S4 M1 Slides_merged.pdf

Full Transcript

Overview of SOC
Engagements: Part 1

© Becker Professional Education Corporation. All rights reserved.
 Overview of SOC Engagements

What creates the need for a SOC engagement?

Organizations often engage in business relationships with other
entities to outsource key services and business operations.
User Entity
o The organization utilizing the outsourced services.
Service Organization
o The outside organization providing services.

© Becker Professional Education Corporation. All rights reserved.
 Overview of SOC Engagements
A service organization provides the user entity with the benefits of:

Personnel Expertise Equipment Technology

To operate tasks and functions that the
user entity wishes to outsource

© Becker Professional Education Corporation. All rights reserved.
 Overview of SOC Engagements

Examples of the types of services provided by service organizations:

Credit Card Processing
Outsourced Payroll Processors Cloud Service Providers
Organizations
Service organizations that Third-party organizations offering Companies that process
provide payroll services to user a cloud-based platform, payments for merchants by
entities. infrastructure, application, or offering an infrastructure that
storage services. routes payment from customer
banks or financial institutions to
retailers.

© Becker Professional Education Corporation. All rights reserved.
 Overview of SOC Engagements

Examples of the types of services provided by service organizations:

Enterprise IT Outsourcing Financial Technology (FinTech) Customer Support
Services Services

IT-managed service providers Financial institutions that provide Organizations that provide
that manage, operate, and IT-based transaction processing customers of user entities online
maintain user entities’ IT data services such as servicing loans, or telephonic customer support
centers, infrastructure, and payment processing, and asset and service management.
application systems. management.

© Becker Professional Education Corporation. All rights reserved.
 Overview of SOC Engagements

Why do we need SOC engagements?

User entities and business partners, entities with which another commercial entity has some form
of alliance such as their external auditor, usually need information about the:
o design;
o operation; and
o effectiveness of controls within the service organization's system.
To support risk assessment procedures, user entities may request a System and Organizational
Controls (SOC) report from the service organization.
An independent CPA, referred to as the service auditor, performs a SOC examination in
accordance with attestation standards issued by the American Institute of Certified Public
Accountants (AICPA).

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Engagements
SOC engagements assess the effectiveness of a service organization's controls.
These engagements:
o result in the issuance of a SOC report; and
o promote reliance by third parties on service organizations.
There are three main types of SOC engagements including:
o SOC 1®;
o SOC 2®; and
o SOC 3®.

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Engagements
SOC 1® for Service Organizations: Internal Control over Financial
Reporting (SOC 1® engagement)
The examination and reporting on controls at a service organization
that are likely to be relevant to user entities' internal control over
financial reporting.
SOC 1® reports are restricted to:
o management of the service organization;
o user entities of the service organization's system; and
o the independent auditors of such user entities.
It does not include potential users of the service organization.

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Engagements
SOC 2® for Service Organizations: Trust Services Criteria (SOC 2® engagement)
The examination and reporting on:

The security, availability, or The confidentiality or privacy of the
processing integrity of a system. information processed by the system.

The AICPA’s five trust services categories.

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Engagements
SOC 2® for Service Organizations: Trust Services Criteria
SOC 2® reports are intended for use by those who have sufficient
knowledge and understanding of:
o the service organization;
o the services it provides; and
o the system used to provide those services, among other matters.
Management and the service auditor should agree on the intended
users of the report (specified parties).

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Engagements
SOC 2® for Service Organizations: Trust Services Criteria
The expected knowledge of specified parties ordinarily includes the following:
o The nature of the service provided by the service organization
o Service organization's system interactions with user entities, subservice organizations, and other
parties
o Internal control and its limitations
o Complementary user entity controls
o Complementary subservice organizational controls
o User entity responsibilities and their impact to effectively use the service organization's services
o The applicable trust services criteria
o The risks that may impact the service organization's service commitments and system requirements,
and how controls address those risks
© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Engagements
SOC 3® for Service Organizations: Trust Services Criteria for General Use Report (SOC
3® engagement)
Similar to a SOC 2® engagement, the service auditor reports on whether controls
within the system were effective to provide reasonable assurance that the service
organization's service commitments and system requirements were achieved based on
the applicable trust services criteria.
Different from a SOC 2® report, a SOC 3® report does not include:
o a description of the system (detailed controls within the system are not disclosed); or

o a description of the service auditor's tests of controls, and the results thereof.

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Engagements
SOC 3® for Service Organizations: Trust Services Criteria for General Use Report
A SOC 3® report is ordinarily for general users who:
o need assurance about the controls at a service organization relevant to security, availability,
processing integrity, confidentiality, or privacy; but

o lack the knowledge and understanding for a SOC 2® report.

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Engagements
Other SOC Engagements

SOC for Cybersecurity Engagement SOC for Supply Chain Engagement
Examine and report on a description of the Examine and report on an entity's controls
entity's cybersecurity risk management over the security, availability, processing
program and the effectiveness of controls integrity, confidentiality, or privacy of a
with that program. system used to produce, manufacture or
distribute products.

© Becker Professional Education Corporation. All rights reserved.
 Overview of SOC
Engagements: Part 2

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Reports
At the completion of a SOC engagement, the practitioner
issues a report showing the findings.
SOC reports differ depending on:
o the type of SOC engagement completed; and
o whether the report issued is a Type 1 or Type 2 report.

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Reports
Type 1
A report on the:
o fairness of the presentation of management's
description of the service organization's system; and
o suitability of the design of the controls to achieve the
related control objectives included in the description
as of a specified date.

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Reports
Type 2
A report on the:
o fairness of the presentation of management's description of
the service organization's system; and
o suitability of the design and operating effectiveness of the
controls to achieve the related control objectives included
in the description throughout a specified period.

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Reports
SOC 1® and SOC 2® reports can be issued as either Type 1
or Type 2 reports depending on the needs of the user.
A SOC 3® report is always issued as a Type 2 report.

© Becker Professional Education Corporation. All rights reserved.
 Types of SOC Reports

Illustration: SOC 1® Use

Wyatt Co., a financial advising company, utilizes a third-party service provider named Database Inc.
to process its sales contracts and store information about its clients. Wyatt Co.'s auditors want to
ensure that the controls in place at Database Inc. are designed and operating effectively because
control deficiencies at Database Inc. would negatively affect Wyatt Co. and its clients. Wyatt Co.'s
auditors gain comfort by obtaining and reviewing the attestation to fairness of the controls and their
operations within the System and Organization Controls (SOC 1®) Type 2 report because it gives
them assurance that this has been in place over the last six months.

© Becker Professional Education Corporation. All rights reserved.
 Contents of Type 1 and Type 2 SOC Reports
The main components of a SOC report are consistent for both:
SOC 1®; and
SOC 2® engagements.

