
Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018



AD ID: 0003292

AD STATUS: Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018

ORIGINATOR: American Institute of Certified Public Accountants

TYPE: Safe Harbor

AVAILABILITY: For Purchase

SYNONYMS: SOC2; Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2)

EFFECTIVE: 2018-01-01

ADDED: The document as a whole was last reviewed and released on 2021-06-28T00:00:00-0700.



Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because those Citations and mandates are tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018 that has been tagged with its primary and secondary nouns and primary and secondary verbs, presented in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018 are based upon terms either found within the Authority Document’s defined terms section (which most legal documents have) or its glossary, or, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone

413 Mandated Controls - bold; 111 Implied Controls - italic; 1645 Implementation Controls - regular

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 2169 Total

  • Acquisition or sale of facilities, technology, and services (7 controls)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold; Implied - italic; Implementation - regular. Each control is followed by its CC ID, TYPE, and CLASS.
    Acquisition or sale of facilities, technology, and services. CC ID 01123 (Type: IT Impact Zone; Class: IT Impact Zone)
    Plan for acquiring facilities, technology, or services. CC ID 06892 (Type: Acquisition/Sale of Assets or Services; Class: Preventive)
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 (Type: Establish/Maintain Documentation; Class: Preventive)
    Include security requirements in system acquisition contracts. CC ID 01124 (Type: Establish/Maintain Documentation; Class: Preventive)
    Obtain system documentation before acquiring products and services. CC ID 01445 (Type: Establish/Maintain Documentation; Class: Preventive)
    Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285
    [{be accurate}{be relevant}{description of the service organization's system} The description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and relevant to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria. When making this evaluation, the service auditor may review system documentation and contracts with user entities, make inquiries of service organization personnel, and perform other such procedures as he or she considers necessary. ¶ 3.41
    {audit evidence}{suitably designed control}To supplement such evidence and other information, the service auditor generally performs a combination of the following procedures: Reading applicable and supporting system documentation ¶ 3.96 Bullet 4
    {audit evidence}{process narrative}The service auditor may perform a variety of procedures to obtain evidence about whether the description presents the system that was designed and implemented in accordance with the description criteria, including a combination of the following: Reading policy and procedure manuals, system documentation, flowcharts, narratives, hardware asset management records, and other system documentation to understand ¶ 3.59 Bullet 9]
    (Type: Communicate; Class: Preventive)
    Establish, implement, and maintain error handling procedures for the sale of products and services. CC ID 13488
    [Processes and procedures the service organization may perform to address the risks associated with interactions with a vendor or business partner are outlined in trust services criterion CC9.2 and include all or a combination of the following: Establishing exception handling procedures for service or product issues related to vendors and business partners ¶ 3.150 Bullet 5]
    (Type: Establish/Maintain Documentation; Class: Preventive)
  • Audits and risk management (582 controls)
    Audits and risk management. CC ID 00677 (Type: IT Impact Zone; Class: IT Impact Zone)
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [As previously stated, the service auditor is required to establish, prior to acceptance of the SOC 2® examination, an understanding with service organization management about its responsibilities and those of the service auditor. This section provides an overview of management's responsibilities. Because many of the decisions service organization management makes prior to engaging the service auditor can affect the nature, timing, and extent of procedures the service auditor performs, this section also discusses those aspects of management's responsibilities in more detail. ¶ 2.03
    When planning a SOC 2® examination, a service auditor may decide that engaging or assigning a specialist with specific skills and knowledge is necessary to execute the planned examination. If a service auditor's specialist will be used in the SOC 2® examination, paragraph .36 of AT-C section 205 requires the service auditor to do the following: Agree with the specialist regarding the respective roles and responsibilities of the service auditor and the specialist; ¶ 2.160(c)(ii)
    If the service organization has an internal audit function, as part of understanding the service organization's system, the service auditor ordinarily obtains an understanding of the following: The nature of the internal audit function's responsibilities and how the internal audit function fits into the service organization's organizational structure ¶ 2.134(a)
    {SOC 2 engagement}Paragraph .08 of AT-C section 205 states that the agreed-upon terms of the engagement should include the following: The responsibilities of the responsible party and the responsibilities of the engaging party, if different ¶ 2.71(d)
    {description of the service organization's system}{description of the subservice organization's system}If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: The representatives of the subservice organization and the service organization and who will be responsible for providing each entity's description and ¶ 2.98 Bullet 4 Sub-Bullet 1
    {description of the service organization's system}{description of the subservice organization's system}If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: The representatives of the subservice organization and the service organization and who will be responsible for integrating the descriptions ¶ 2.98 Bullet 4 Sub-Bullet 2
    {external requirement} Unless the subservice organization is also an engaging party (which is not the case in most SOC 2® examinations in which the inclusive method is used), subservice organization management is not responsible for complying with any of the requirements in AT-C sections 105 or 205 that relate to an engaging party (for example, the requirement in paragraph .07 of AT-C section 205 for the service auditor to agree on the terms of the engagement with the engaging party.) A non-engaging-party subservice organization has no contractual relationship with the service auditor. ¶ 2.102
    {be responsible}{description of the service organization's system}{refrain from sharing} The responsibility to report on the description of the system, the suitability of design of controls, and, in a type 2 examination, the operating effectiveness of controls rests solely with the service auditor and cannot be shared with the internal audit function. Therefore, the judgments about the significance of deviations in the effectiveness of controls, the sufficiency of procedures performed, the evaluation of identified deficiencies, and other matters that affect the service auditor's opinion are those of the service auditor. In making judgments about the extent of the effect of the work of the internal audit function on the service auditor's procedures, the service auditor may determine, based on the risk associated with the controls and the significance of the judgments relating to them, that the service auditor will perform the work relating to some or all of the controls, rather than using the work performed by the internal audit function. ¶ 3.175
    Prior to engaging a service auditor to perform a SOC 2® examination, service organization management is responsible for making a variety of decisions that affect the nature, timing, and extent of procedures to be performed in a SOC 2® examination, including the following: ¶ 2.04
    If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: The representatives of the subservice organization and the service organization and who will be responsible for ¶ 2.98 Bullet 4
    {principal system requirement}{be the same} For a SOC 3® examination, service organization management's responsibilities are substantially the same as those for a SOC 2® examination except that management does not prepare a system description. Although management does not prepare a system description, it does disclose the boundaries of the system and the service organization's principal service commitments and system requirements as part of its written assertion. That is discussed beginning in paragraph 4.112. ¶ 2.167
