M1 - SOC Engagement Categories and Types

Questions and Answers

What is the primary focus of a SOC1 report?

  • Internal control over financial reporting (correct)
  • Fairness of management's description of the service organization
  • Internal control over trust services
  • Trust services general use report

Which statement correctly describes a Type 2 SOC report?

  • It evaluates the effectiveness of controls over a specified period. (correct)
  • It only assesses the suitability of the design of controls at a specific date.
  • It includes a description of controls but no results from testing them.
  • It is restricted from potential users of the service organization.

Which of the following is NOT a trust service category?

  • Reliability (correct)
  • Security
  • Confidentiality
  • Processing Integrity

What addition distinguishes a Type 2 report from a Type 1 report?

  • A section describing tests of controls and results over time. (A) (correct)

Which trust service is the most commonly addressed in SOC reports?

  • Security (A) (correct)

Which aspect is NOT included in the VAACT criteria for system processing integrity?

  • Efficient (D) (correct)

Which of the following is NOT a component of the COSO Risk Assessment framework?

  • Audit trails (D) (correct)

What is the primary role of the COSO Control Environment component?

  • To ensure board oversight and independence (C) (correct)

Which of the following best describes an additional requirement for trust services related to risk mitigation?

  • Establishing logical and physical access controls (A) (correct)

In the context of trust services, which statement is true regarding confidentiality and processing integrity?

  • Additional criteria are required for both confidentiality and processing integrity. (B) (correct)

Flashcards

Processing Integrity

Policies and procedures ensuring system inputs produce valid, accurate, authorized, complete, and timely products and services.

COSO - Control Environment (EBOCA)

The COSO framework principle that focuses on establishing an ethical culture, independent board oversight, a well-defined organizational structure, competency development, and accountability.

Trust Services Alignment with COSO

Trust services principles like security, confidentiality, availability, processing integrity, and privacy require additional criteria beyond the common criteria.

COSO - Risk Assessment (SAFR)

The COSO framework principle that involves identifying, analyzing, and managing risks. It includes evaluating specific objectives, assessing changes, understanding fraud potential, and analyzing risks.

COSO - Information and Communication (OIE)

The COSO principle that focuses on establishing effective communication channels and procedures for obtaining, sharing, and communicating information both internally and externally.

SOC 1 Report

A report describing internal controls over a service organization's financial reporting, restricted from potential users of the service.

SOC 2 Report

A report describing internal controls over a service organization's trust services, restricted from potential users.

SOC 3 Report

A publicly available report describing the system and service auditor's tests and results.

Type 1 Report

A SOC report that assesses whether controls are designed effectively at a specific point in time.

Type 2 Report

A SOC report that assesses whether controls are designed effectively and operating efficiently over a period of time.

Study Notes

SOC Engagement Categories and Types

  • SOC1: Internal control over financial reporting, restricted from potential users of the service organization.
  • SOC2: Internal control over trust services, restricted from potential users of the service organization.
  • SOC3: Trust services general use report, describing the system and auditors' tests of controls and results.

Type 1 vs. Type 2 Reports

  • Type 1 Report: A report on the fairness of management's description of the service organization and the suitability of the design of controls as of a specific date.
  • Type 2 Report: A report on the fairness of management's description of the service organization and the suitability of design and effectiveness of controls throughout a specified period. Includes a section describing tests of controls and results.

Additional Type 2 Requirements

  • Additional section: Describes tests of controls and results, unlike Type 1.
  • Period of time: Evaluates controls over a specified period.

Trust Services

  • Key Principles: Confidentiality (C), Availability (A), Processing Integrity (PI), Privacy (P), Security (S).
    • C - Confidentiality: Information designated as confidential is protected.
    • A - Availability: Info & systems available for operation and use (e.g., recovery plan testing).
    • PI - Processing Integrity: Policies & procedures producing valid, accurate, authorized, complete, and timely system processing.
    • P - Privacy: Sensitive personal information collected, used, retained, disclosed, and disposed of appropriately.
    • S - Security: Information and systems protected against unauthorized access.

Most Commonly Addressed Trust Service

  • Security (S) is frequently addressed.

COSO - Control Environment

  • Components: Ethics & integrity (E), board independence & oversight (B), organizational structure (O), commitment to competence (C), accountability (A).

COSO - Risk Assessment

  • Components: Specific objectives (S), assess changes (A), fraud potential (F), analyze risks (R).

COSO - Information and Communication

  • Components: Obtain information (O), communicate internally (I), communicate externally (E).

COSO - Monitoring

  • Components: Specific and ongoing evaluations (SO), evaluate and communicate deficiencies (D).

COSO - Existing Control Activities

  • Components: Select & develop control activities (CA), technology controls (T), policies & procedures (P).

Additional Trust Service Requirements

  • Logical & physical access controls.
  • Systems operations.
  • Change management.
  • Risk mitigation.

Alignment of Trust Services to COSO

  • Security: The common criteria alone are sufficient.
  • Other Trust Services: Additional criteria (e.g., C series, A series, PI series, P series) required.