© Becker Professional Education Corporation. All rights reserved.
 Contents of Type 1 and Type 2 SOC Reports
A service auditor's Type 1 report is typically comprised of the following:
Management's description of the service organization's system.
A written assertion by management of the service organization about
whether, as of a specified date, based on the criteria:
o Management's description of the system fairly presents the service
organization's system that was designed and implemented.
o The controls related to the control objectives stated in
management's description of the system were suitably designed to
achieve those control objectives.
A report that expresses an opinion on the matters described above.

© Becker Professional Education Corporation. All rights reserved.
 Contents of Type 1 and Type 2 SOC Reports
A service auditor's Type 2 report is comprised of the following:
Management's description of the service organization's system.
A written assertion by management of the service organization about
whether, throughout a specified period, based on the criteria:
o Management's description of the system fairly presents the service
organization's system that was designed and implemented.
o The controls related to the control objectives stated in
management's description of the system were suitably designed
and operated effectively to achieve those control objectives.
A report that expresses an opinion on the matters described above
and includes a description of the tests of controls and the results.

© Becker Professional Education Corporation. All rights reserved.
 Contents of Type 1 and Type 2 SOC Reports

Pass Key
Key Differences Between Type 1 and Type 2 SOC Reports
A Type 1 report covers the system design as of a given point in time, whereas a
Type 2 report covers both the design and operating effectiveness over a period
of time.

© Becker Professional Education Corporation. All rights reserved.
 Summary of SOC Reports
Report
Subject Matter Types Purpose Use of Report
Type
SOC 1® Assesses controls Type 1 Provides information and a service auditor's opinion Restricted to
relevant to financial about controls at a service organization likely relevant management of the
reporting. Type 2 to financial reporting. Enables the user auditor to service organization,
perform risk assessment procedures. user entities, and
auditors.
Use of a Type 2 report as audit evidence that controls
at the service organization are operating effectively.
SOC 2® Assesses controls Type 1 Provides information and a service auditor's opinion Restricted to
relevant to security, about controls at a service organization relevant to management and other
availability, processing Type 2 security, availability, processing integrity, specified parties.
integrity, confidentiality, confidentiality, or privacy.
or privacy.
SOC 3® Assesses controls Type 2 Provides a service auditor's opinion about controls at Not restricted. Users are
relevant to security, only a service organization relevant to security, availability, interest parties.
availability, processing processing integrity, confidentiality,
integrity, confidentiality, or privacy.
or privacy.

© Becker Professional Education Corporation. All rights reserved.
 Trust Services Criteria

© Becker Professional Education Corporation. All rights reserved.
 Applicability of the Trust Services Criteria to SOC 2 ®

and SOC 3® Engagements
Due to the nature of a system of internal controls, entities face certain
risks that threaten their ability to achieve their objectives.
Due to these inherent risks, entities are responsible for:
o designing and implementing suitable controls to mitigate the risks.

© Becker Professional Education Corporation. All rights reserved.
 Applicability of the Trust Services Criteria to SOC 2 ®

and SOC 3® Engagements
The AlCPA's Assurance Services Executive Committee (ASEC) has
established trust services criteria that set forth the outcomes that an
entity's controls should meet to achieve the entity's unique objectives.
This enables practitioners to evaluate and report on controls over the:
o security;
o availability;
o processing integrity;
o confidentiality; or
o privacy of information and systems for SOC 2® and SOC 3® engagements.

© Becker Professional Education Corporation. All rights reserved.
 Applicability of the Trust Services Criteria to SOC 2 ®

and SOC 3® Engagements
The report can be based on any of the five trust services categories, either:
o individually; or
o in combination.
These categories include security, availability, processing integrity,
confidentiality, and privacy.

© Becker Professional Education Corporation. All rights reserved.
 Trust Services Categories
The five trust services categories can be remembered using the mnemonic "CAPPS:"

C Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

A Availability: Information and systems are available for operation and used to meet the entity's objectives.

P Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet
the entity's objectives.

P Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the
entity's objectives.

S Security: Information and systems are protected against unauthorized access; unauthorized disclosure
of information; and damage to systems that could compromise the availability, integrity, confidentiality,
and privacy of information or systems and affect the entity's ability to meet its objectives.

© Becker Professional Education Corporation. All rights reserved.
 Application and Use of the Trust Services Criteria
The trust services criteria were designed to provide flexibility in:
application; and
use for a variety of different subject matters.

© Becker Professional Education Corporation. All rights reserved.
 Application and Use of the Trust Services Criteria
The types of subject matter a practitioner may be engaged to report on using the trust services criteria
include the following:
SOC for cybersecurity engagement
o The effectiveness of controls within an entity's cybersecurity risk management program to achieve
the entity's cybersecurity objectives using the trust services criteria relevant to:
o security;
o availability; and
o confidentiality as control criteria.

© Becker Professional Education Corporation. All rights reserved.
 Application and Use of the Trust Services Criteria
The types of subject matter a practitioner may be engaged to report on using the trust services criteria include the following:

SOC 2® engagement:

Type 1 Type 2

Same subject matter as a Type 2 The suitability of design and operating effectiveness
SOC 2® engagement. of controls included in management's description of
a service organization's system relevant to one or
However, a Type 1 SOC 2® report does not contain: more of the trust services criteria over security,
o an opinion on the operating effectiveness of availability, processing integrity, confidentiality, or
controls; nor privacy throughout a specified period to achieve the
entity's objectives based on those criteria.
o a detailed description of tests of controls
performed by the service auditor and the results A Type 2 report includes:
of those tests. o an opinion on the operating effectiveness of
controls; and

o a detailed description of tests of controls
performed by the service auditor and the results
of those tests.

© Becker Professional Education Corporation. All rights reserved.
 Application and Use of the Trust Services Criteria
The types of subject matter a practitioner may be engaged to report on using the trust services criteria
include the following:
SOC 3® engagement
o The design and operating effectiveness of a service organization's controls over a system relevant
to one or more of the trust services criteria over security, availability, processing integrity,
confidentiality, and privacy.
A SOC 3® report:
o contains an opinion on the operating effectiveness of controls; but
o does not include a detailed description of tests of controls performed by the service auditor and the
results of those tests.

© Becker Professional Education Corporation. All rights reserved.
 Application and Use of the Trust Services Criteria
The types of subject matter a practitioner may be engaged to report on using the trust services criteria
include the following:
The suitability of design and operating effectiveness of controls of an entity, other than a service
organization, over one or more systems relevant to one or more of the trust services categories of
security, availability, processing integrity, confidentiality, or privacy.
o For example: a SOC for supply chain engagement
The suitability of the design of an entity's controls over security, availability, processing integrity,
confidentiality, or privacy to achieve the entity's objectives based on the related trust services criteria.

