SOC Engagements Overview PDF
Summary
This document provides an overview of System and Organizational Controls (SOC) engagements. It explains the need for SOC engagements, different types of SOC engagements (SOC 1, SOC 2, and SOC 3), and the types of services provided by service organizations. It also discusses the various types of SOC reports and their purposes, emphasizing the importance of internal control and potential use cases for financial advising companies.
Full Transcript
Overview of SOC Engagements: Part 1
© Becker Professional Education Corporation. All rights reserved.

Overview of SOC Engagements
What creates the need for a SOC engagement?
Organizations often engage in business relationships with other entities to outsource key services and business operations.
User Entity
o The organization utilizing the outsourced services.
Service Organization
o The outside organization providing services.

Overview of SOC Engagements
A service organization provides the user entity with the benefits of:
o Personnel
o Expertise
o Equipment
o Technology
to operate tasks and functions that the user entity wishes to outsource.

Overview of SOC Engagements
Examples of the types of services provided by service organizations:
Credit Card Processing Organizations
o Companies that process payments for merchants by offering an infrastructure that routes payment from customer banks or financial institutions to retailers.
Outsourced Payroll Processors
o Service organizations that provide payroll services to user entities.
Cloud Service Providers
o Third-party organizations offering a cloud-based platform, infrastructure, application, or storage services.

Overview of SOC Engagements
Examples of the types of services provided by service organizations:
Enterprise IT Outsourcing Services
o IT-managed service providers that manage, operate, and maintain user entities' IT data centers, infrastructure, and application systems.
Financial Technology (FinTech) Services
o Financial institutions that provide IT-based transaction processing services such as servicing loans, payment processing, and asset management.
Customer Support Services
o Organizations that provide customers of user entities online or telephonic customer support and service management.

Overview of SOC Engagements
Why do we need SOC engagements?
User entities and business partners (entities with which another commercial entity has some form of alliance, such as their external auditor) usually need information about the:
o design;
o operation; and
o effectiveness
of controls within the service organization's system.
To support risk assessment procedures, user entities may request a System and Organizational Controls (SOC) report from the service organization.
An independent CPA, referred to as the service auditor, performs a SOC examination in accordance with attestation standards issued by the American Institute of Certified Public Accountants (AICPA).

Types of SOC Engagements
SOC engagements assess the effectiveness of a service organization's controls. These engagements:
o result in the issuance of a SOC report; and
o promote reliance by third parties on service organizations.
There are three main types of SOC engagements:
o SOC 1®;
o SOC 2®; and
o SOC 3®.

Types of SOC Engagements
SOC 1® for Service Organizations: Internal Control over Financial Reporting (SOC 1® engagement)
The examination and reporting on controls at a service organization that are likely to be relevant to user entities' internal control over financial reporting.
SOC 1® reports are restricted to:
o management of the service organization;
o user entities of the service organization's system; and
o the independent auditors of such user entities.
They do not include potential users of the service organization.

Types of SOC Engagements
SOC 2® for Service Organizations: Trust Services Criteria (SOC 2® engagement)
The examination and reporting on:
o The security, availability, or processing integrity of a system.
o The confidentiality or privacy of the information processed by the system.
These are the AICPA's five trust services categories.

Types of SOC Engagements
SOC 2® for Service Organizations: Trust Services Criteria
SOC 2® reports are intended for use by those who have sufficient knowledge and understanding of:
o the service organization;
o the services it provides; and
o the system used to provide those services,
among other matters.
Management and the service auditor should agree on the intended users of the report (specified parties).

Types of SOC Engagements
SOC 2® for Service Organizations: Trust Services Criteria
The expected knowledge of specified parties ordinarily includes the following:
o The nature of the service provided by the service organization
o The service organization's system interactions with user entities, subservice organizations, and other parties
o Internal control and its limitations
o Complementary user entity controls
o Complementary subservice organization controls
o User entity responsibilities and their impact on effectively using the service organization's services
o The applicable trust services criteria
o The risks that may impact the service organization's service commitments and system requirements, and how controls address those risks

Types of SOC Engagements
SOC 3® for Service Organizations: Trust Services Criteria for General Use Report (SOC 3® engagement)
Similar to a SOC 2® engagement, the service auditor reports on whether controls within the system were effective to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria.
Different from a SOC 2® report, a SOC 3® report does not include:
o a description of the system (detailed controls within the system are not disclosed); or
o a description of the service auditor's tests of controls, and the results thereof.

Types of SOC Engagements
SOC 3® for Service Organizations: Trust Services Criteria for General Use Report
A SOC 3® report is ordinarily for general users who:
o need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy; but
o lack the knowledge and understanding required for a SOC 2® report.

Types of SOC Engagements
Other SOC Engagements
SOC for Cybersecurity Engagement
o Examine and report on a description of the entity's cybersecurity risk management program and the effectiveness of controls within that program.
SOC for Supply Chain Engagement
o Examine and report on an entity's controls over the security, availability, processing integrity, confidentiality, or privacy of a system used to produce, manufacture, or distribute products.

Overview of SOC Engagements: Part 2

Types of SOC Reports
At the completion of a SOC engagement, the practitioner issues a report showing the findings.
SOC reports differ depending on:
o the type of SOC engagement completed; and
o whether the report issued is a Type 1 or Type 2 report.

