M3 - Reporting on SOC Engagements

Questions and Answers

What must be included in a report when using the Carve Out Method?

• Components of the subservice organization's system
• Independence of the auditor
• Nature of services performed (correct)
• Trust services to be met by CSOC (correct)

What does a service auditor do when issuing a modified opinion?

• Change the report to a Type 2 report
• Include a summary of all controls
• Add a separate paragraph explaining the modification (correct)
• List all opinions previously made

Which of the following statements correctly describes the Inclusive Method?

• It excludes CSOC details from the report.
• It addresses significant and complex services provided by a subservice organization. (correct)
• It is used when no reports are available for the subservice.
• It allows the auditor to evaluate CUECs only.

Which element is NOT required in a report that utilizes the Inclusive Method?

Expected controls at the service organization (B)

CUECs are necessary for what purpose?

To complement the controls of the service organization (B)

What is indicated in a service auditor's report regarding the evaluation of CUECs?

CUECs were not evaluated for design suitability or operating effectiveness. (D)

What indicates a change in a Qualified SOC 1 Opinion?

An addition of 'except for' in the opinion section (C)

What is true regarding a Type 1 Report?

It contains an Other Matter Paragraph indicating procedures not performed. (D)

Flashcards

Complementary Subservice Organization Controls (CSOC)

Controls implemented by a sub-service organization (vendor) to achieve the stated control objectives.

Carve-Out Method for CSOC

A method used when the auditor does not review the sub-service organization's controls. It's used if a separate audit report is available for the sub-service.

Inclusive Method for CSOC

A method used when the auditor examines the sub-service organization's controls directly. It's used for more significant and complex services.

Complementary User Entity Controls (CUEC)

Controls implemented by the user entity (client) to work together with the service organization's controls to maintain security and compliance.

Modified Opinion in SOC Report

The auditor's opinion in a SOC report that indicates the complementary user entity controls were not evaluated for design or operating effectiveness.

Explanation of Matters in SOC Report

A section in a SOC report that provides a qualified opinion. It's used to explain the specific issues that led to a modification in the opinion.

Other Matter Paragraph in Type 1 SOC Report

A paragraph in a Type 1 SOC report that states the auditor did not assess operating effectiveness due to the report's scope.

Change in Qualified SOC 1 Opinion

The change to the opinion section of a qualified SOC 1 Report, indicating the auditor's opinion is limited by the specific concerns.

Study Notes

SOC Engagements - Reporting on Complementary Controls

• Complementary Subservice Organization Controls (CSOC) are controls implemented at a sub-service or vendor organization, necessary for achieving service organization control objectives.
• Service auditors must ensure the services and controls are adequately described.
• The Carve-Out method excludes CSOCs and is used if a Type 1 or 2 auditor's report exists for the sub-service. It includes: the nature of services performed, types of controls expected at the sub-service, how the service org monitors the sub-service, and trust services intended by CSOC.
• The Inclusive method addresses services from a sub-service organization, is used for more complex services. The auditor must be independent from the sub-service. It includes: the nature of the services provided, and components of the sub-service organization's system.

Complementary User Entity Controls (CUECs)

• CUECs are controls implemented by the user entity working with service organization controls.
• Management must ensure system descriptions include CUECs.
• Examples include security monitoring, managed service provider (MSP) environment changes, encrypted financial data, physical access controls, and authorization policies.
• CUECs are identified in the SOC engagement's OPINION and SCOPE sections. A service auditor's report that does not evaluate CUECs' design suitability or operating effectiveness is qualified.

Modified Opinions

• When giving a modified opinion, a service auditor adds a separate paragraph explaining the modifying matter.
• A qualified opinion is issued when an explanation of matters is added to the SOC report. The OPINION section is amended to include the explanation.
• For Type 1 reports, an "Other Matter Paragraph" states that operating effectiveness procedures were not performed and no opinion is expressed on operating effectiveness.

Qualified Opinions

• Qualified SOC 1 opinions use the phrase "except for" in the Qualified Opinion Section.
• Qualified SOC 2 opinions include "basis for qualified opinion" in the Service Auditors Responsibilities and "except for" in the Qualified Opinion Section.

Adverse Opinions

• Adverse SOC 1 opinions state "because," "does not fairly present," "not suitably designed," or "do not operate effectively" in the Adverse Opinion Section.
• Adverse SOC 2 opinions include "basis for adverse opinion" and similar phrases as SOC 1 in the Service Auditors Responsibilities and Adverse Opinion sections.

Disclaimer Opinions

• Disclaimer opinions state "we were engaged to examine" and "we do not express an opinion."