© Becker Professional Education Corporation. All rights reserved.
 The COSO Framework
Overview and Alignment
to the Trust Services
Criteria: Part 1

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
The AICPA has aligned the trust services criteria with the COSO (Committee of Sponsoring Organizations
of the Treadway Commission) Internal Control–Integrated Framework (the COSO framework).
The COSO framework is:
o a widely accepted control framework utilized by entities to establish and implement an effective
system of internal control; and
o includes five components that are supported by 17 principles.
The trust services criteria have been aligned to the 17 COSO principles, but include additional criteria.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Control Environment
C Control environment
COSO principles 1 through 5:
o Relate to the control environment, which cover R Risk assessment
control from the perspective of the board and
management through: I Information and communication
integrity;
M Monitoring
ethics;
the proper corporate structure; and E Existing control activities
establishing an environment that holds
employees accountable.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Control Environment: Principles 1 through 5
1. The entity demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management
and exercises oversight of the development and performance of
internal control.
3. Management establishes, with board oversight, structures, reporting
lines, and appropriate authorities and responsibilities in the pursuit
of objectives.
4. The entity demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.
5. The entity holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Risk Assessment
COSO principles 6 through 9:
o Relate to the risk assessment component of the COSO framework.
o Focus on:
identifying risk;
considering the potential for fraud; and
understanding changes that could impact internal controls.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Risk Assessment: Principles 6 through 9
6. The entity specifies objectives with sufficient clarity to enable
the identification and assessment of risks relating to objectives.
7. The entity identifies risks to the achievement of its objectives
across the entity and analyzes risks as a basis for determining
how the risks should be managed.
8. The entity considers the potential for fraud in assessing risks to
the achievement of objectives.
9. The entity identifies and assesses changes that could
significantly impact the system of internal control.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Control Activities
COSO principles 10 through 12:
o Relate to the control activities implemented and designed to ensure the proper application of
policies and procedures that help ensure management directives and control objectives are met.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Control Activities: Principles 10 through 12
10. The entity selects and develops control activities that
contribute to the mitigation of risks to the achievement of
objectives to acceptable levels.
11. The entity also selects and develops general control activities
over technology to support the achievement of objectives.
12. The entity deploys control activities through policies that
establish what is expected and procedures that put policies
into action.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Control Activities: Principle 12
The trust services criteria expand on principle 12 by adding four common criteria referred to as the trust
services supplemental criteria:
Logical and Physical Access Controls
o Relates to how an entity restricts, provides, and removes access and prevents unauthorized access.
System Operations
o Relates to how an entity detects and mitigates processing deviations, including logical and physical
security deviations.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Control Activities: Principle 12
The trust services criteria expand on principle 12 by adding four common criteria referred to as the trust
services supplemental criteria:
Change Management
o Relates to how an entity manages changes and prevents unauthorized changes from being made.
Risk Mitigation
o Relates to how an entity manages risk mitigation activities arising from potential business
disruptions and the use of vendors and business partners.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Information and Communication
COSO principles 13 through 15:
o Focus on:
o obtaining;
o generating; and
o controlling information and communication.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Information and Communication: Principles 13 through 15
13. The entity obtains or generates and uses relevant, quality information
to support the functioning of internal control.
14. The entity internally communicates information, including objectives
and responsibilities for internal control, necessary to support the
functioning of internal control.
15. The entity communicates with external parties regarding matters
affecting the functioning of internal control.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Monitoring Activities
COSO principles 16 and 17:
o Relate to monitoring activities, which outline how an organization should:
o conduct ongoing evaluations of control activities; and
o communicate internal control deficiencies.

© Becker Professional Education Corporation. All rights reserved.
 Overview of the COSO Framework
Monitoring Activities: Principles 16 through 17
16. The entity selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components
of internal control are present and functioning.
17. The entity evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible
for taking corrective action, including senior management
and the board of directors, as appropriate.

© Becker Professional Education Corporation. All rights reserved.
 The COSO Framework
Overview and Alignment to
the Trust Services Criteria:
Part 2

© Becker Professional Education Corporation. All rights reserved.
 Alignment of the Trust Services Criteria and the
COSO Principles
Overview

Trust Services Category
Common Criteria Additional Category-Specific Criteria
(CAPPS)
N/A, common criteria is suitable
Security ✓
with no additional criteria
Availability ✓ A series

Processing Integrity ✓ PI series

Confidentiality ✓ C series

Privacy ✓ P series

© Becker Professional Education Corporation. All rights reserved.
 Additional Criteria for Availability (A series)
The additional criteria for availability focus on an entity's
ability to ensure all systems are continuously available as
needed by:
o maintaining and monitoring processing capacity;
o identifying and responding to threats; and
o ensuring a recovery plan is in place and tested.

© Becker Professional Education Corporation. All rights reserved.
 Additional Criteria for Availability (A series)
A1.1: The entity maintains, monitors, and evaluates current
processing capacity and use of system components:
o to manage capacity demand; and
o to enable the implementation of additional capacity to
meet entity objectives.

© Becker Professional Education Corporation. All rights reserved.
 Additional Criteria for Availability (A series)
A1.2: The entity ensures systems are available by:
o identifying environmental threats;
o designing detection measures;
o implementing protection mechanisms and alerts;
o responding to environmental threats;
o communicating threat events;
o performing data backup;
o ensuring there is off-site storage;
o implementing an alternate infrastructure; and
o considering data recoverability to meet entity objectives.

© Becker Professional Education Corporation. All rights reserved.
 Additional Criteria for Availability (A series)
A1.3: The entity tests its recovery plan procedures to
ensure system recovery meets entity objectives.

© Becker Professional Education Corporation. All rights reserved.
 Additional Criteria for Processing Integrity (PI series)
The additional criteria for processing integrity include considerations related to creating, using, and
communicating quality information so that objectives will be met regarding:
o product/service specifications;
o controls for completeness and accuracy;
o productivity; and
o system specifications.

© Becker Professional Education Corporation. All rights reserved.
 Additional Criteria for Processing Integrity (PI series)
PI1.1: The entity obtains or generates, uses, and communicates relevant, quality information regarding
processing objectives to support the use of products and services.
PI1.2: The entity implements policies and procedures over system inputs to result in products, services,
and reporting that meet entity objectives.
PI1.3: The entity implements policies and procedures over system processing to result in products,
services, and reporting that meet entity objectives.
PI1.4: The entity implements policies and procedures to make available or deliver output completely,
accurately, and timely that meet entity objectives.
PI1.5: The entity implements policies and procedures to store inputs, items in processing, and outputs
completely, accurately, and timely in accordance with system specifications to meet the entity's objectives

© Becker Professional Education Corporation. All rights reserved.
 Additional Criteria for Confidentiality (C series)
The additional criteria for confidentiality relate to ensuring
confidential information is handled appropriately.
o C1.1: The entity identifies and maintains confidential
information to meet the entity's confidentiality objectives.
o C1.2: The entity disposes of confidential information to
meet the entity's confidentiality objectives.