Types of SOC Reports
Type 1
A report on the:
o fairness of the presentation of management's description of the service organization's system; and
o suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Types of SOC Reports
Type 2
A report on the:
o fairness of the presentation of management's description of the service organization's system; and
o suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Types of SOC Reports
SOC 1® and SOC 2® reports can be issued as either Type 1 or Type 2 reports depending on the needs of the user.
A SOC 3® report is always issued as a Type 2 report.

Types of SOC Reports
Illustration: SOC 1® Use
Wyatt Co., a financial advising company, utilizes a third-party service provider named Database Inc. to process its sales contracts and store information about its clients. Wyatt Co.'s auditors want to ensure that the controls in place at Database Inc. are designed and operating effectively, because control deficiencies at Database Inc. would negatively affect Wyatt Co. and its clients.
Wyatt Co.'s auditors gain comfort by obtaining and reviewing the attestation to the fairness of the controls and their operation within the System and Organization Controls (SOC 1®) Type 2 report, because it gives them assurance that the controls have been in place over the last six months.

Contents of Type 1 and Type 2 SOC Reports
The main components of a SOC report are consistent for both:
o SOC 1®; and
o SOC 2® engagements.

Contents of Type 1 and Type 2 SOC Reports
A service auditor's Type 1 report is typically comprised of the following:
Management's description of the service organization's system.
A written assertion by management of the service organization about whether, as of a specified date, based on the criteria:
o Management's description of the system fairly presents the service organization's system that was designed and implemented.
o The controls related to the control objectives stated in management's description of the system were suitably designed to achieve those control objectives.
A report that expresses an opinion on the matters described above.

Contents of Type 1 and Type 2 SOC Reports
A service auditor's Type 2 report is comprised of the following:
Management's description of the service organization's system.
A written assertion by management of the service organization about whether, throughout a specified period, based on the criteria:
o Management's description of the system fairly presents the service organization's system that was designed and implemented.
o The controls related to the control objectives stated in management's description of the system were suitably designed and operated effectively to achieve those control objectives.
A report that expresses an opinion on the matters described above and includes a description of the tests of controls and the results.

Contents of Type 1 and Type 2 SOC Reports
Pass Key
Key Differences Between Type 1 and Type 2 SOC Reports
A Type 1 report covers the system design as of a given point in time, whereas a Type 2 report covers both the design and operating effectiveness over a period of time.

Summary of SOC Reports
Report Type: SOC 1®
o Subject Matter: Assesses controls relevant to financial reporting.
o Types: Type 1 or Type 2.
o Purpose: Provides information and a service auditor's opinion about controls at a service organization likely relevant to financial reporting. Enables the user auditor to perform risk assessment procedures. A Type 2 report can be used as audit evidence that controls at the service organization are operating effectively.
o Use of Report: Restricted to management of the service organization, user entities, and auditors.
Report Type: SOC 2®
o Subject Matter: Assesses controls relevant to security, availability, processing integrity, confidentiality, or privacy.
o Types: Type 1 or Type 2.
o Purpose: Provides information and a service auditor's opinion about controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
o Use of Report: Restricted to management and other specified parties.
Report Type: SOC 3®
o Subject Matter: Assesses controls relevant to security, availability, processing integrity, confidentiality, or privacy.
o Types: Type 2 only.
o Purpose: Provides a service auditor's opinion about controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
o Use of Report: Not restricted. Users are interested parties.

Trust Services Criteria

Applicability of the Trust Services Criteria to SOC 2® and SOC 3® Engagements
Due to the nature of a system of internal controls, entities face certain risks that threaten their ability to achieve their objectives. Due to these inherent risks, entities are responsible for:
o designing and implementing suitable controls to mitigate the risks.

Applicability of the Trust Services Criteria to SOC 2® and SOC 3® Engagements
The AICPA's Assurance Services Executive Committee (ASEC) has established trust services criteria that set forth the outcomes that an entity's controls should meet to achieve the entity's unique objectives.
This enables practitioners to evaluate and report on controls over the:
o security;
o availability;
o processing integrity;
o confidentiality; or
o privacy
of information and systems for SOC 2® and SOC 3® engagements.

Applicability of the Trust Services Criteria to SOC 2® and SOC 3® Engagements
The report can be based on any of the five trust services categories, either:
o individually; or
o in combination.
These categories include security, availability, processing integrity, confidentiality, and privacy.

Trust Services Categories
The five trust services categories can be remembered using the mnemonic "CAPPS":
C Confidentiality: Information designated as confidential is protected to meet the entity's objectives.
A Availability: Information and systems are available for operation and use to meet the entity's objectives.
P Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
P Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.
S Security: Information and systems are protected against unauthorized access; unauthorized disclosure of information; and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.

Application and Use of the Trust Services Criteria
The trust services criteria were designed to provide flexibility in:
o application; and
o use for a variety of different subject matters.
Application and Use of the Trust Services Criteria
The types of subject matter a practitioner may be engaged to report on using the trust services criteria include the following:
SOC for cybersecurity engagement
o The effectiveness of controls within an entity's cybersecurity risk management program to achieve the entity's cybersecurity objectives, using the trust services criteria relevant to:
  o security;
  o availability; and
  o confidentiality
  as control criteria.

