M3 - Reporting on SOC Engagements
8 Questions

Questions and Answers

What must be included in a report when using the Carve Out Method?

  • Components of the subservice organization's system
  • Independence of the auditor
  • Nature of services performed (correct)
  • Trust services to be met by CSOC (correct)

What does a service auditor do when issuing a modified opinion?

  • Change the report to a Type 2 report
  • Include a summary of all controls
  • Add a separate paragraph explaining the modification (correct)
  • List all opinions previously made

Which of the following statements correctly describes the Inclusive Method?

  • It excludes CSOC details from the report.
  • It addresses significant and complex services provided by a subservice organization. (correct)
  • It is used when no reports are available for the subservice.
  • It allows the auditor to evaluate CUECs only.

Which element is NOT required in a report that utilizes the Inclusive Method?

  • Expected controls at the service organization

CUECs are necessary for what purpose?

  • To complement the controls of the service organization

What is indicated in a service auditor's report regarding the evaluation of CUECs?

  • CUECs were not evaluated for design suitability or operating effectiveness.

What indicates a change in a Qualified SOC 1 Opinion?

  • An addition of 'except for' in the opinion section

What is true regarding a Type 1 Report?

  • It contains an Other Matter Paragraph indicating procedures not performed.

Study Notes

SOC Engagements - Reporting on Complementary Controls

  • Complementary Subservice Organization Controls (CSOC) are controls implemented at a sub-service or vendor organization, necessary for achieving service organization control objectives.
  • Service auditors must ensure the services and controls are adequately described.
  • The Carve-Out method excludes CSOCs and is used if a Type 1 or 2 auditor's report exists for the sub-service. It includes: the nature of services performed, types of controls expected at the sub-service, how the service org monitors the sub-service, and trust services intended by CSOC.
  • The Inclusive method addresses services from a sub-service organization and is used for more complex services. The auditor must be independent from the sub-service. It includes: the nature of the services provided, and components of the sub-service organization's system.

Complementary User Entity Controls (CUECs)

  • CUECs are controls implemented by the user entity working with service organization controls.
  • Management must ensure system descriptions include CUECs.
  • Examples include security monitoring, managed service provider (MSP) environment changes, encrypted financial data, physical access controls, and authorization policies.
  • CUECs are identified in the SOC engagement's OPINION and SCOPE sections. A service auditor's report that does not evaluate CUECs' design suitability or operating effectiveness is qualified.

Modified Opinions

  • When giving a modified opinion, a service auditor adds a separate paragraph explaining the modifying matter.
  • A qualified opinion is issued when an explanation of matters is added to the SOC report. The OPINION section is amended to include the explanation.
  • For Type 1 reports, an "Other Matter Paragraph" states that operating effectiveness procedures were not performed and no opinion is expressed on operating effectiveness.

Qualified Opinions

  • Qualified SOC 1 opinions use the phrase "except for" in the Qualified Opinion Section.
  • Qualified SOC 2 opinions include "basis for qualified opinion" in the Service Auditor's Responsibilities and "except for" in the Qualified Opinion Section.

Adverse Opinions

  • Adverse SOC 1 opinions state "because," "does not fairly present," "not suitably designed," or "do not operate effectively" in the Adverse Opinion Section.
  • Adverse SOC 2 opinions include "basis for adverse opinion" and similar phrases as SOC 1 in the Service Auditor's Responsibilities and Adverse Opinion sections.

Disclaimer Opinions

  • Disclaimer opinions state "we were engaged to examine" and "we do not express an opinion."