© Becker Professional Education Corporation. All rights reserved.
 Additional Criteria for Privacy (P series)
The additional criteria for privacy relate to:
o collecting personal data;
o obtaining consent when collecting and using that data;
o using data for specific purposes only;
o managing access to individuals' data responsibly;
o disclosing policies to third parties and individuals properly;
o maintaining complete and accurate records; and
o monitoring and enforcing practices in place.

© Becker Professional Education Corporation. All rights reserved.
 Additional Criteria for Privacy (P series)
P1.0: Notice and Communication of Objectives Related to Privacy
P2.0: Choice and Consent
P3.0: Collection
P4.0: Use, Retention, and Disposal
P5.0: Access
P6.0: Disclosure and Notification
P7.0: Quality
P8.0: Monitoring and Enforcement

© Becker Professional Education Corporation. All rights reserved.
 Forming the Opinion in a
SOC Engagement

© Becker Professional Education Corporation. All rights reserved.
 Forming the Opinion in a SOC Engagement
The service auditor should form an opinion about the subject
matter of the engagement.
When forming the opinion, the service auditor should evaluate:
o the sufficiency and appropriateness of the evidence
obtained; and
o whether uncorrected misstatements, individually or in the
aggregate, are material.

© Becker Professional Education Corporation. All rights reserved.
 Forming the Opinion in a SOC Engagement
In a SOC engagement, the service auditor forms an opinion
about whether:
o the subject matter is in accordance with (or based on) the
criteria, in all material respects; or
o the assertion is fairly stated in all material respects.
The opinion of the service auditor focuses on:
o Fair presentation of management's description of the service
organization's system.
o The suitability of the design of the controls related to the control objectives stated in
management's description.
o The effective operation of the controls stated in management's description (Type 2 only).

© Becker Professional Education Corporation. All rights reserved.
 Forming the Opinion in a SOC Engagement
The overall objectives of a SOC 1® and SOC 2® engagement are consistent.
The subject matter for which an opinion is being formed is different.
In a SOC 1® engagement, the service auditor forms an opinion regarding the controls at a
service organization relevant to the user entities' internal control over financial reporting.
In a SOC 2® engagement, the service auditor forms an opinion regarding the controls at a
service organization relevant to one or more of the five trust services criteria, which include:
o confidentiality;
o availability;
o processing integrity;
o privacy; and
o security.

© Becker Professional Education Corporation. All rights reserved.
 Types of Opinions in a SOC
Engagement: Part 1

© Becker Professional Education Corporation. All rights reserved.
 Types of Opinions in a SOC Engagement
When a service auditor concludes a SOC 1® or SOC 2®
engagement, the report will contain the service auditor's
opinion pertaining to the controls examined.
The service auditor reaches his or her opinion by
determining whether:
o The description of the controls is presented fairly by
management.
o The controls are designed effectively.
o The controls operate as intended over a specified period
of time (Type 2 only).

© Becker Professional Education Corporation. All rights reserved.
 Types of Opinions in a SOC Engagement
The opinions of the service auditor in a SOC engagement
depend on the facts and circumstances of the evidence
gathered throughout the engagement and may include an:
unmodified (unqualified) opinion;
qualified opinion;
adverse opinion; or
disclaimer of an opinion.

© Becker Professional Education Corporation. All rights reserved.
 Unmodified (Unqualified) Opinion
An unmodified opinion is the service auditor's opinion that, in all material respects, based on the criteria
described in management's assertion:
1. Management's description of the system fairly presents the system that was designed and implemented.
SOC 1®: Management's description of the service organization's system fairly presents the service
organization's system that was designed and implemented as of a specified date (Type 1) or throughout
the specified period (Type 2).
SOC 2®: Management's description of the service organization's system presents the service
organization's system that was designed and implemented in accordance with the description criteria,
as of a specified date (Type 1) or throughout the specified period (Type 2).

© Becker Professional Education Corporation. All rights reserved.
 Unmodified (Unqualified) Opinion
An unmodified opinion is the service auditor's opinion that, in all material respects, based on the criteria
described in management's assertion:
2. The controls stated in management's description of the system were suitably designed.
SOC 1®: The controls related to the control objectives statement in management's description of the
service organization's system were suitably designed to achieve the control objectives as of the
specified date (Type 1) or throughout the specified period (Type 2).
SOC 2®: The controls stated in management's description were suitably designed to provide reasonable
assurance that the service organization's service commitments and system requirements were
achieved based on the applicable trust services criteria as of the specified date (Type 1) or throughout
the specified period (Type 2).

© Becker Professional Education Corporation. All rights reserved.
 Unmodified (Unqualified) Opinion
An unmodified opinion is the service auditor's opinion that, in all material respects, based on the criteria
described in management's assertion:

3. The controls stated in management's description of the system operated effectively (Type 2 only).

SOC 1®: The controls related to the control objectives stated in management's description of the system
operated effectively throughout the specified period to achieve the control objectives.

SOC 2®: The controls stated in management's description of the system operated effectively throughout
the specified period to provide reasonable assurance that the service organization's service
commitments and system requirements were achieved based on the applicable trust services criteria.

© Becker Professional Education Corporation. All rights reserved.
 Unmodified (Unqualified) Opinion
CUECs
If the application of complementary user entity controls is necessary
to achieve the related control objectives stated in management's
description of the service organization's system, a statement to that
effect has been made. CSOCs
If the application of complementary subservice organization controls
is necessary to achieve the related control objectives stated in
management's description of the service organization's system, a
statement to that effect has been made.

© Becker Professional Education Corporation. All rights reserved.
 Types of Opinions in a
SOC Engagement: Part 2

© Becker Professional Education Corporation. All rights reserved.
 Modifications to the Service Auditor's Opinion
The service auditor is required to modify the opinion when either
of the following circumstances exist and, in the service auditor's
professional judgment, the effect of the matter is or may
be material:
The service auditor is unable to obtain sufficient appropriate
evidence to conclude that the subject matter is in accordance
with (or based on) the criteria, in all material respects.
The service auditor concludes, based on evidence obtained,
that the subject matter is not in accordance with (or based on)
the criteria, in all material respects.