Application and Use of the Trust Services Criteria
The types of subject matter a practitioner may be engaged to report on using the trust services criteria include the following:
SOC 2® engagement:
Type 1
o Same subject matter as a Type 2 SOC 2® engagement.
o However, a Type 1 SOC 2® report does not contain:
  o an opinion on the operating effectiveness of controls; nor
  o a detailed description of tests of controls performed by the service auditor and the results of those tests.
Type 2
o The suitability of design and operating effectiveness of controls included in management's description of a service organization's system relevant to one or more of the trust services criteria over security, availability, processing integrity, confidentiality, or privacy throughout a specified period to achieve the entity's objectives based on those criteria.
o A Type 2 report includes:
  o an opinion on the operating effectiveness of controls; and
  o a detailed description of tests of controls performed by the service auditor and the results of those tests.
Application and Use of the Trust Services Criteria
The types of subject matter a practitioner may be engaged to report on using the trust services criteria include the following:
SOC 3® engagement
o The design and operating effectiveness of a service organization's controls over a system relevant to one or more of the trust services criteria over security, availability, processing integrity, confidentiality, and privacy.
o A SOC 3® report:
  o contains an opinion on the operating effectiveness of controls; but
  o does not include a detailed description of tests of controls performed by the service auditor and the results of those tests.

Application and Use of the Trust Services Criteria
The types of subject matter a practitioner may be engaged to report on using the trust services criteria include the following:
The suitability of design and operating effectiveness of controls of an entity, other than a service organization, over one or more systems relevant to one or more of the trust services categories of security, availability, processing integrity, confidentiality, or privacy.
o For example: a SOC for supply chain engagement.
The suitability of the design of an entity's controls over security, availability, processing integrity, confidentiality, or privacy to achieve the entity's objectives based on the related trust services criteria.

The COSO Framework Overview and Alignment to the Trust Services Criteria: Part 1

Overview of the COSO Framework
The AICPA has aligned the trust services criteria with the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control–Integrated Framework (the COSO framework).
The COSO framework:
o is a widely accepted control framework utilized by entities to establish and implement an effective system of internal control; and
o includes five components that are supported by 17 principles.
The trust services criteria have been aligned to the 17 COSO principles, but include additional criteria.

Overview of the COSO Framework
Control Environment
The five COSO components (CRIME):
C Control environment
R Risk assessment
I Information and communication
M Monitoring
E Existing control activities
COSO principles 1 through 5:
o Relate to the control environment, which covers control from the perspective of the board and management through: integrity; ethics; the proper corporate structure; and establishing an environment that holds employees accountable.

Overview of the COSO Framework
Control Environment: Principles 1 through 5
1. The entity demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Overview of the COSO Framework
Risk Assessment
COSO principles 6 through 9:
o Relate to the risk assessment component of the COSO framework.
o Focus on: identifying risk; considering the potential for fraud; and understanding changes that could impact internal controls.
Overview of the COSO Framework
Risk Assessment: Principles 6 through 9
6. The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The entity considers the potential for fraud in assessing risks to the achievement of objectives.
9. The entity identifies and assesses changes that could significantly impact the system of internal control.

Overview of the COSO Framework
Control Activities
COSO principles 10 through 12:
o Relate to the control activities implemented and designed to ensure the proper application of policies and procedures that help ensure management directives and control objectives are met.

Overview of the COSO Framework
Control Activities: Principles 10 through 12
10. The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The entity also selects and develops general control activities over technology to support the achievement of objectives.
12. The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.

Overview of the COSO Framework
Control Activities: Principle 12
The trust services criteria expand on principle 12 by adding four common criteria referred to as the trust services supplemental criteria:
Logical and Physical Access Controls
o Relates to how an entity restricts, provides, and removes access and prevents unauthorized access.
System Operations
o Relates to how an entity detects and mitigates processing deviations, including logical and physical security deviations.

Overview of the COSO Framework
Control Activities: Principle 12
The trust services criteria expand on principle 12 by adding four common criteria referred to as the trust services supplemental criteria:
Change Management
o Relates to how an entity manages changes and prevents unauthorized changes from being made.
Risk Mitigation
o Relates to how an entity manages risk mitigation activities arising from potential business disruptions and the use of vendors and business partners.

Overview of the COSO Framework
Information and Communication
COSO principles 13 through 15:
o Focus on:
  o obtaining;
  o generating; and
  o controlling
  information and communication.

Overview of the COSO Framework
Information and Communication: Principles 13 through 15
13. The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The entity communicates with external parties regarding matters affecting the functioning of internal control.

Overview of the COSO Framework
Monitoring Activities
COSO principles 16 and 17:
o Relate to monitoring activities, which outline how an organization should:
  o conduct ongoing evaluations of control activities; and
  o communicate internal control deficiencies.

Overview of the COSO Framework
Monitoring Activities: Principles 16 and 17
16. The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The COSO Framework Overview and Alignment to the Trust Services Criteria: Part 2

Alignment of the Trust Services Criteria and the COSO Principles
Overview
Trust Services Category (CAPPS); Common Criteria; Additional Category-Specific Criteria
o Security: common criteria apply; no additional criteria (the common criteria are suitable on their own).
o Availability: common criteria apply; A series.
o Processing Integrity: common criteria apply; PI series.
o Confidentiality: common criteria apply; C series.
o Privacy: common criteria apply; P series.