    {description of the service organization's system}{principal system requirement}{SOC 2 engagement} Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to understand how the system operates and how management and the service auditor evaluated the suitability of the design of controls and, in a type 2 examination, the operating effectiveness of controls. Because of the importance of the service commitments and system requirements to the SOC 2® examination, the principal service commitments and system requirements disclosed by management should be appropriate for the engagement. Chapter 2 , "Accepting and Planning a SOC 2® Examination," discusses the service auditor's responsibility for assessing whether the principal service commitments and system requirements disclosed by service organization management in the description are appropriate. ¶ 1.49]
    (Type: Establish Roles; Class: Preventive)
    Manage supply chain audits. CC ID 01203
    [{SOC 2 examination} Because of the additional complexities involved with the use of the inclusive method, both the service organization and the subservice organization ought to agree on the use of the inclusive approach before it is selected for the examination. In addition, to facilitate the process, service organization management generally coordinates the use of the inclusive method with the subservice organization. If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: ¶ 2.98]
    (Type: Audits and Risk Management; Class: Preventive)
    Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 (Type: Audits and Risk Management; Class: Preventive)
    Rotate auditors, as necessary. CC ID 15589 (Type: Audits and Risk Management; Class: Preventive)
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 (Type: Establish Roles; Class: Preventive)
    Assign the Board of Directors to address audit findings. CC ID 12396 (Type: Human Resources Management; Class: Corrective)
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184
    [{be appropriate}Factors that may affect the service auditor's evaluation of objectivity include the following: Whether those charged with governance oversee employment decisions related to the internal audit function, for example, whether they determine the appropriate remuneration in accordance with policy ¶ 2.141(c)]
    (Type: Establish Roles; Class: Preventive)
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 (Type: Establish Roles; Class: Preventive)
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152 (Type: Testing; Class: Detective)
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 (Type: Establish Roles; Class: Preventive)
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681
    [If the service organization has an internal audit function, the service auditor's understanding of the service organization's system should include the following: The nature of the internal audit function's responsibilities and how the internal audit function fits in the service organization's organizational structure ¶ 2.112(a)]
    (Type: Establish Roles; Class: Preventive)
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 (Type: Establish Roles; Class: Preventive)
    Define and assign the external auditor's roles and responsibilities. CC ID 00683
    [As previously stated, the service auditor is required to establish, prior to acceptance of the SOC 2® examination, an understanding with service organization management about its responsibilities and those of the service auditor. This section provides an overview of management's responsibilities. Because many of the decisions service organization management makes prior to engaging the service auditor can affect the nature, timing, and extent of procedures the service auditor performs, this section also discusses those aspects of management's responsibilities in more detail. ¶ 2.03
    Paragraph .31 of AT-C section 105 indicates that when the service auditor expects to use the work of an other practitioner, the service auditor has the following reporting options: Assume responsibility for the work of the other practitioner ¶ 2.155(a)
    {SOC 2 engagement}Paragraph .08 of AT-C section 205 states that the agreed-upon terms of the engagement should include the following: The responsibilities of the service auditor ¶ 2.71(b)
    {audit procedure}{be appropriate}{be effective}{be efficient} When planning the SOC 2® examination, the engagement partner and other key members of the engagement team develop an overall strategy for the scope, timing, and conduct of the engagement and an engagement plan, consisting of a detailed approach for the nature, timing, and extent of procedures to be performed. Adequate planning helps the service auditor devote appropriate attention to important areas of the engagement, identify potential problems on a timely basis, and properly organize and manage the engagement to make sure it is performed in an effective and efficient manner. Adequate planning also assists the service auditor in properly assigning work to engagement team members and facilitates the direction, supervision, and review of their work. Furthermore, if the work of internal auditors, other service auditors, or specialists is used in the engagement, proper planning helps the service auditor coordinate their work. ¶ 2.91
    When planning a SOC 2® examination, a service auditor may decide that engaging or assigning a specialist with specific skills and knowledge is necessary to execute the planned examination. If a service auditor's specialist will be used in the SOC 2® examination, paragraph .36 of AT-C section 205 requires the service auditor to do the following: Agree with the specialist regarding the respective roles and responsibilities of the service auditor and the specialist; ¶ 2.160(c)(ii)
    {third party} If the service auditor identifies or suspects noncompliance with laws or regulations that are not relevant to the subject matters of the SOC 2® examination, the service auditor should determine whether he or she has a responsibility to report the identified or suspected noncompliance to parties other than management (and the engaging party, if different). ¶ 3.194
    {SOC 2 Report}{specified party} When engaged by the service organization, the service auditor provides the report to management of the service organization, and management distributes the report to the parties to whom use of the report is restricted. A service auditor is not responsible for controlling a client's distribution of a restricted-use report. ¶ 4.91
    The quality control requirements for competence and ethical behavior are reiterated in paragraph .27 of AT-C section 105, which states that the service auditor should accept or continue a SOC 2® examination only when the service auditor has reached a common understanding with the engaging party of the terms of the engagement, including the service auditor's reporting responsibilities. (Chapter 4 discusses reporting in a SOC 2® examination.) ¶ 2.32(d)
    {ethical requirement} Prior to accepting a SOC 2® examination, AT-C section 105, Concepts Common to All Attestation Engagements, requires the service auditor to determine that certain preconditions are met. Among other things, those preconditions require the service auditor to determine whether the engagement team meets the ethical and competency requirements set forth in the professional standards and whether the engagement meets the relevant requirements of the attestation standards. Prior to engagement acceptance, a service auditor is also required to establish an understanding with management about its responsibilities and those of the service auditor in the SOC 2® examination. ¶ 2.01
    An internal audit function performs assurance and consulting activities designed to evaluate and improve the effectiveness of the service organization's governance, risk management, and internal control processes. Activities similar to those performed by an internal audit function may be conducted by functions with other titles within a service organization. Some or all of the activities of an internal audit function may also be outsourced to a third-party service provider. For example, a service organization may engage a service provider to perform (a) penetration testing, (b) responsibilities of the internal audit function that the function itself does not have the competency or qualifications to perform (for example, performing the IT internal audit function), or (c) a one-time special assessment at the request of the board of directors. Neither the title of the function nor whether it is performed by the service organization or a third-party service provider is a sole determinant of whether the service auditor can use the work of internal auditors. Rather, it is the nature of the activities, the extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal auditors, the competence of internal auditors, and the systematic and disciplined approach of the function that are relevant. References in this guide to the work of the internal audit function include relevant activities of other functions or third-party providers that have these characteristics. ¶ 2.132
    {audit procedure}{audit evidence} Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity required to evaluate the effectiveness of the control. As the significance of these factors increases, so does the need for the service auditor, rather than the internal audit function, to perform the procedures, and conversely, as these factors decrease in significance, the need for the service auditor to perform the tests decreases. ¶ 2.147