© Becker Professional Education Corporation. All rights reserved.
 Modifications to the Service Auditor's Opinion
The service auditor's opinion should be modified, and the service
auditor's report should include a description of the matter or
matters giving rise to the modification, if the service auditor
concludes any of the following:
SOC 1® engagement:
o Management's description of the service organization's system
is not fairly presented, in all material respects.
o The controls are not suitably designed to provide reasonable
assurance that the control objectives stated in management's
description of the service organization's system would be achieved
if the controls operated effectively, in all material respects.

© Becker Professional Education Corporation. All rights reserved.
 Modifications to the Service Auditor's Opinion
The service auditor's opinion should be modified, and the service
auditor's report should include a description of the matter or
matters giving rise to the modification, if the service auditor
concludes any of the following:
SOC 1® engagement:
o The controls did not operate effectively throughout the
specified period to achieve the related control objectives stated
in management's description of the service organization's system,
in all material respects (Type 2 only).
o The service auditor is unable to obtain sufficient and appropriate evidence.

© Becker Professional Education Corporation. All rights reserved.
 Modifications to the Service Auditor's Opinion
The service auditor's opinion should be modified, and the service
auditor's report should include a description of the matter or
matters giving rise to the modification, if the service auditor
concludes any of the following:
SOC 2® engagement:
o Management's description of the service organization's
system does not present the system designed and implemented
throughout the period in accordance with the description criteria,
in all material respects.
o The controls are not suitably designed to provide reasonable assurance that the service
organization's service commitments and system requirements would be achieved based
on the applicable trust services criteria if the controls operated effectively, in all
material respects.

© Becker Professional Education Corporation. All rights reserved.
 Modifications to the Service Auditor's Opinion
The service auditor's opinion should be modified, and the service
auditor's report should include a description of the matter or
matters giving rise to the modification, if the service auditor
concludes any of the following:
SOC 2® engagement:
o The controls did not operate effectively throughout the
specified period to provide reasonable assurance that
the service organization's service commitments and system
requirements were achieved based on the applicable trust
services criteria, in all material respects (Type 2 only).
o The service auditor is unable to obtain sufficient and appropriate evidence.

© Becker Professional Education Corporation. All rights reserved.
 Modifications to the Service Auditor's Opinion
The service auditor determines whether a qualified opinion,
an adverse opinion, or a disclaimer of opinion is appropriate
depending on the following:
The nature of the matter giving rise to the modification (that
is, whether the subject matter of the engagement is
presented in accordance with (or based on) the criteria, in all
material respects, or, in the case of an inability to obtain
sufficient appropriate evidence, may be materially misstated).
The service auditor's professional judgment about the
pervasiveness of the effects, or possible effects, of the matter
on the subject matter of the engagement.

© Becker Professional Education Corporation. All rights reserved.
 Modifications to the Service Auditor's Opinion
There are three types of modified opinions:
Qualified Opinion: States that except for the effects of the
matter(s) giving rise to the modification, the description is
presented in accordance with the description criteria and the
controls were suitably designed and operating effectively
(Type 2), in all material respects.
Adverse Opinion: States that the description misstatements,
either individually or in the aggregate, are material and
pervasive, or deficiencies in the design or operation of
controls are material and pervasive.
Disclaimer of Opinion: States that the auditor does not express an opinion.

© Becker Professional Education Corporation. All rights reserved.
 Summary of Modified Opinions
The chart below summarizes the nature of matters giving rise to the service auditor's opinion modification:
Service Auditor's Professional Judgment About
Nature of Matter Nature of Matter the Pervasiveness of the Effects (or Possible Effects)
Giving Rise to the Giving Rise to the on the Opinion on the Description, on the Suitability of
Modification (SOC 1®) Modification (SOC 2®) the Design of Controls, and on the Operating
Effectiveness of Controls
Material but Not Pervasive Material and Pervasive
Scope limitation: An Scope limitation: An Qualified opinion Disclaimer of opinion
inability to obtain inability to obtain sufficient
sufficient appropriate appropriate evidence.
evidence.

© Becker Professional Education Corporation. All rights reserved.
 Summary of Modified Opinions
The chart below summarizes the nature of matters giving rise to the service auditor's opinion modification:
Service Auditor's Professional Judgment About
Nature of Matter Nature of Matter the Pervasiveness of the Effects (or Possible Effects)
Giving Rise to the Giving Rise to the on the Opinion on the Description, on the Suitability of
Modification (SOC 1®) Modification (SOC 2®) the Design of Controls, and on the Operating
Effectiveness of Controls
Material but Not Pervasive Material and Pervasive
Material misstatements: Material misstatements: Qualified opinion Adverse opinion
The description is The description is materially
materially misstated. misstated.
OR OR
The controls are not The controls are not suitably
suitably designed to designed to provide
achieve one or more of the reasonable assurance that
related control objectives one or more of the service
stated in management's organization's service
description of the service commitments or system
organization's system. requirements were achieved
based on the applicable trust
services criteria.
© Becker Professional Education Corporation. All rights reserved.
 Summary of Modified Opinions
The chart below summarizes the nature of matters giving rise to the service auditor's opinion modification:
Service Auditor’s Professional Judgment About
Nature of Matter Nature of Matter the Pervasiveness of the Effects (or Possible Effects)
Giving Rise to the Giving Rise to the on the Opinion on the Description, on the Suitability of
Modification (SOC 1®) Modification (SOC 2®) the Design of Controls, and on the Operating
Effectiveness of Controls
Material but Not Pervasive Material and Pervasive
OR OR Qualified opinion Adverse opinion
The controls are not The controls are not
operating effectively to operating effectively to
achieve one or more provide reasonable
of the related control assurance that one or more
objectives stated in of the service organization's
management's description service commitments or
of the service system requirements were
organization's system. achieved based on the
applicable trust
services criteria.

© Becker Professional Education Corporation. All rights reserved.
 Contents of the Auditor's
Report for a SOC
Engagement: Part 1

© Becker Professional Education Corporation. All rights reserved.
 Contents of the Auditor's Report for a SOC Engagement
The SOC report includes the following key components:
Management's description of the system
Management's assertion
Independent service auditor's report
Auditor's tests of controls and results of tests

© Becker Professional Education Corporation. All rights reserved.
 SOC ®
1 Purpose
and Common Sections of Management's
System Description
A SOC 1® engagement is an examination to report on a service organization's controls
relevant to user entities' internal control over financial reporting.
The service organization's management is responsible for documenting the description
of the service organization's system.
The description must provide sufficient information:
o to allow a user auditor to understand how the service organization's processing affects
the user entity's financial statements; and
o to assess the risk of material misstatement of the user entity's financial statements.
The form and extent of the description:
o are determined by management; and
o may depend on the size and complexity of the service organization.