Additional Criteria for Availability (A series)
The additional criteria for availability focus on an entity's ability to ensure all systems are continuously available as needed by:
o maintaining and monitoring processing capacity;
o identifying and responding to threats; and
o ensuring a recovery plan is in place and tested.

Additional Criteria for Availability (A series)
A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components:
o to manage capacity demand; and
o to enable the implementation of additional capacity to meet entity objectives.
Additional Criteria for Availability (A series)
A1.2: The entity ensures systems are available by:
o identifying environmental threats;
o designing detection measures;
o implementing protection mechanisms and alerts;
o responding to environmental threats;
o communicating threat events;
o performing data backup;
o ensuring there is off-site storage;
o implementing an alternate infrastructure; and
o considering data recoverability to meet entity objectives.

Additional Criteria for Availability (A series)
A1.3: The entity tests its recovery plan procedures to ensure system recovery meets entity objectives.

Additional Criteria for Processing Integrity (PI series)
The additional criteria for processing integrity include considerations related to creating, using, and communicating quality information so that objectives will be met regarding:
o product/service specifications;
o controls for completeness and accuracy;
o productivity; and
o system specifications.

Additional Criteria for Processing Integrity (PI series)
PI1.1: The entity obtains or generates, uses, and communicates relevant, quality information regarding processing objectives to support the use of products and services.
PI1.2: The entity implements policies and procedures over system inputs to result in products, services, and reporting that meet entity objectives.
PI1.3: The entity implements policies and procedures over system processing to result in products, services, and reporting that meet entity objectives.
PI1.4: The entity implements policies and procedures to make available or deliver output completely, accurately, and timely to meet entity objectives.
PI1.5: The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives.

Additional Criteria for Confidentiality (C series)
The additional criteria for confidentiality relate to ensuring confidential information is handled appropriately.
o C1.1: The entity identifies and maintains confidential information to meet the entity's confidentiality objectives.
o C1.2: The entity disposes of confidential information to meet the entity's confidentiality objectives.

Additional Criteria for Privacy (P series)
The additional criteria for privacy relate to:
o collecting personal data;
o obtaining consent when collecting and using that data;
o using data for specific purposes only;
o managing access to individuals' data responsibly;
o disclosing policies to third parties and individuals properly;
o maintaining complete and accurate records; and
o monitoring and enforcing practices in place.

Additional Criteria for Privacy (P series)
P1.0: Notice and Communication of Objectives Related to Privacy
P2.0: Choice and Consent
P3.0: Collection
P4.0: Use, Retention, and Disposal
P5.0: Access
P6.0: Disclosure and Notification
P7.0: Quality
P8.0: Monitoring and Enforcement

Forming the Opinion in a SOC Engagement

Forming the Opinion in a SOC Engagement
The service auditor should form an opinion about the subject matter of the engagement.
When forming the opinion, the service auditor should evaluate:
o the sufficiency and appropriateness of the evidence obtained; and
o whether uncorrected misstatements, individually or in the aggregate, are material.

Forming the Opinion in a SOC Engagement
In a SOC engagement, the service auditor forms an opinion about whether:
o the subject matter is in accordance with (or based on) the criteria, in all material respects; or
o the assertion is fairly stated in all material respects.
The opinion of the service auditor focuses on:
o Fair presentation of management's description of the service organization's system.
o The suitability of the design of the controls related to the control objectives stated in management's description.
o The effective operation of the controls stated in management's description (Type 2 only).

Forming the Opinion in a SOC Engagement
The overall objectives of a SOC 1® and SOC 2® engagement are consistent. The subject matter for which an opinion is being formed is different.
In a SOC 1® engagement, the service auditor forms an opinion regarding the controls at a service organization relevant to the user entities' internal control over financial reporting.
In a SOC 2® engagement, the service auditor forms an opinion regarding the controls at a service organization relevant to one or more of the five trust services criteria, which include:
o confidentiality;
o availability;
o processing integrity;
o privacy; and
o security.

Types of Opinions in a SOC Engagement: Part 1

Types of Opinions in a SOC Engagement
When a service auditor concludes a SOC 1® or SOC 2® engagement, the report will contain the service auditor's opinion pertaining to the controls examined.
The service auditor reaches his or her opinion by determining whether:
o The description of the controls is presented fairly by management.
o The controls are designed effectively.
o The controls operate as intended over a specified period of time (Type 2 only).

Types of Opinions in a SOC Engagement
The opinions of the service auditor in a SOC engagement depend on the facts and circumstances of the evidence gathered throughout the engagement and may include an:
o unmodified (unqualified) opinion;
o qualified opinion;
o adverse opinion; or
o disclaimer of opinion.

Unmodified (Unqualified) Opinion
An unmodified opinion is the service auditor's opinion that, in all material respects, based on the criteria described in management's assertion:
1. Management's description of the system fairly presents the system that was designed and implemented.
SOC 1®: Management's description of the service organization's system fairly presents the service organization's system that was designed and implemented as of a specified date (Type 1) or throughout the specified period (Type 2).
SOC 2®: Management's description of the service organization's system presents the service organization's system that was designed and implemented in accordance with the description criteria, as of a specified date (Type 1) or throughout the specified period (Type 2).