    {audit evidence} Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity required to evaluate the effectiveness of the control. As the significance of these factors increases, so does the need for the service auditor, rather than the internal audit function, to perform the procedures, and conversely, as these factors decrease in significance, the need for the service auditor to perform the tests decreases. ¶ 3.169
    {audit evidence} The extent to which the service auditor plans to use the work of the internal audit function is a matter of professional judgment. Because the service auditor has sole responsibility for expressing an opinion on the description, on the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls, the service auditor makes all significant judgments in the examination, including when to use the work of the internal audit function in obtaining evidence. ¶ 2.145]
    (Type: Establish Roles; Class: Preventive)
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102
    [{engagement team}{be appropriate} When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: ¶ 2.40
    {legal requirement}{engagement team}When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: An understanding of legal and regulatory requirements relevant to the examination ¶ 2.40 Bullet 9
    {engagement team}When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: Knowledge of relevant IT systems and technology, such as CPUs, networking, firewalls or firewall techniques, security protocols, operating systems, and databases ¶ 2.40 Bullet 4
    {engagement team}When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: Knowledge of any uncommon technologies or industry-specific technology used by the service organization ¶ 2.40 Bullet 5
    {Information Technology control}{engagement team}When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: An understanding of IT processes and controls, such as the management of operating systems, networking, and virtualization software and related security techniques; security principles and concepts; software development; and incident management and information risk management ¶ 2.40 Bullet 6
    {control at the service organization} The service auditor's understanding of the service organization's system and related controls should be sufficient to enable the service auditor to do the following: ¶ 2.120
    When planning a SOC 2® examination, a service auditor may decide that engaging or assigning a specialist with specific skills and knowledge is necessary to execute the planned examination. If a service auditor's specialist will be used in the SOC 2® examination, paragraph .36 of AT-C section 205 requires the service auditor to do the following: Obtain an understanding of the specialist's field of expertise to enable the service auditor to determine the nature, scope, and objectives of the specialist's work and to evaluate the adequacy of that work. ¶ 2.160(b)
    {Planning to Use the Work of a Service Auditor's Specialist}The nature, timing, and extent of the service auditor's procedures to evaluate the matters discussed in this section vary depending on the circumstances of the engagement. When determining the nature, timing, and extent of those procedures, paragraph .38 of AT-C section 205 states that the service auditor should consider the following: The service auditor's knowledge of and experience with previous work performed by the service auditor's specialist ¶ 2.165(d)
    Other overall responses a service auditor may select to address the assessed risks of material misstatement include the following: Assigning more experienced staff or using specialists ¶ 3.03 Bullet 2
    Chapter 2 discusses the service auditor's responsibilities when a service auditor's specialist will be used in the SOC 2® examination. Those responsibilities include (a) evaluating the specialist's competence, capabilities, and objectivity; (b) obtaining an understanding of the specialist's field of expertise to enable the service auditor to determine the nature, scope, and objectives of the specialist's work and to evaluate the adequacy of that work; and (c) agreeing with the specialist on the terms of the engagement and other matters. In addition to those responsibilities, paragraph .36 of AT-C section 205 requires the service auditor to evaluate the adequacy of the work of the service auditor's specialist for the service auditor's purposes. ¶ 3.178
    {SOC 2 engagement}{professional standard}{regulatory requirement}{be relevant}{be appropriate} When considering the relevance of the service auditor's specialist's field of expertise to the engagement, the service auditor should consider (a) whether the specialist's field includes areas of specialty relevant to the engagement, (b) whether professional or other standards and regulatory or legal requirements apply, (c) assumptions and methods used by the specialist and whether they are generally accepted within the specialist's field and appropriate in the engagement circumstances, and (d) the nature of internal and external data or information used by the service auditor's specialist. ¶ 2.164
    {be appropriate} Chapter 1, "Introduction and Background," of this guide discusses quality in the SOC 2® examination. Maintaining appropriate quality in the engagement involves having the work performed by engagement team members with the appropriate competence and capabilities. For that reason, as discussed in paragraph 2.33, the service auditor should not accept the SOC 2® examination unless he or she has determined that the individuals who would perform the engagement have the appropriate competence and capabilities to perform it. ¶ 2.39
    {engagement team}When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: An understanding of business processes and controls ¶ 2.40 Bullet 3
    {engagement team}When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: An understanding, or the ability to obtain an understanding, of systems used to provide services, including operating and security of such systems, gained either through experience with engagements of a similar nature and complexity or through appropriate training and participation ¶ 2.40 Bullet 1
    {engagement team}When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: Knowledge of the service organization's industry and business, including whether the industry in which the service organization operates is subject to specific types of or unusual security risks ¶ 2.40 Bullet 2
    {previous engagement}The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: The experience gained during previous consulting or examination engagements with respect to similar potential description misstatements and deficiencies ¶ 4.09 Bullet 3
    {SOC 2 engagement}{stipulated timeframe}{applicable requirement}{be sufficient} By communicating with the service auditor's specialist about these matters early in the engagement, the service auditor will be in a better position to plan the scope and timing of the specialist's work on the engagement. In addition, he or she will be better able to plan the nature, timing, and extent of any procedures that relate to the work of the specialist, including the direction, supervision, and review of the specialist's work, particularly if that work will be used during initial engagement planning and risk assessment. Though not required, the service auditor should consider documenting, in an engagement letter or other appropriate form of written communication, the understanding reached with the service auditor's specialist about the matters discussed. When evaluating the service auditor specialist's competence and capabilities, the service auditor may obtain information from a variety of sources, including discussions with the specialist, personal experience with the specialist's work, discussions with others who are familiar with the specialist's work, or published papers or books written by the specialist, among other things. In addition, the service auditor needs to determine that the specialist has a sufficient understanding of the attestation standards relevant to the SOC 2® examination and this guide to enable the specialist to understand how his or her work will help achieve the objectives of the engagement. ¶ 2.161
    When evaluating competence, the service auditor should consider the attainment and maintenance of knowledge and skills of the internal audit function at the level required to enable assigned tasks to be performed diligently and with the appropriate level of quality, particularly as it relates to the work of the internal audit function that is to be used or, when using individuals for direct assistance, the individual. Consideration of factors such as the following may assist the service auditor with that evaluation: Knowledge of the areas being examined, including industry-specific or technical knowledge required to perform the work ¶ 2.140(d)