© Becker Professional Education Corporation. All rights reserved.
 SOC 1®
Purpose and Common Sections of Management's
System Description
Common sections of a system description subject to SOC 1®
engagements include:
Types of services provided
o Defined scope of services provided and the classes of
transactions processed.
Procedures performed
o Procedures, within both manual and automated systems, by
which services are provided, including procedures to initiate,
authorize, record, process, correct, and transfer transactions
to reports and other information for user entities.

© Becker Professional Education Corporation. All rights reserved.
 SOC 1®
Purpose and Common Sections of Management's
System Description
Common sections of a system description subject to SOC 1®
engagements include:
System functionality
o How the system captures and addresses significant events and
conditions (other than transactions).
Subservice organizations
o Services performed by entities the service organization uses to
provide services to the user entity, including whether the
carve-out method or the inclusive method has been used, and
any complementary subservice organizational controls
necessary to meet control objectives.

© Becker Professional Education Corporation. All rights reserved.
 SOC 1®
Purpose and Common Sections of Management's
System Description
Common sections of a system description subject to SOC 1®
engagements include:
Controls
o A description of the control objective and design to achieve those
objectives, including the frequency, timing, person, or parties
responsible for performance, and the source of information to
which the control is applied.
Information on other aspects of the control environment, risk
assessment process, information and communication, control
activities, and monitoring activities that are relevant to the
services provided.

© Becker Professional Education Corporation. All rights reserved.
 SOC 1®
Purpose and Common Sections of Management's
System Description
Common sections of a system description subject to SOC 1®
engagements include:
Prepare reports
o Process to prepare reports and other information for user entities.
Deficiencies in information
o If applicable, information used in the performance of the
procedures (if applicable, related accounting records and
supporting information) to initiate, authorize, record, process,
and report transactions.
o This includes the correction of incorrect information and how
information is transferred to the report, and other information
prepared for user entities.

© Becker Professional Education Corporation. All rights reserved.
 SOC 1®
Purpose and Common Sections of Management's
System Description
Common sections of a system description subject to SOC 1®
engagements include:
Complementary user entity controls (CUECs)
o Controls that must be implemented by the user entity to meet
control objectives.
Relevant details of changes to the service organization's system
during the period covered by the description (Type 2 only).

© Becker Professional Education Corporation. All rights reserved.
 SOC 1®
Purpose and Common Sections of Management's
System Description
Common sections of a system description subject to SOC 1®
engagements include:
The description:
o does not omit or distort information relevant to the system; and
o is prepared to meet the common needs of a broad range of user
entities and their auditors, and thus may not include every
aspect that a user entity may consider important in its own
particular environment.

© Becker Professional Education Corporation. All rights reserved.
 Contents of the Auditor's
Report for a SOC
Engagement: Part 2

© Becker Professional Education Corporation. All rights reserved.
 SOC 2 ®
Purpose and Common Sections
of Management's System Description
A SOC 2® engagement is an examination of:
o a service organization's description of its system;
o the suitability of the design of controls; and
o the operating effectiveness of controls relevant to security,
availability, processing integrity, confidentiality, and privacy
(in a Type 2 engagement).

© Becker Professional Education Corporation. All rights reserved.
 SOC 2 ®
Purpose and Common Sections
of Management's System Description
The service organization's management is responsible for
presenting a description of the system to enable report users,
such as user entities, business partners, or other relevant parties,
to understand the system and the processing and flow of data
throughout and from the system.
The description:
o is to be prepared in accordance with specific criteria; and
o describes the procedures and controls in place to manage risk.

© Becker Professional Education Corporation. All rights reserved.
 SOC 2 ®
Purpose and Common Sections
of Management's System Description
Common sections of a system description subject to a SOC 2®
engagement include:
Types of services provided
o Types of services provided by service organizations,
including the services that are the focus of the engagement.
Principal service commitments and system requirements
o The commitments made to user entities and the system
requirements required to achieve such commitments.
o Service commitments: Declarations made by service organization management to user
entities and others (such as user entities' customers) about the system used to provide
the service.

© Becker Professional Education Corporation. All rights reserved.
 SOC 2 ®
Purpose and Common Sections
of Management's System Description
Principal service commitments and system requirements
o System requirements: Specifications regarding how the system
should function:
to meet the service organization's service commitments to user
entities and others;
to meet the service organization's commitments to vendors and
business partners;
to comply with relevant laws and regulations and guidelines of
industry groups; and
to achieve other objectives of the service organization that are relevant to
the trust services category or categories addressed by the description.

© Becker Professional Education Corporation. All rights reserved.
 SOC 2 ®
Purpose and Common Sections
of Management's System Description
Common sections of a system description subject to a SOC 2®
engagement include:
Components of the system used to provide the services
o Infrastructure, software, people, procedures, and data.
Identified system incidents
o Incidents that were the result of controls that were not suitably
designed or operating effectively or that resulted in a significant
failure in the achievement of one or more service commitments
and system requirements.
o The nature, extent (or effect), and timing of the system incident and its disposition
(based on management's judgment) that occurred as of the date of the description
(Type 1) or during the period of time covered by the description (Type 2).

© Becker Professional Education Corporation. All rights reserved.
 SOC 2 ®
Purpose and Common Sections
of Management's System Description
Common sections of a system description subject to a SOC 2®
engagement include:
Applicable trust services criteria
o The trust services criteria being reported on, including
applicable controls in place to provide reasonable assurance
that the service commitments and system requirements
were achieved.
Complementary user entity controls (CUECs)
o The controls implemented by the user entity that are necessary,
in combination with controls at the service organization, to provide
reasonable assurance that the service commitments and system
requirements would be achieved.

© Becker Professional Education Corporation. All rights reserved.
 SOC 2 ®
Purpose and Common Sections
of Management's System Description
Common sections of a system description subject to a SOC 2® engagement include:
Subservice organizations: A subservice organization used by the service organization
and the controls at the subservice organization are necessary, in combination with
controls at the service organization, to provide reasonable assurance that the service
commitments and system requirements would be achieved.
o Inclusive method: Nature of the service provided, controls with clear differentiation
between controls at the service organization and subservice organization, portions
of the system attributable to the subservice organization along with relevant aspects
(e.g., infrastructure, software, people, procedures, data).
o Carve-out method: Management does not include a description of the controls that
operate only or primarily at the subservice organization. However, the description
should contain details regarding the nature of the service provided, types of controls
along with the applicable trust services criteria that are intended to be met by the
complementary subservice organization controls (CSOCs), the subservice
organization's responsibilities for implementing the CSOCs, and an indication that
the related service commitments and system requirements can only be achieved if
the CSOCs are suitably designed and operating effectively.

© Becker Professional Education Corporation. All rights reserved.
 SOC 2 ®
Purpose and Common Sections
of Management's System Description
Common sections of a system description subject to a SOC 2®
engagement include:
Irrelevant specific criteria
o Explanations for why specific trust services criteria are not
relevant for the service organization's system.
Details of system and control changes during the period that are
relevant to the service organization's service commitments and
system requirements (Type 2 only).

