M1 - SOC Engagement Categories and Types
10 Questions

Questions and Answers

What is the primary focus of a SOC1 report?

  • Internal control over financial reporting (correct)
  • Fairness of management's description of the service organization
  • Internal control over trust services
  • Trust services general use report

Which statement correctly describes a Type 2 SOC report?

  • It evaluates the effectiveness of controls over a specified period. (correct)
  • It only assesses the suitability of the design of controls at a specific date.
  • It includes a description of controls but no results from testing them.
  • It is restricted from potential users of the service organization.

Which of the following is NOT a trust service category?

  • Reliability (correct)
  • Security
  • Confidentiality
  • Processing Integrity

What addition distinguishes a Type 2 report from a Type 1 report?

  • A section describing tests of controls and results over time. (A) (correct)

Which trust service is the most commonly addressed in SOC reports?

  • Security (A) (correct)

Which aspect is NOT included in the VAACT criteria for system processing integrity?

  • Efficient (D) (correct)

Which of the following is NOT a component of the COSO Risk Assessment framework?

  • Audit trails (D) (correct)

What is the primary role of the COSO Control Environment component?

  • To ensure board oversight and independence (C) (correct)

Which of the following best describes an additional requirement for trust services related to risk mitigation?

  • Establishing logical and physical access controls (A) (correct)

In the context of trust services, which statement is true regarding confidentiality and processing integrity?

  • Additional criteria are required for both confidentiality and processing integrity. (B) (correct)

Study Notes

SOC Engagement Categories and Types

  • SOC1: Internal control over financial reporting, restricted from potential users of the service organization.
  • SOC2: Internal control over trust services, restricted from potential users of the service organization.
  • SOC3: Trust services general use report, describing the system and auditors' tests of controls and results.

Type 1 vs. Type 2 Reports

  • Type 1 Report: A report on the fairness of management's description of the service organization and the suitability of the design of controls as of a specific date.
  • Type 2 Report: A report on the fairness of management's description of the service organization and the suitability of design and effectiveness of controls throughout a specified period. Includes a section describing tests of controls and results.

Additional Type 2 Requirements

  • Additional section: Describes tests of controls and results, unlike Type 1.
  • Period of time: Evaluates controls over a specified period.

Trust Services

  • Key Principles: Confidentiality (C), Availability (A), Processing Integrity (PI), Privacy (P), Security (S).
    • C - Confidentiality: Information designated confidential is protected.
    • A - Availability: Information and systems are available for operation and use (e.g., recovery plan testing).
    • PI - Processing Integrity: Policies and procedures produce valid, accurate, authorized, complete, and timely system processing.
    • P - Privacy: Sensitive personal information is collected, used, retained, disclosed, and disposed of appropriately.
    • S - Security: Information and systems are protected against unauthorized access.

Most Commonly Addressed Trust Service

  • Security (S) is the most frequently addressed.

COSO - Control Environment

  • Components: Ethics and integrity (E), board independence and oversight (B), organizational structure (O), commitment to competence (C), accountability (A).

COSO - Risk Assessment

  • Components: Specific objectives (S), assess changes (A), fraud potential (F), analyze risks (R).

COSO - Information and Communication

  • Components: Obtain information (O), communicate internally (I), communicate externally (E).

COSO - Monitoring

  • Components: Specific and ongoing evaluations (SO), evaluate and communicate deficiencies (D).

COSO - Existing Control Activities

  • Components: Select and develop control activities (CA), technology controls (T), policies and procedures (P).

Additional Trust Service Requirements

  • Logical and physical access controls.
  • Systems operations.
  • Change management.
  • Risk mitigation.

Alignment of Trust Services to COSO
  • Security: The common criteria alone are sufficient.
  • Other Trust Services: Additional criteria (e.g., the C series, A series, PI series, and P series) are required.


Description

Test your knowledge on SOC engagement categories, focusing on SOC1, SOC2, and SOC3 reports. This quiz also covers the differences between Type 1 and Type 2 reports, including their specific requirements and time evaluations. Suitable for accounting and auditing students.