    {SOC 2 Report}{SOC 2 Engagement}In some situations, the service auditor may be requested to also include in the report a description of the service auditor's tests of controls or procedures performed to evaluate the existing or additional subject matter against the existing or additional criteria and the detailed results of those tests. In that case, paragraph .A85 of AT-C section 205 provides the following factors for the service auditor to consider before agreeing to include such information in the report: Whether the parties understand the nature and subject matter of the engagement and have experience in using the information in such reports ¶ 1.53 Bullet 3
    {control at the service organization} The service auditor should obtain an understanding of the service organization's system, including controls within the system. That understanding should include the service organization's processes and procedures used to do the following: ¶ 2.110
    {control at the service organization} Obtaining an understanding of the service organization's system, including related controls, assists the service auditor in the following: ¶ 2.113
    During engagement acceptance and planning, the service auditor is responsible for the following: Performing procedures to assess the risk of material misstatement, including obtaining an understanding of the service organization's system and how the system controls were designed, implemented, and operated to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria (see paragraph 2.111) ¶ 2.30 Bullet 5
    The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: The service auditor's understanding of the service organization and its environment ¶ 4.09 Bullet 7]
    Audits and Risk Management Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189
    [{SOC engagement} Independence, as defined by the AICPA Code of Professional Conduct, is required for examination-level engagements to report on controls at a service organization. The independence assessment process may address matters such as scope of services, fee arrangements, firm and individual financial relationships, firm business relationships, and alumni and familial relationships with the client and client personnel. ¶ 2.35
    {SOC 2 engagement}In establishing the overall engagement strategy, the service auditor ordinarily would do the following: Consider the results of preliminary engagement activities, such as client acceptance and, when applicable, whether knowledge gained on other engagements performed by the engagement partner for the service organization is relevant. ¶ 2.92(d)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Establish/Maintain Documentation Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192
    [If, after using professional judgment, the service auditor believes there is reasonable justification to change the terms of the engagement from those originally contemplated, the service auditor would issue an appropriate report on the service organization's system. The attestation standards do not require the service auditor's report to include a reference to (a) the original engagement, (b) any procedures that may have been performed, or (c) scope limitations that resulted in the changed engagement. The service auditor may also decide to document the change in the engagement in an addendum to the engagement agreement to evidence agreement to the change among the parties. ¶ 2.77]
    Establish/Maintain Documentation Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Establish/Maintain Documentation Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194
    [{description of the service organization's system}{refrain from describing}{level of detail} Although the description should include disclosures about each description criterion, such disclosures are not intended to be made at such a detailed level that they might increase the likelihood that a hostile party could exploit a security vulnerability, thereby compromising the service organization's ability to achieve its service commitments and system requirements. ¶ 3.18]
    Establish/Maintain Documentation Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Establish/Maintain Documentation Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201
    [{SOC 2 engagement}In establishing the overall engagement strategy, the service auditor ordinarily would do the following: Ascertain the expected timing and nature of required communications. ¶ 2.92(b)
    {review procedure}As a basis for coordinating the respective activities between the service auditor and the internal auditors when planning to use the work of the internal audit function, it may be useful to address the following: Review and reporting procedures ¶ 2.149 Bullet 6
    When the service auditor plans to use the work of the internal audit function, the service auditor may find it helpful to review the internal audit function's audit plan and discuss with management the planned use of the work of the internal audit function as a basis for coordinating the work of internal auditors with the service auditor's procedures. The audit plan provides information about the nature, timing, extent, and scope of the work performed by the internal audit function, as well as the work that is planned to be performed. ¶ 2.148
    {be permissible}If management refuses to correct or delete the other information containing a material inconsistency or a material misstatement of fact, paragraph .A67 of AT-C section 205 identifies the following examples of further actions the service auditor may take: If required or permissible, communicating with third parties (for example, a regulator) ¶ 4.102 Bullet 3
    If management refuses to correct or delete the other information containing a material inconsistency or a material misstatement of fact, paragraph .A67 of AT-C section 205 identifies the following examples of further actions the service auditor may take: Requesting the appropriate party or parties to consult with a qualified third party, such as the appropriate party's legal counsel ¶ 4.102 Bullet 1
    {be appropriate}{SOC 2 engagement}{take into account} Coordination between the service auditor and the internal audit function is effective when discussions take place at appropriate intervals throughout the period to which management's assertion pertains. It is important that the service auditor inform the internal audit function of significant matters as they arise during the engagement. Equally important is that the service auditor has access to relevant reports of the internal audit function and is advised of any significant matters that come to the attention of the internal auditors, when such matters may affect the scope of the examination and the potential nature, timing, or extent of the examination procedures. Communication throughout the engagement provides opportunities for internal auditors to bring up matters that may affect the service auditor's work. The service auditor is then able to take such information into account (for example, when assessing the risks that the description does not present the system that was designed and implemented in accordance with the description criteria or that controls were not suitably designed or, in a type 2 examination, not operating effectively). ¶ 2.150
    {SOC 2 engagement}{stipulated timeframe}{applicable requirement}{be sufficient} By communicating with the service auditor's specialist about these matters early in the engagement, the service auditor will be in a better position to plan the scope and timing of the specialist's work on the engagement. In addition, he or she will be better able to plan the nature, timing, and extent of any procedures that relate to the work of the specialist, including the direction, supervision, and review of the specialist's work, particularly if that work will be used during initial engagement planning and risk assessment. Though not required, the service auditor should consider documenting, in an engagement letter or other appropriate form of written communication, the understanding reached with the service auditor's specialist about the matters discussed. When evaluating the service auditor specialist's competence and capabilities, the service auditor may obtain information from a variety of sources, including discussions with the specialist, personal experience with the specialist's work, discussions with others who are familiar with the specialist's work, or published papers or books written by the specialist, among other things. In addition, the service auditor needs to determine that the specialist has a sufficient understanding of the attestation standards relevant to the SOC 2® examination and this guide to enable the specialist to understand how his or her work will help achieve the objectives of the engagement. ¶ 2.161
    {fraud}{noncompliance}{identify}Paragraph .A29 of AT-C section 205 indicates that in these circumstances (unless prohibited by law, regulation, or ethics standards), it may be appropriate for the service auditor to, for example, do the following: Communicate with third parties (for example, a regulator). ¶ 3.158 Bullet 5
    In addition to responding to known and suspected fraud and noncompliance with laws or regulations, the service auditor should communicate information regarding those matters, along with information regarding any uncorrected description misstatements or material deficiencies, to the appropriate levels of management (and to the engaging party, if different). The service auditor may also consider whether to communicate other matters. ¶ 3.193