© Becker Professional Education Corporation. All rights reserved.
 Contents of the Auditor's
Report for a SOC
Engagement: Part 3

© Becker Professional Education Corporation. All rights reserved.
 Management's Description of the Entity's
Cybersecurity Risk Management Program

An entity's cybersecurity risk management program is a set of
policies, processes, and controls designed to:
protect information and systems from security events that
could compromise the achievement of the entity's
cybersecurity objectives; and
detect, respond to, mitigate, and recover from, on a timely
basis, security events that are not prevented.

© Becker Professional Education Corporation. All rights reserved.
 Management's Description of the Entity's
Cybersecurity Risk Management Program
The categories of description criteria include the following:

1 Nature of business and operations

2 Nature of information at risk

3 Cybersecurity risk management program objectives (cybersecurity objectives)

4 Factors that have a significant effect on inherent cybersecurity risks

5 Cybersecurity risk governance structure

6 Cybersecurity risk assessment process

7 Cybersecurity communications and the quality of cybersecurity information

8 Monitoring of the cybersecurity risk management program

9 Cybersecurity control processes

© Becker Professional Education Corporation. All rights reserved.
 Management's Description of the Entity's
Cybersecurity Risk Management Program

The cybersecurity risk management examination is predicated
on the concept that management is responsible for:
developing and presenting a description of the entity's
cybersecurity risk management program;
making an assertion about whether the description is
presented in accordance with the description criteria; and
making an assertion about the effectiveness of the controls
within the program based on a set of control criteria.

© Becker Professional Education Corporation. All rights reserved.
 Management's Assertions

In a SOC engagement, the service auditor is required to request a written assertion from management.
In a SOC 1® or SOC 2® engagement, management's assertion addresses whether:
Management's description of the system fairly presents the system that was designed and implemented.

SOC 1® SOC 2®
Management's description of the service Management's description of the service
organization's system fairly presents the organization's system presents the service
service organization's system that was organization's system that was designed
designed and implemented as of a and implemented in accordance with the
specified date (Type 1) or throughout the description criteria, as of a specified date
specified period (Type 2). (Type 1) or throughout the specified
period (Type 2).

© Becker Professional Education Corporation. All rights reserved.
 Management's Assertions

In a SOC 1® or SOC 2® engagement, management's assertion addresses whether:
The controls stated in management's description of the system were suitably designed.

SOC 1® SOC 2®
The controls related to the control The controls stated in management's
objectives statement in management's description were suitably designed to
description of the service organization's provide reasonable assurance that the
system were suitably designed to achieve service organization's service
the control objectives as of the specified commitments and system requirements
date (Type 1) or throughout the specified were achieved based on the applicable
period (Type 2). trust services criteria as of the specified
date (Type 1) or throughout the specified
period (Type 2).

© Becker Professional Education Corporation. All rights reserved.
 Management's Assertions

In a SOC 1® or SOC 2® engagement, management's assertion addresses whether:
The controls stated in management's description of the system operated effectively (Type 2 only).

SOC 1® SOC 2®
The controls related to the control The controls stated in management's
objectives stated in management's description of the system operated
description of the system operated effectively throughout the specified period
effectively throughout the specified period to provide reasonable assurance that the
to achieve the control objectives. service organization's service
commitments and system requirements
were achieved based on the applicable
trust services criteria.

© Becker Professional Education Corporation. All rights reserved.
 Management's Assertions

In a SOC 3® engagement, management's assertion addresses whether:
the controls within the system were effective throughout the specified period to provide
reasonable assurance that the service organization's service commitments and system
requirements were achieved based on the applicable trust services criteria, including:
o a description of the boundaries of the system; and
o the service organization's principal service commitments and system requirements.

© Becker Professional Education Corporation. All rights reserved.
 Management's Assertions

Management's assertions are included in the SOC report along with the description of
the service organization's system in the service auditor's report.
If management refuses to provide a written assertion, the service auditor is required to
withdraw from the engagement when withdrawal is possible under applicable laws
and regulations.
If law or regulation does not allow the service auditor to withdraw, the service auditor
should disclaim an opinion on:
o the description;
o the suitability of design of controls in a Type 1 engagement; and
o the operating effectiveness of controls in a Type 2 engagement.

© Becker Professional Education Corporation. All rights reserved.
 Summary of Management Assertions by Engagement Type
Management's Assertions by SOC Engagement and Report Type

Report Type SOC 1® SOC 2® SOC 3®
Type 1 Management's system Management's system
description description
Management's written assertion Management's written assertion
about whether the description about whether the description
fairly presents the system, fairly presents the system,
AND AND
the controls were suitably the controls related to the
designed to achieve control applicable trust services criteria
objectives were suitably designed to meet
those criteria

© Becker Professional Education Corporation. All rights reserved.
 Summary of Management Assertions by Engagement Type
Management's Assertions by SOC Engagement and Report Type

Report Type SOC 1® SOC 2® SOC 3®
Type 2 Management's system Management's system Management's description of
description description the service organization's
system boundaries and copy of
Management's written assertion Management's written assertion its privacy notice if addressing
about whether the description about whether the description the privacy principle
fairly presents the system that fairly presents the system that
was designed and implemented was designed and implemented Management's written assertion
throughout the specified period, throughout the specified period, concerning whether effective
AND AND controls over the system related
the controls were suitably the controls were suitably to applicable trust services
designed throughout the designed throughout the period criteria
period to achieve control to achieve applicable trust
objectives, services criteria,
AND AND
the controls operated effectively the controls operated effectively
throughout the period to achieve throughout the period to meet
control objectives applicable trust services criteria
© Becker Professional Education Corporation. All rights reserved.
 Contents of the
Service Auditor's
Report for a SOC 1®

Engagement: Part 1

© Becker Professional Education Corporation. All rights reserved.
 Contents of the SOC 1® Report
The SOC 1® report includes the following key components:
1. Management's Description of the System
2. Management's Assertion
3. Independent Service Auditor's Report
4. Auditor's Tests of Controls and Results of Tests

© Becker Professional Education Corporation. All rights reserved.
 Contents of the SOC 1® Report
Management's Description of the System
Management's description of the system as of a specified date (Type 1)
or throughout the specified period ( Type 2).

© Becker Professional Education Corporation. All rights reserved.
 Contents of the SOC 1® Report
Management's Assertion
Addresses whether, based on the criteria in a management's assertion:
o Management's description of the service organization's system fairly
presents the service organization's system that was designed and
implemented as of a specified date (Type 1) or throughout the
specified period (Type 2).
o The controls related to the control objectives stated in management's
description of the service organization's system were suitability
designed to achieve those control objectives as of the specified date
(Type 1) or throughout the specified period (Type 2).
o The controls related to the control objectives stated in management's
description of the service organization's system operated effectively to
achieve those control objectives (Type 2 only).

