
  • Uses encryption and procedures.
  • Monitoring mechanisms are in place to oversee system activities.
  • Supports segregation of duties.

Platform (Operating System) Security

  • Use of standard checklists.
  • Locking down workstations to prevent unauthorized software installation.
  • Vulnerability scanning.
  • Automated patching/fixing of vulnerabilities for security protection.
  • Server profiles are used to determine password length.
  • Firewall is essential to protect internal networks.

Virus Protection, VPN, and Intrusion Detection/Prevention

  • Internet email systems protect against viruses.
  • VPN securely accesses company systems for staff.
  • Intrusion detection systems identify and prevent questionable or unacceptable traffic patterns.
  • Prevention systems can be deployed to block threats.

Data Encryption

  • Uses math to scramble data.
  • Symmetric cryptography (one key for encryption and decryption.)
  • Asymmetric cryptography (two keys, one public, one private).
  • Digital signatures verify identities and content authenticity.
  • Public key infrastructure (PKI) manages certificates and digital signatures.

Digital Certificate

  • Establishes the identities of users and electronic assets.
  • Verifies transactions and security.
  • Certificate authorities (CAs) issue and maintain certificates.
  • Essential for online transactions to prevent fraud and security risks.
  • The key used to decrypt a digital signature recovers the signed hash, which is then compared with a hash recomputed over the document.
  • PKI (Public Key Infrastructure): A set of policies and procedures, servers to operate a public key environment.

Public Key Infrastructure (PKI)

  • Set of policies, procedures, and servers for public key environment operations.
  • Public key servers store public keys.
  • Servers authenticate users who activate their private keys.
  • A record of where keys are kept must be maintained.
  • Disposal of encryption keys is important.

Wireless Encryption

  • Uses 128-bit or 256-bit symmetric keys that change with each data packet.
  • Static 128-bit keys are used for authentication.

Web Application Security

  • Input validation checks each input's validity, length, and type.
  • Developers often implement both client-side and server-side input checks.
  • Reviews of security policies and procedures, including firewalls, intrusion detection systems, anti-virus software, and system configuration.

Test Access Controls

  • Reviews of policies to ensure proper access rights and procedures.
  • Review and testing of user profiles, access control lists, and system setups, including firewalls, intrusion detection systems, and antivirus software.
  • Reviewing configurations of security software and hardware.

Audit Trail

  • Date field format, e.g., DD/MM/YYYY (date control).
  • Other input controls (friendly screens, custom functionalities, exception reporting).
  • How to test input data.
  • Testing procedures for the quality of input data.
  • Observation / control walkthrough.
  • Review of system documentation.
  • Review of audit trails, processed data, and rejected data.
  • Reperformance, using checks to identify discrepancies or errors.

Processing Controls

  • Segregation of duties
  • Restricted access
  • File labels
  • Error/exception logs
  • Programmed balance checks
  • Manual cross-checks
  • Concurrent update controls.

Test of Controls

  • Using test data.
  • Reviewing system documentation.
  • Reviewing audit trails.
  • CAAT (Computer-Assisted Audit Techniques).

Reliance on Reports

  • Controls as part of the combined approach (manual follow-up).
  • Audit procedures to provide complete and accurate input.
  • Substantive analytical procedures via computer-generated reports.

Data Analytics

  • Descriptive analysis to understand past data.
  • Diagnostic analysis to determine causes and trends.
  • Predictive analysis to forecast future results.
  • Prescriptive analysis to determine optimal actions and strategies.
  • Data visualization techniques to present data effectively.

Data Preparation

  • Ensuring data format suitability.
  • Checking for missing, duplicate, and inconsistent data.
  • Data consistency with general ledger entries.

Risk Assessment

  • Analyze the general ledger for unusual transactions.
  • Create visualizations of ratio analyses.
  • Analyze changes to accounts receivables.
  • Perform trend analyses.

Substantive Testing

  • Non-statistical and statistical models to predict revenue.
  • Identifying and isolating unusual items.
  • Testing net realizable value of inventory.
  • Identifying payments after year-end related to cut-offs and other similar assurance concepts.

Planning for ADA

  • Access and prepare data.
  • Assess relevance and reliability.
  • Perform ADA (Audit Data Analytics).
  • Evaluate results effectively.

Objectives for Data Analytics

  • Segregation of duties.
  • Duplication of payments for invoices.
  • Phantom employees/vendors.
  • Documentation of compliance with relevant regulations.
  • Testing of account balances in financial statements.

CAAT (Computer-Assisted Audit Techniques)

  • General audit software (e.g., Excel, Power BI).
  • Embedded audit module (control functions).
  • Integrated Test Facility.

Special Reports and Other Assurance Engagements

  • Outsourcing: handing processes such as payroll to a third-party provider.
  • Outsourcing review: ensuring the provider's controls are effective enough to allow proper oversight.

Issues with Outsourcing Processes

  • Risk and accountability.
  • Increased risk when services are outsourced.
  • Difficulty replicating controls in-house for outsourced processes.

Control Assurance Report by Auditor

  • Reviewing audit opinion and coverage period of a report.
  • Review of control considerations (ensuring they meet objectives), exceptions, and their impact on management.

Payment Card Industry Data Security Standards (PCI DSS)

  • Developed by the PCI Security Standards Council, based on security standards and practices related to credit cards.

SOC Reports

  • Service organization reports help build trust for service providers by externally assessing their controls and procedures.
  • SOC 1 reports assess controls relevant to financial reporting.
  • SOC 2 reports focus on security, availability, processing integrity, and privacy; these are based on the AICPA trust services criteria.
  • SOC 3 reports are similar to SOC 2 but are accessible to the public.
  • CSAE 3416 provides further guidance applicable to SOC 2/3 reports (reliability of the report).