    {be material}{description of the service organization's system} As discussed in chapter 2, the service auditor has a responsibility to consider known or suspected incidents of fraud and noncompliance with laws or regulations. Such incidents may include, for example, the intentional bypassing of controls and the intentional misstatement of one or more aspects of the description. As discussed in paragraph 3.163, when a deficiency or deviation is the result of an intentional act, it is likely to be considered more material than a deficiency or deviation caused by an unintentional act, particularly if the intentional act was perpetrated by a member of senior management. The service auditor determines the effect of such incidents on the description; the suitability of design of controls; in a type 2 examination, the operating effectiveness of controls; and the service auditor's report. Additionally, the service auditor communicates such information to appropriate parties. ¶ 3.190]
    Establish/Maintain Documentation Preventive
    Review the external audit scope, as necessary. CC ID 01202
    [{SOC engagement} Independence, as defined by the AICPA Code of Professional Conduct, is required for examination-level engagements to report on controls at a service organization. The independence assessment process may address matters such as scope of services, fee arrangements, firm and individual financial relationships, firm business relationships, and alumni and familial relationships with the client and client personnel. ¶ 2.35]
    Audits and Risk Management Preventive
    Review the external audit assertion for accuracy. CC ID 06977
    [According to paragraph .36 of AT-C section 205, evaluating the adequacy of the work of the service auditor's specialist involves consideration of the following: If the work of the service auditor's specialist involves the use of source data that are significant to the work of the service auditor's specialist, the relevance, completeness, and accuracy of that source data ¶ 3.179(c)
    {external requirement} When service organization management elects to use the inclusive method, subservice organization management is also a responsible party in the SOC 2® examination. Accordingly, subservice organization management has to comply with the requirements of AT-C sections 105 and 205 that relate to the responsible party, including providing the service auditor with a written assertion and representation letter at the conclusion of the examination. Therefore, use of the inclusive method involves extensive planning and communication among the service auditor, the service organization, and the subservice organization. ¶ 2.96
    {audit evidence} Although a service organization can contract with a subservice organization to perform functions that form a portion of the service organization's system, it still retains obligations to user entities with regard to those functions. As a result, part of its system of internal control includes activities to manage the risks associated with vendors and business partners, including activities to manage the risks associated with the functions performed by the subservice organization. In evaluating the suitability of the design and operating effectiveness of controls, the service auditor considers the nature and extent of the service organization's monitoring controls when determining the nature, timing, and extent of testing to perform. For example, if the service organization has obtained a type 2 report from a subservice organization, the service auditor would review the report to determine whether management has adequately evaluated it by assessing (a) the relevance of the system description and CSOCs to the service organization's system and (b) any deviations requiring further evaluation and response by service organization management. If service organization management has been unable to obtain a type 2 report, the service auditor should consider whether management has directly tested the subservice organization's controls by obtaining evidence about the effectiveness of the subservice organization's controls. However, unless the service auditor is reperforming management's tests of the subservice organization's controls, the service auditor's performance of tests directly on the subservice organization's controls would not provide evidence about the suitability of the design and operating effectiveness of the service organization's controls. In any event, the service auditor should obtain sufficient appropriate evidence of the effectiveness of the CSOCs. In addition, the service auditor needs to consider whether the subservice organization's use of its own IT system and connections to the service organization's IT network represents new vulnerabilities that need to be assessed and addressed as part of the service organization's risk assessment. ¶ 3.154]
    Testing Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978
    [{understand}{risk assessment documentation} An understanding of the process for determining the risks that would prevent the service organization's controls from providing reasonable assurance that the service organization's service commitments and system requirements were achieved, and for designing and implementing controls to address those risks, may assist the service auditor in identifying deficiencies in the design of controls. Some service organizations have a formal risk assessment process based on the applicable trust services criteria. In those circumstances, the service auditor may be able to inspect the risk assessment and controls documentation prepared by management to obtain an understanding of this process. ¶ 2.118
    Service organization management is responsible for designing and implementing controls to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria, identifying the risks that threaten the achievement of the service commitments and system requirements, modifying the controls as necessary based on new and evolving risks, and evaluating the linkage between the controls and the evolving risks and threats that threaten the achievement of the service commitments and system requirements. ¶ 3.80
    {suitably designed control}{description of the service organization's system}When making this evaluation, the service auditor does the following: Evaluates the linkage between the controls identified in the description and those risks ¶ 3.81 Bullet 2
    {audit conclusion} In certain situations, the service auditor may become aware of information that causes the service auditor to reconsider some of the conclusions reached to that point. For example, when obtaining the written representations from management, the service auditor may learn about a previously unknown security incident or a suspected fraud. The discovery of such information at this point in the examination should lead the service auditor to consider the effect of the matter on his or her risk assessment and other conclusions that the service auditor has reached. In some cases, the service auditor may conclude that reassessment of the risks of material misstatement is necessary, which may lead to the need to perform further procedures. Depending on the circumstances, the service auditor should also consider the guidance in the next section with respect to other actions that may be appropriate. ¶ 3.208
    {qualified opinion}{SOC 2 examination}{SOC 2 Engagement} The service auditor may also consider whether management has realistic expectations about the examination or whether the service organization may experience significant negative consequences if the service auditor's opinion is qualified because of a lack of appropriate controls and related documentation. In such situations, the service auditor may choose to decline the engagement. ¶ 2.34]
    Testing Detective
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014
    [{fraud}{noncompliance}{outside party} The service auditor may be precluded from reporting such incidents to parties outside the service organization because of the service auditor's professional duty to maintain the confidentiality of client information. However, the service auditor's legal responsibilities may vary by jurisdiction and, in certain circumstances, the duty of confidentiality may be overridden by statute, law, or courts of law. A duty to notify parties outside the entity may exist ¶ 3.195]
    Audits and Risk Management Detective
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190
    [If the service auditor expects to use the work of the other practitioner, paragraph .31 of AT-C section 105 requires the service auditor to do the following: Communicate clearly with the other practitioner about the scope and timing of the other practitioner's work and findings. (Such communication enables the service auditor to plan the nature, timing, and extent of any procedures that relate to the work of the other practitioner, including the involvement of the service auditor in the work of the other practitioner. Due to complexities involved in the planning of the engagement and obtaining agreement between all parties, using the work of an other practitioner is most likely to be successful when these matters are addressed early in engagement planning.) ¶ 2.156(c)