© Becker Professional Education Corporation. All rights reserved.
 Contents of the SOC 1® Report
Independent Service Auditor's Report
The service auditor's opinion about whether:
o Management's description of the service organization's system fairly
presents the service organization's system that was designed and
implemented as of a specified date (Type 1) or throughout the
specified period (Type 2).
o The controls related to the control objectives stated in management's
description of the service organization's system were suitability
designed to achieve those control objectives as of the specified date
(Type 1) or throughout the specified period (Type 2).
o The controls related to the control objectives stated in management's
description of the service organization's system operated effectively to
achieve those control objectives (Type 2 only).

© Becker Professional Education Corporation. All rights reserved.
 Contents of the SOC 1® Report
Auditor's Tests of Controls and Results of Tests
Description of the service auditor's tests of controls and results
thereof (Type 2 only).

© Becker Professional Education Corporation. All rights reserved.
 Contents of the Service
Auditor's Report for a
®
SOC 1 Engagement:
Part 2

© Becker Professional Education Corporation. All rights reserved.
 Elements of the Service Auditor's SOC 1® Report
The elements to be included in a service auditor's SOC 1® report include:
SOC 1® Type 1
Independent Service Auditor's SOC 1® Report
Title A title that includes the word independent.

Addressee An appropriate addressee as required by
the circumstances of the engagement.

© Becker Professional Education Corporation. All rights reserved.
 Elements of the Service Auditor's SOC 1® Report
Independent Service Auditor's SOC 1® Report
Scope Identification of the following: SOC 1® Type 1
Management's description of the service organization's
system, the function performed by the system, and the
period to which the description relates.
The criteria against which the fairness of the
presentation of the description and the suitability of the
design and operating effectiveness (Type 2) of the
controls to achieve the related control objectives stated
in the description were evaluated.
Any information included in a document containing the
service auditor's report that is not covered by the service
auditor's report.

© Becker Professional Education Corporation. All rights reserved.
 Elements of the Service Auditor's SOC 1® Report
Independent Service Auditor's SOC 1® Report
Scope Any services performed by a subservice organization SOC 1® Type 1
and whether the carve-out method or the inclusive
method was used in relation to them.
o If the carve-out method was used, a statement that:
Management's description of the service
organization's system excludes the control
objectives and related controls of the relevant
subservice organizations.
Certain control objectives specified by the service
organization can be achieved only if
complementary subservice organization controls
assumed in the design of the service
organization's controls are suitably designed and
operating effectively.

© Becker Professional Education Corporation. All rights reserved.
 Elements of the Service Auditor's SOC 1® Report
Independent Service Auditor's SOC 1® Report
Scope Any services performed by a subservice organization SOC 1® Type 1
and whether the carve-out method or the inclusive
method was used in relation to them.
o If the carve-out method was used, a statement that:
The service auditor's procedures do not extend to
such complementary subservice organization
controls.
Management's description of the service
organization's system includes the subservice
organization's specified control objectives and
related controls, and that the service auditor's
procedures included procedures related to the
subservice organization.

© Becker Professional Education Corporation. All rights reserved.
 Elements of the Service Auditor's SOC 1® Report
Independent Service Auditor's SOC 1® Report
Scope A statement that the controls and control objectives SOC 1® Type 1
included in the description are those that management
believes are likely to be relevant to user entities'
internal control over financial reporting, and the
description does not include those aspects of the
system that are not likely to be relevant to user entities'
internal control over financial reporting.
o If management's description of the service
organization's system refers to the need for
complementary user entity controls, a statement that:
The service auditor has not evaluated the
suitability of the design or operating effectiveness
of complementary user entity controls, and that
the control objectives stated in the description can
be achieved only if complementary user entity CEUC
controls are suitably designed and operating
effectively, along with the controls at the service
organization.

© Becker Professional Education Corporation. All rights reserved.
 Elements of the Service Auditor's SOC 1® Report
Independent Service Auditor's SOC 1® Report
Service A reference to management's assertion and a SOC 1® Type 1
Organization's statement that management is responsible for:
Responsibilities o Preparing the description of the service
organization's system and the assertion, including
the completeness, accuracy, and method of
presentation of the description and assertion.
o Providing the services covered by the description of
the service organization's system.
o Specifying the control objectives and stating them in
the description of the service organization's system.
o Identifying the risks that threaten the achievement
of the control objectives.
o Selecting the criteria.
o Designing, implementing, and documenting controls
that are suitably designed and operating effectively
to achieve the related control objectives stated in
the description of the service organization's system.

© Becker Professional Education Corporation. All rights reserved.
 Elements of the Service Auditor's SOC 1® Report
Independent Service Auditor's SOC 1® Report
Service A statement that the service auditor is responsible SOC 1® Type 1
Auditor's for expressing an opinion on the fairness of the
Responsibilities presentation of management's description of the
service organization's system and on the suitability
of the design and operating effectiveness (Type 2) of
the controls to achieve the related control objectives
stated in the description based on the service
auditor's examination.

© Becker Professional Education Corporation. All rights reserved.
 Elements of the Service Auditor's SOC 1® Report
Independent Service Auditor's SOC 1® Report
Service A statement that: SOC 1® Type 1
Auditor's o The examination was conducted in accordance
Responsibilities with attestation standards established by the
AICPA.
o The standards require the service auditor to plan
and perform the examination to obtain reasonable
assurance about whether, in all material respects,
based on the criteria in management's assertion,
management's description of the system is fairly
presented and the controls are suitably designed
and operating effectively (Type 2), as of the
specified date (Type 1) or throughout the
specified period (Type 2), to achieve the related
control objectives.
o The service auditor believes the evidence
obtained is sufficient and appropriate to provide a
reasonable basis for the service auditor's opinion.

© Becker Professional Education Corporation. All rights reserved.
 Elements of the Service Auditor's SOC 1® Report
Independent Service Auditor's SOC 1® Report
Service A statement that an examination of management's SOC 1® Type 1
Auditor's description of a service organization's system and
Responsibilities the suitability of the design and operating
effectiveness (Type 2) of the service organization's
controls to achieve the related control objectives
stated in the description involves:
o Performing procedures to obtain evidence about
the fairness of the presentation of the description
and the suitability of the design and operating
effectiveness (Type 2) of the controls to achieve
the related control objectives stated in the
description based on the criteria in
management's assertion.
o Assessing the risks that management's
description of the service organization's system is
not fairly presented and that the controls were not