Unmodified (Unqualified) Opinion
An unmodified opinion is the service auditor's opinion that, in all material respects, based on the criteria described in management's assertion:
2. The controls stated in management's description of the system were suitably designed.
SOC 1®: The controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve the control objectives as of the specified date (Type 1) or throughout the specified period (Type 2).
SOC 2®: The controls stated in management's description were suitably designed to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria as of the specified date (Type 1) or throughout the specified period (Type 2).

Unmodified (Unqualified) Opinion
An unmodified opinion is the service auditor's opinion that, in all material respects, based on the criteria described in management's assertion:
3. The controls stated in management's description of the system operated effectively (Type 2 only).
SOC 1®: The controls related to the control objectives stated in management's description of the system operated effectively throughout the specified period to achieve the control objectives.
SOC 2®: The controls stated in management's description of the system operated effectively throughout the specified period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria.

Unmodified (Unqualified) Opinion
CUECs: If the application of complementary user entity controls is necessary to achieve the related control objectives stated in management's description of the service organization's system, a statement to that effect has been made.
CSOCs: If the application of complementary subservice organization controls is necessary to achieve the related control objectives stated in management's description of the service organization's system, a statement to that effect has been made.

Types of Opinions in a SOC Engagement: Part 2

Modifications to the Service Auditor's Opinion
The service auditor is required to modify the opinion when either of the following circumstances exists and, in the service auditor's professional judgment, the effect of the matter is or may be material:
o The service auditor is unable to obtain sufficient appropriate evidence to conclude that the subject matter is in accordance with (or based on) the criteria, in all material respects.
o The service auditor concludes, based on evidence obtained, that the subject matter is not in accordance with (or based on) the criteria, in all material respects.

Modifications to the Service Auditor's Opinion
The service auditor's opinion should be modified, and the service auditor's report should include a description of the matter or matters giving rise to the modification, if the service auditor concludes any of the following:
SOC 1® engagement:
o Management's description of the service organization's system is not fairly presented, in all material respects.
o The controls are not suitably designed to provide reasonable assurance that the control objectives stated in management's description of the service organization's system would be achieved if the controls operated effectively, in all material respects.
Modifications to the Service Auditor's Opinion
The service auditor's opinion should be modified, and the service auditor's report should include a description of the matter or matters giving rise to the modification, if the service auditor concludes any of the following:
SOC 1® engagement:
o The controls did not operate effectively throughout the specified period to achieve the related control objectives stated in management's description of the service organization's system, in all material respects (Type 2 only).
o The service auditor is unable to obtain sufficient and appropriate evidence.

Modifications to the Service Auditor's Opinion
The service auditor's opinion should be modified, and the service auditor's report should include a description of the matter or matters giving rise to the modification, if the service auditor concludes any of the following:
SOC 2® engagement:
o Management's description of the service organization's system does not present the system designed and implemented throughout the period in accordance with the description criteria, in all material respects.
o The controls are not suitably designed to provide reasonable assurance that the service organization's service commitments and system requirements would be achieved based on the applicable trust services criteria if the controls operated effectively, in all material respects.
Modifications to the Service Auditor's Opinion
The service auditor's opinion should be modified, and the service auditor's report should include a description of the matter or matters giving rise to the modification, if the service auditor concludes any of the following:
SOC 2® engagement:
o The controls did not operate effectively throughout the specified period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria, in all material respects (Type 2 only).
o The service auditor is unable to obtain sufficient and appropriate evidence.

Modifications to the Service Auditor's Opinion
The service auditor determines whether a qualified opinion, an adverse opinion, or a disclaimer of opinion is appropriate depending on the following:
o The nature of the matter giving rise to the modification (that is, whether the subject matter of the engagement is presented in accordance with (or based on) the criteria, in all material respects, or, in the case of an inability to obtain sufficient appropriate evidence, may be materially misstated).
o The service auditor's professional judgment about the pervasiveness of the effects, or possible effects, of the matter on the subject matter of the engagement.

Modifications to the Service Auditor's Opinion
There are three types of modified opinions:
Qualified Opinion: States that, except for the effects of the matter(s) giving rise to the modification, the description is presented in accordance with the description criteria and the controls were suitably designed and operating effectively (Type 2), in all material respects.
Adverse Opinion: States that the description misstatements, either individually or in the aggregate, are material and pervasive, or that deficiencies in the design or operation of controls are material and pervasive.
Disclaimer of Opinion: States that the auditor does not express an opinion.

Summary of Modified Opinions
The chart below summarizes the nature of matters giving rise to the service auditor's opinion modification. Which modified opinion results depends on the service auditor's professional judgment about the pervasiveness of the effects (or possible effects) on the opinion on the description, on the suitability of the design of controls, and on the operating effectiveness of controls.

Scope limitation
o Nature of matter (SOC 1®): An inability to obtain sufficient appropriate evidence.
o Nature of matter (SOC 2®): An inability to obtain sufficient appropriate evidence.
o Material but not pervasive: Qualified opinion.
o Material and pervasive: Disclaimer of opinion.