    If the service auditor expects to use the work of the other practitioner, paragraph .31 of AT-C section 105 requires the service auditor to do the following: Be involved in the work of the other practitioner, if assuming responsibility for the work of the other practitioner. ¶ 2.156(d)
    Chapter 2 discusses the service auditor's responsibilities when a service auditor's specialist will be used in the SOC 2® examination. Those responsibilities include (a) evaluating the specialist's competence, capabilities, and objectivity; (b) obtaining an understanding of the specialist's field of expertise to enable the service auditor to determine the nature, scope, and objectives of the specialist's work and to evaluate the adequacy of that work; and (c) agreeing with the specialist on the terms of the engagement and other matters. In addition to those responsibilities, paragraph .36 of AT-C section 205 requires the service auditor to evaluate the adequacy of the work of the service auditor's specialist for the service auditor's purposes. ¶ 3.178
    {audit opinion} The service auditor uses professional judgment in performing procedures to evaluate the work performed by the members of the entity's internal audit function. As discussed in chapter 2, the service auditor is responsible for determining the work to be performed and obtaining sufficient appropriate evidence for the opinion. The service auditor has sole responsibility for the opinion expressed in the service auditor's report, and that responsibility is not reduced by the service auditor's use of the work of the internal audit function. ¶ 3.170
    {description of the service organization's system} Paragraph .48 of AT-C section 205 does not require the service auditor to perform any procedures regarding the description, the suitability of design of controls, or the operating effectiveness of controls after the date of the service auditor's report. However, paragraph .49 of AT-C section 205 clarifies that the service auditor is responsible for responding appropriately to facts that become known after the date of the report that, had they been known as of the report date, may have caused the service auditor to revise the report. ¶ 3.216
    {engagement letter} In addition to these matters, the service auditor may decide to include other matters in the understanding, such as the identification of the service organization's service commitments and system requirements. Additional matters that may affect the service auditor's understanding of the terms of the engagement and how the terms should be documented in a recurring engagement are discussed in paragraph .09 of AT-C section 205. ¶ 2.73
    {Planning to Use the Work of a Service Auditor's Specialist}The nature, timing, and extent of the service auditor's procedures to evaluate the matters discussed in this section vary depending on the circumstances of the engagement. When determining the nature, timing, and extent of those procedures, paragraph .38 of AT-C section 205 states that the service auditor should consider the following: The nature of the matter to which the service auditor's specialist's work relates ¶ 2.165(b)
    {SOC 2 engagement}{stipulated timeframe}{applicable requirement}{be sufficient} By communicating with the service auditor's specialist about these matters early in the engagement, the service auditor will be in a better position to plan the scope and timing of the specialist's work on the engagement. In addition, he or she will be better able to plan the nature, timing, and extent of any procedures that relate to the work of the specialist, including the direction, supervision, and review of the specialist's work, particularly if that work will be used during initial engagement planning and risk assessment. Though not required, the service auditor should consider documenting, in an engagement letter or other appropriate form of written communication, the understanding reached with the service auditor's specialist about the matters discussed. When evaluating the service auditor specialist's competence and capabilities, the service auditor may obtain information from a variety of sources, including discussions with the specialist, personal experience with the specialist's work, discussions with others who are familiar with the specialist's work, or published papers or books written by the specialist, among other things. In addition, the service auditor needs to determine that the specialist has a sufficient understanding of the attestation standards relevant to the SOC 2® examination and this guide to enable the specialist to understand how his or her work will help achieve the objectives of the engagement. ¶ 2.161]
    Establish/Maintain Documentation Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Establish/Maintain Documentation Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Establish/Maintain Documentation Preventive
    Review the external auditor's qualifications. CC ID 01197
    [{engagement team}When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: Experience with evaluating the suitability of design and operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality, and privacy ¶ 2.40 Bullet 7
    {engagement team}When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: An understanding, or the ability to obtain an understanding, of systems used to provide services, including operating and security of such systems, gained either through experience with engagements of a similar nature and complexity or through appropriate training and participation ¶ 2.40 Bullet 1
    {examination engagement}With respect to the acceptance and continuance of client relationships and specific engagements, paragraph .27 of QC section 10, A Firm's System of Quality Control, states that the firm should establish policies and procedures for the acceptance and continuance of client relationships and specific engagements, designed to provide the firm with reasonable assurance that it will undertake or continue relationships and engagements only when the firm is competent to perform the examination and has the capabilities, including time and resources, to do so; ¶ 2.31(a)]
    Audits and Risk Management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198
    [{SOC 2 engagement}{SOC 2 examination}{be sufficient} Paragraph .44 of AT-C section 205 requires the service auditor, before the completion of the engagement, to evaluate whether the use of the work of the internal audit function or the use of internal auditors to provide direct assistance results in the service auditor still being sufficiently involved in the examination, given the service auditor's sole responsibility for the opinion expressed. ¶ 3.177]
    Audits and Risk Management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199
    [If the service auditor expects to use the work of the other practitioner, paragraph .31 of AT-C section 105 requires the service auditor to do the following: Evaluate whether the other practitioner's work is adequate for the service auditor's purposes. (Upon completion of the other practitioner's work, the service auditor should obtain an understanding of the results of the other practitioner's work and findings associated with that work. The service auditor may obtain such an understanding through review of the report of the results of the other practitioner's procedures, discussions with the other practitioner, and inspection of the other practitioner's working papers.) ¶ 2.156(e)
    {Planning to Use the Work of a Service Auditor's Specialist}{SOC 2 engagement}The nature, timing, and extent of the service auditor's procedures to evaluate the matters discussed in this section vary depending on the circumstances of the engagement. When determining the nature, timing, and extent of those procedures, paragraph .38 of AT-C section 205 states that the service auditor should consider the following: The significance of the service auditor's specialist's work in the context of the engagement ¶ 2.165(a)
    Chapter 2 discusses the service auditor's responsibilities when a service auditor's specialist will be used in the SOC 2® examination. Those responsibilities include (a) evaluating the specialist's competence, capabilities, and objectivity; (b) obtaining an understanding of the specialist's field of expertise to enable the service auditor to determine the nature, scope, and objectives of the specialist's work and to evaluate the adequacy of that work; and (c) agreeing with the specialist on the terms of the engagement and other matters. In addition to those responsibilities, paragraph .36 of AT-C section 205 requires the service auditor to evaluate the adequacy of the work of the service auditor's specialist for the service auditor's purposes. ¶ 3.178
    {evaluate}{adequacy}If the work of the service auditor's specialist involves the use of significant assumptions and methods, evaluating the relevance and reasonableness of those assumptions and methods in the circumstances, giving consideration to the rationale and support provided by the service auditor's specialist, and in relation to the service auditor's other findings and conclusions ¶ 3.179(b)(ii)