Material misstatements
o Nature of matter (SOC 1®): The description is materially misstated; OR the controls are not suitably designed to achieve one or more of the related control objectives stated in management's description of the service organization's system; OR the controls are not operating effectively to achieve one or more of the related control objectives stated in management's description of the service organization's system.
o Nature of matter (SOC 2®): The description is materially misstated; OR the controls are not suitably designed to provide reasonable assurance that one or more of the service organization's service commitments or system requirements were achieved based on the applicable trust services criteria; OR the controls are not operating effectively to provide reasonable assurance that one or more of the service organization's service commitments or system requirements were achieved based on the applicable trust services criteria.
o Material but not pervasive: Qualified opinion.
o Material and pervasive: Adverse opinion.

Contents of the Auditor's Report for a SOC Engagement: Part 1
The SOC report includes the following key components:
o Management's description of the system
o Management's assertion
o Independent service auditor's report
o Auditor's tests of controls and results of tests
SOC 1® Purpose and Common Sections of Management's System Description
A SOC 1® engagement is an examination to report on a service organization's controls relevant to user entities' internal control over financial reporting.
The service organization's management is responsible for documenting the description of the service organization's system.
The description must provide sufficient information:
o to allow a user auditor to understand how the service organization's processing affects the user entity's financial statements; and
o to assess the risk of material misstatement of the user entity's financial statements.
The form and extent of the description:
o are determined by management; and
o may depend on the size and complexity of the service organization.

SOC 1® Purpose and Common Sections of Management's System Description
Common sections of a system description subject to SOC 1® engagements include:
Types of services provided
o Defined scope of services provided and the classes of transactions processed.
Procedures performed
o Procedures, within both manual and automated systems, by which services are provided, including procedures to initiate, authorize, record, process, correct, and transfer transactions to reports and other information for user entities.
System functionality
o How the system captures and addresses significant events and conditions (other than transactions).
Subservice organizations
o Services performed by entities the service organization uses to provide services to the user entity, including whether the carve-out method or the inclusive method has been used, and any complementary subservice organization controls necessary to meet control objectives.
SOC 1® Purpose and Common Sections of Management's System Description
Common sections of a system description subject to SOC 1® engagements include:
Controls
o A description of the control objectives and the controls designed to achieve those objectives, including the frequency, timing, and person or parties responsible for performance, and the source of information to which the control is applied.
o Information on other aspects of the control environment, risk assessment process, information and communication, control activities, and monitoring activities that are relevant to the services provided.
Prepare reports
o Process to prepare reports and other information for user entities.
Deficiencies in information
o If applicable, information used in the performance of the procedures (including, if applicable, related accounting records and supporting information) to initiate, authorize, record, process, and report transactions.
o This includes the correction of incorrect information and how information is transferred to the reports and other information prepared for user entities.
Complementary user entity controls (CUECs)
o Controls that must be implemented by the user entity to meet control objectives.
Relevant details of changes to the service organization's system during the period covered by the description (Type 2 only).
SOC 1® Purpose and Common Sections of Management's System Description
Common sections of a system description subject to SOC 1® engagements include:
The description:
o does not omit or distort information relevant to the system; and
o is prepared to meet the common needs of a broad range of user entities and their auditors, and thus may not include every aspect that a user entity may consider important in its own particular environment.

Contents of the Auditor's Report for a SOC Engagement: Part 2

SOC 2® Purpose and Common Sections of Management's System Description
A SOC 2® engagement is an examination of:
o a service organization's description of its system;
o the suitability of the design of controls; and
o the operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality, and privacy (in a Type 2 engagement).

SOC 2® Purpose and Common Sections of Management's System Description
The service organization's management is responsible for presenting a description of the system to enable report users, such as user entities, business partners, or other relevant parties, to understand the system and the processing and flow of data throughout and from the system.
The description:
o is to be prepared in accordance with specific criteria; and
o describes the procedures and controls in place to manage risk.

SOC 2® Purpose and Common Sections of Management's System Description
Common sections of a system description subject to a SOC 2® engagement include:
Types of services provided
o Types of services provided by the service organization, including the services that are the focus of the engagement.
Principal service commitments and system requirements
o The commitments made to user entities and the system requirements needed to achieve those commitments.
o Service commitments: Declarations made by service organization management to user entities and others (such as user entities' customers) about the system used to provide the service.
o System requirements: Specifications regarding how the system should function:
  to meet the service organization's service commitments to user entities and others;
  to meet the service organization's commitments to vendors and business partners;
  to comply with relevant laws and regulations and guidelines of industry groups; and
  to achieve other objectives of the service organization that are relevant to the trust services category or categories addressed by the description.