    {SOC 2 engagement}{professional standard}{regulatory requirement}{be relevant}{be appropriate} When considering the relevance of the service auditor's specialist's field of expertise to the engagement, the service auditor should consider (a) whether the specialist's field includes areas of specialty relevant to the engagement, (b) whether professional or other standards and regulatory or legal requirements apply, (c) assumptions and methods used by the specialist and whether they are generally accepted within the specialist's field and appropriate in the engagement circumstances, and (d) the nature of internal and external data or information used by the service auditor's specialist. ¶ 2.164
    {audit procedure}As in other attestation engagements, documentation in the SOC 2® examination would ordinarily also include a record of the following: If the service auditor uses the work of the internal audit function, other practitioners, or the service auditor's specialists, documentation of conclusions reached by the service auditor regarding the evaluation of the adequacy of the work and the procedures performed on that work ¶ 3.224 Bullet 5]
    Establish/Maintain Documentation Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200
    [{audit procedure}{be appropriate}{be effective}{be efficient} When planning the SOC 2® examination, the engagement partner and other key members of the engagement team develop an overall strategy for the scope, timing, and conduct of the engagement and an engagement plan, consisting of a detailed approach for the nature, timing, and extent of procedures to be performed. Adequate planning helps the service auditor devote appropriate attention to important areas of the engagement, identify potential problems on a timely basis, and properly organize and manage the engagement to make sure it is performed in an effective and efficient manner. Adequate planning also assists the service auditor in properly assigning work to engagement team members and facilitates the direction, supervision, and review of their work. Furthermore, if the work of internal auditors, other service auditors, or specialists is used in the engagement, proper planning helps the service auditor coordinate their work. ¶ 2.91
    {quantitative analysis}{audit result}{audit procedure}{description of the service organization's system}{do not operate effectively} The service auditor evaluates the results of all procedures performed and conducts both a quantitative (for example, rates of deviations in testing a control using a sample-based testing strategy) and qualitative analysis of whether identified description misstatements and deficiencies in the suitability of design and, in a type 2 examination, deviations in the operating effectiveness of controls result in a description that is not presented in accordance with the description criteria or in controls that are not suitably designed or operating effectively. As an example, assume that, when investigating the follow-up and resolution of two identified system incidents, the service auditor determined that the resolution took longer than the management-prescribed resolution requirement to complete, but that difference was not material (for example, final resolution took two days longer than prescribed). In such an instance, the service auditor may conclude that the deficiencies were not material. However, if the service auditor's testing determined that entity personnel failed to follow up at all for the two instances, he or she might conclude that the controls were not effective in achieving one or more service commitments or system requirements based on the applicable trust services criteria. ¶ 3.184
    {audit evidence}{audit opinion}When forming an opinion, paragraph .59 of AT-C section 205, Examination Engagements, requires the service auditor to evaluate the service auditor's conclusion about the sufficiency and appropriateness of evidence obtained during the examination and ¶ 4.04(a)
    {audit procedure}The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: The results of procedures performed, including whether such procedures identified specific description misstatements and deficiencies ¶ 4.09 Bullet 4
    {subsequent event}{significant effect}{description of the service organization's system}{suitability of design}{operating effectiveness}For example, the service auditor may obtain evidence by inquiring about and considering information about the operating effectiveness of controls by inspecting the following: Reports on other professional engagements for that entity ¶ 3.215 Bullet 4
    {audit evidence}Examples of procedures that may be performed to obtain such evidence include the following: Obtaining and evaluating a SOC 2® report on the subservice organization's system prepared using this guide ¶ 3.99 Bullet 3
    {audit conclusion} In certain situations, the service auditor may become aware of information that causes the service auditor to reconsider some of the conclusions reached to that point. For example, when obtaining the written representations from management, the service auditor may learn about a previously unknown security incident or a suspected fraud. The discovery of such information at this point in the examination should lead the service auditor to consider the effect of the matter on his or her risk assessment and other conclusions that the service auditor has reached. In some cases, the service auditor may conclude that reassessment of the risks of material misstatement is necessary, which may lead to the need to perform further procedures. Depending on the circumstances, the service auditor should also consider the guidance in the next section with respect to other actions that may be appropriate. ¶ 3.208
    {audit evidence}According to paragraph .36 of AT-C section 205, evaluating the adequacy of the work of the service auditor's specialist involves consideration of the following: The relevance and reasonableness of the findings and conclusions of the specialist and their consistency with other evidence ¶ 3.179(a)
    As in other attestation engagements, documentation in the SOC 2® examination would ordinarily also include a record of the following: Conclusions reached regarding the acceptance and continuance of client relationships and attestation engagements ¶ 3.224 Bullet 3]
    Establish/Maintain Documentation Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Behavior Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992
    [{Requested Written Representations Not Provided or Not Reliable}In such circumstances, the guidance in that paragraph states that the service auditor should discuss the matter with the appropriate party or parties, ¶ 3.210 Bullet 1]
    Behavior Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993
    [{Requested Written Representations Not Provided or Not Reliable}{responsible individual}{audit evidence}In such circumstances, the guidance in that paragraph states that the service auditor should reevaluate the integrity of those from whom the representations were requested or received and evaluate the effect that this may have on the reliability of representations and evidence in general, and ¶ 3.210 Bullet 2
    {description of the service organization's system}{audit opinion} Ordinarily, in the SOC 2® examination, service organization management's refusal to furnish evidence in the form of written representations constitutes a limitation on the scope of the examination sufficient to preclude an unmodified opinion on either the description or the effectiveness of controls. Usually, the scope limitation is sufficient to cause the service auditor to disclaim an opinion on both or to withdraw from the engagement. ¶ 3.211]
    Establish/Maintain Documentation Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994
[{Requested Written Representations Not Provided or Not Reliable}In such circumstances, the guidance in that paragraph states that the service auditor should, if any of the matters are not resolved to the service auditor's satisfaction, take appropriate action. ¶ 3.210 Bullet 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [{engagement strategy} Planning is a cumulative and iterative process that occurs throughout the engagement. Accordingly, the service auditor may need to revise the overall strategy and engagement plan based on unexpected events, changes in conditions, or evidence obtained that contradicts information previously considered. ¶ 2.95
    {audit procedure}{be appropriate}{be effective}{be efficient} When planning the SOC 2® examination, the engagement partner and other key members of the engagement team develop an overall strategy for the scope, timing, and conduct of the engagement and an engagement plan, consisting of a detailed approach for the nature, timing, and extent of procedures to be performed. Adequate planning helps the service auditor devote appropriate attention to important areas of the engagement, identify potential problems on a timely basis, and properly organize and manage the engagement to make sure it is performed in an effective and efficient manner. Adequate planning also assists the service auditor in properly assigning work to engagement team members and facilitates the direction, supervision, and review of their work. Furthermore, if the work of internal auditors, other service auditors, or specialists is used in the engagement, proper planning helps the service auditor coordinate their work. ¶ 2.91