SOC 2® Purpose and Common Sections of Management's System Description
Common sections of a system description subject to a SOC 2® engagement include:
Components of the system used to provide the services
o Infrastructure, software, people, procedures, and data.
Identified system incidents
o Incidents that were the result of controls that were not suitably designed or operating effectively, or that resulted in a significant failure in the achievement of one or more service commitments and system requirements.
o The nature, extent (or effect), and timing of the system incident and its disposition (based on management's judgment) that occurred as of the date of the description (Type 1) or during the period of time covered by the description (Type 2).
SOC 2® Purpose and Common Sections of Management's System Description
Common sections of a system description subject to a SOC 2® engagement include:
Applicable trust services criteria
o The trust services criteria being reported on, including the applicable controls in place to provide reasonable assurance that the service commitments and system requirements were achieved.
Complementary user entity controls (CUECs)
o The controls implemented by the user entity that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service commitments and system requirements would be achieved.
Subservice organizations
o A subservice organization used by the service organization whose controls are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service commitments and system requirements would be achieved.
o Inclusive method: The description covers the nature of the service provided, the controls (with clear differentiation between controls at the service organization and controls at the subservice organization), and the portions of the system attributable to the subservice organization along with the relevant aspects (e.g., infrastructure, software, people, procedures, data).
o Carve-out method: Management does not include a description of the controls that operate only or primarily at the subservice organization. However, the description should contain details regarding the nature of the service provided, the types of controls along with the applicable trust services criteria that are intended to be met by the complementary subservice organization controls (CSOCs), the subservice organization's responsibilities for implementing the CSOCs, and an indication that the related service commitments and system requirements can only be achieved if the CSOCs are suitably designed and operating effectively.
Irrelevant specific criteria
o Explanations for why specific trust services criteria are not relevant to the service organization's system.
Details of system and control changes during the period that are relevant to the service organization's service commitments and system requirements (Type 2 only).

Contents of the Auditor's Report for a SOC Engagement: Part 3

Management's Description of the Entity's Cybersecurity Risk Management Program
An entity's cybersecurity risk management program is a set of policies, processes, and controls designed to:
o protect information and systems from security events that could compromise the achievement of the entity's cybersecurity objectives; and
o detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.
Management's Description of the Entity's Cybersecurity Risk Management Program
The categories of description criteria include the following:
1. Nature of business and operations
2. Nature of information at risk
3. Cybersecurity risk management program objectives (cybersecurity objectives)
4. Factors that have a significant effect on inherent cybersecurity risks
5. Cybersecurity risk governance structure
6. Cybersecurity risk assessment process
7. Cybersecurity communications and the quality of cybersecurity information
8. Monitoring of the cybersecurity risk management program
9. Cybersecurity control processes

Management's Description of the Entity's Cybersecurity Risk Management Program
The cybersecurity risk management examination is predicated on the concept that management is responsible for:
o developing and presenting a description of the entity's cybersecurity risk management program;
o making an assertion about whether the description is presented in accordance with the description criteria; and
o making an assertion about the effectiveness of the controls within the program based on a set of control criteria.

Management's Assertions
In a SOC engagement, the service auditor is required to request a written assertion from management.
In a SOC 1® or SOC 2® engagement, management's assertion addresses whether:
Management's description of the system fairly presents the system that was designed and implemented.
SOC 1®: Management's description of the service organization's system fairly presents the service organization's system that was designed and implemented as of a specified date (Type 1) or throughout the specified period (Type 2).
SOC 2®: Management's description of the service organization's system presents the service organization's system that was designed and implemented in accordance with the description criteria, as of a specified date (Type 1) or throughout the specified period (Type 2).

Management's Assertions
In a SOC 1® or SOC 2® engagement, management's assertion addresses whether:
The controls stated in management's description of the system were suitably designed.
SOC 1®: The controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve the control objectives as of the specified date (Type 1) or throughout the specified period (Type 2).
SOC 2®: The controls stated in management's description were suitably designed to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria as of the specified date (Type 1) or throughout the specified period (Type 2).

Management's Assertions
In a SOC 1® or SOC 2® engagement, management's assertion addresses whether:
The controls stated in management's description of the system operated effectively (Type 2 only).
SOC 1®: The controls related to the control objectives stated in management's description of the system operated effectively throughout the specified period to achieve the control objectives.
SOC 2®: The controls stated in management's description of the system operated effectively throughout the specified period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria.
Management's Assertions
In a SOC 3® engagement, management's assertion addresses whether the controls within the system were effective throughout the specified period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria, including:
o a description of the boundaries of the system; and
o the service organization's principal service commitments and system requirements.

Management's Assertions
Management's assertions are included in the SOC report along with the description of the service organization's system in the service auditor's report.
If management refuses to provide a written assertion, the service auditor is required to withdraw from the engagement when withdrawal is possible under applicable laws and regulations.
If law or regulation does not allow the service auditor to withdraw, the service auditor should disclaim an opinion on:
o the description;
o the suitability of design of controls in a Type 1 engagement; and
o the operating effectiveness of controls in a Type 2 engagement.

Summary of Management Assertions by Engagement Type
Management's Assertions by SOC Engagement and Report Type

Type 1
o SOC 1®: Management's system description; and management's written assertion about whether the description fairly presents the system, AND the controls were suitably designed to achieve control objectives.
o SOC 2®: Management's system description; and management's written assertion about whether the description fairly presents the system, AND the controls related to the applicable trust services criteria were suitably designed to meet those criteria.
o SOC 3®: none.

Type 2
o SOC 1®: Management's system description; and management's written assertion about whether the description fairly presents the system that was designed and implemented throughout the specified period, AND the controls were suitably designed throughout the period to achieve control objectives, AND the controls operated effectively throughout the period to achieve control objectives.
o SOC 2®: Management's system description; and management's written assertion about whether the description fairly presents the system that was designed and implemented throughout the specified period, AND the controls were suitably designed throughout the period to achieve applicable trust services criteria, AND the controls operated effectively throughout the period to meet applicable trust services criteria.
o SOC 3®: Management's description of the service organization's system boundaries and a copy of its privacy notice if addressing the privacy principle; and management's written assertion concerning whether effective controls over the system related to applicable trust services criteria.

Contents of the Service Auditor's Report for a SOC 1® Engagement: Part 1

Contents of the SOC 1® Report
The SOC 1® report includes the following key components:
1. Management's Description of the System
2. Management's Assertion
3. Independent Service Auditor's Report
4. Auditor's Tests of Controls and Results of Tests

Contents of the SOC 1® Report
Management's Description of the System
Management's description of the system as of a specified date (Type 1) or throughout the specified period (Type 2).
Contents of the SOC 1® Report
Management's Assertion
Addresses whether, based on the criteria in management's assertion:
o Management's description of the service organization's system fairly presents the service organization's system that was designed and implemented as of a specified date (Type 1) or throughout the specified period (Type 2).
o The controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives as of the specified date (Type 1) or throughout the specified period (Type 2).
o The controls related to the control objectives stated in management's description of the service organization's system operated effectively to achieve those control objectives (Type 2 only).

Contents of the SOC 1® Report
Independent Service Auditor's Report
The service auditor's opinion about whether:
o Management's description of the service organization's system fairly presents the service organization's system that was designed and implemented as of a specified date (Type 1) or throughout the specified period (Type 2).
o The controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives as of the specified date (Type 1) or throughout the specified period (Type 2).
o The controls related to the control objectives stated in management's description of the service organization's system operated effectively to achieve those control objectives (Type 2 only).

Contents of the SOC 1® Report
Auditor's Tests of Controls and Results of Tests
Description of the service auditor's tests of controls and the results thereof (Type 2 only).
Contents of the Service Auditor's Report for a SOC 1® Engagement: Part 2

Elements of the Service Auditor's SOC 1® Report

The elements to be included in a service auditor's SOC 1® report (Independent Service Auditor's SOC 1® Report, SOC 1® Type 1) include:

Title
A title that includes the word independent.

Addressee
An appropriate addressee as required by the circumstances of the engagement.

Scope
- Identification of the following:
  o Management's description of the service organization's system, the function performed by the system, and the period to which the description relates.
  o The criteria against which the fairness of the presentation of the description and the suitability of the design and operating effectiveness (Type 2) of the controls to achieve the related control objectives stated in the description were evaluated.
  o Any information included in a document containing the service auditor's report that is not covered by the service auditor's report.
- Any services performed by a subservice organization and whether the carve-out method or the inclusive method was used in relation to them.
  o If the carve-out method was used, a statement that:
    - Management's description of the service organization's system excludes the control objectives and related controls of the relevant subservice organizations.
    - Certain control objectives specified by the service organization can be achieved only if complementary subservice organization controls assumed in the design of the service organization's controls are suitably designed and operating effectively.
    - The service auditor's procedures do not extend to such complementary subservice organization controls.
  o If the inclusive method was used, a statement that management's description of the service organization's system includes the subservice organization's specified control objectives and related controls, and that the service auditor's procedures included procedures related to the subservice organization.
- A statement that the controls and control objectives included in the description are those that management believes are likely to be relevant to user entities' internal control over financial reporting, and that the description does not include those aspects of the system that are not likely to be relevant to user entities' internal control over financial reporting.
  o If management's description of the service organization's system refers to the need for complementary user entity controls, a statement that the service auditor has not evaluated the suitability of the design or operating effectiveness of complementary user entity controls, and that the control objectives stated in the description can be achieved only if complementary user entity controls are suitably designed and operating effectively, along with the controls at the service organization.
Service Organization's Responsibilities
A reference to management's assertion and a statement that management is responsible for:
  o Preparing the description of the service organization's system and the assertion, including the completeness, accuracy, and method of presentation of the description and assertion.
  o Providing the services covered by the description of the service organization's system.
  o Specifying the control objectives and stating them in the description of the service organization's system.
  o Identifying the risks that threaten the achievement of the control objectives.
  o Selecting the criteria.
  o Designing, implementing, and documenting controls that are suitably designed and operating effectively to achieve the related control objectives stated in the description of the service organization's system.

Service Auditor's Responsibilities
- A statement that the service auditor is responsible for expressing an opinion on the fairness of the presentation of management's description of the service organization's system and on the suitability of the design and operating effectiveness (Type 2) of the controls to achieve the related control objectives stated in the description, based on the service auditor's examination.
- A statement that:
  o The examination was conducted in accordance with attestation standards established by the AICPA.
  o The standards require the service auditor to plan and perform the examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in management's assertion, management's description of the system is fairly presented and the controls are suitably designed and operating effectively (Type 2), as of the specified date (Type 1) or throughout the specified period (Type 2), to achieve the related control objectives.
  o The service auditor believes the evidence obtained is sufficient and appropriate to provide a reasonable basis for the service auditor's opinion.
- A statement that an examination of management's description of a service organization's system and the suitability of the design and operating effectiveness (Type 2) of the service organization's controls to achieve the related control objectives stated in the description involves:
  o Performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness (Type 2) of the controls to achieve the related control objectives stated in the description, based on the criteria in management's assertion.
  o Assessing the risks that management's description of the service organization's system is not fairly presented and that the controls were not