    In a SOC 3® examination, the responsibilities of the service auditor are substantially the same as those in a SOC 2® examination and include the following: Establishing an overall strategy for the examination ¶ 2.172 Bullet 4
    {SOC 2 engagement} Paragraph .11 of AT-C section 205 requires a service auditor to establish an overall engagement strategy that sets the scope, timing, and direction of the engagement and guides in the development of the engagement plan. In establishing the overall engagement strategy, the service auditor ordinarily would do the following: ¶ 2.92
    {examination engagement}During engagement acceptance and planning, the service auditor is responsible for the following: Establishing an overall strategy for the examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement (see paragraph 2.92) ¶ 2.30 Bullet 4
    When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider may include, among others, (a) the existence, adequacy, and use of documented internal audit procedures or guidance covering such areas as risk assessments, work programs, documentation, and reporting or (b) whether the internal audit function has appropriate quality control policies and procedures. ¶ 2.142
{evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Relevance to compliance with laws and regulations. If the service organization is subject to requirements specified by laws or regulations related to security and the other trust services categories included within the scope of the SOC 2® examination, identified deficiencies and deviations related to compliance are likely to be significant because they may have additional consequences to the organization. Requirements established by laws and regulations may therefore need to be included in the consideration of materiality and the related engagement strategy. For laws and regulations that have a direct effect (for example, laws protecting sensitive personal information), the service organization may establish service commitments and system requirements about compliance with such laws. Other laws and regulations may be less directly linked to security and the other trust services categories; however, they may still be relevant to the examination (for example, regulations over the physical storage of biohazard materials, when the materials are stored in a warehouse with access secured by an electronic badging system). ¶ 3.163 Bullet 4]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Establish/Maintain Documentation Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [{SOC engagement} Independence, as defined by the AICPA Code of Professional Conduct, is required for examination-level engagements to report on controls at a service organization. The independence assessment process may address matters such as scope of services, fee arrangements, firm and individual financial relationships, firm business relationships, and alumni and familial relationships with the client and client personnel. ¶ 2.35
    A service auditor should accept or continue an engagement to examine and report on controls at a service organization only if the preconditions for an attestation engagement identified in paragraphs .24–.25 of AT-C section 105 are met: The service auditor is independent in accordance with the AICPA Code of Professional Conduct. (See paragraph 2.36.) ¶ 2.43(a)
    If the service auditor expects to use the work of the other practitioner, paragraph .31 of AT-C section 105 requires the service auditor to do the following: Obtain an understanding of whether the other practitioner understands, and will comply with, the ethical requirements that are relevant to the engagement and, in particular, is independent. (The discussion beginning in paragraph 2.36 also applies to the other practitioner.) ¶ 2.156(a)
    When performing engagements in which independence is required in accordance with the attestation standards, the service auditor needs to be independent with respect to the responsible party (or parties), as defined in those standards. If the service organization uses a subservice organization, and management elects to use the inclusive method to present certain information about the subservice organization in its description of the service organization's system, subservice organization management is also a responsible party. Consequently, the service auditor should also be independent of the subservice organization. The service auditor need not be independent of each user entity of the service organization. ¶ 2.37
    Chapter 2 discusses the service auditor's responsibilities when a service auditor's specialist will be used in the SOC 2® examination. Those responsibilities include (a) evaluating the specialist's competence, capabilities, and objectivity; (b) obtaining an understanding of the specialist's field of expertise to enable the service auditor to determine the nature, scope, and objectives of the specialist's work and to evaluate the adequacy of that work; and (c) agreeing with the specialist on the terms of the engagement and other matters. In addition to those responsibilities, paragraph .36 of AT-C section 205 requires the service auditor to evaluate the adequacy of the work of the service auditor's specialist for the service auditor's purposes. ¶ 3.178
    {refrain from allowing} When evaluating objectivity, the service auditor should consider whether the internal audit function as a whole or, when using individuals for direct assistance, the individual performs tasks without allowing bias, conflict of interest, or undue influence of others to override professional judgments. Factors that may affect the service auditor's evaluation of objectivity include the following: ¶ 2.141
    An internal audit function performs assurance and consulting activities designed to evaluate and improve the effectiveness of the service organization's governance, risk management, and internal control processes. Activities similar to those performed by an internal audit function may be conducted by functions with other titles within a service organization. Some or all of the activities of an internal audit function may also be outsourced to a third-party service provider. For example, a service organization may engage a service provider to perform (a) penetration testing, (b) responsibilities of the internal audit function that the function itself does not have the competency or qualifications to perform (for example, performing the IT internal audit function), or (c) a one-time special assessment at the request of the board of directors. Neither the title of the function nor whether it is performed by the service organization or a third-party service provider is a sole determinant of whether the service auditor can use the work of internal auditors. Rather, it is the nature of the activities, the extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal auditors, the competence of internal auditors, and the systematic and disciplined approach of the function that are relevant. References in this guide to the work of the internal audit function include relevant activities of other functions or third-party providers that have these characteristics. ¶ 2.132
    When evaluating the objectivity of the service auditor's external specialist, the service auditor may inquire of management (or the engaging party, if different) about any known interests or relationships (such as financial interests, business and personal relationships, and provision of other services by the service auditor's external specialist) that management has with the specialist that may affect the objectivity of the specialist. In certain cases, the service auditor may decide to request written representations from the service auditor's external specialist about any interests or relationships with management (or the engaging party, if different) of which the specialist is aware. ¶ 2.162]
    Establish Roles Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [{examination engagement}With respect to the acceptance and continuance of client relationships and specific engagements, paragraph .27 of QC section 10, A Firm's System of Quality Control, states that the firm should establish policies and procedures for the acceptance and continuance of client relationships and specific engagements, designed to provide the firm with reasonable assurance that it will undertake or continue relationships and engagements only when the firm has considered the integrity of the client and does not have information that would lead it to conclude that the client lacks integrity ¶ 2.31(c)
    {professional judgment}{engagement team}When considering the competence and capabilities of engagement team members, the engagement partner should be satisfied that the team assigned to the engagement collectively has the appropriate competence or capabilities. Such competencies and capabilities include the following: An understanding of professional standards and the ability to apply professional skepticism and judgment in the examination ¶ 2.40 Bullet 8
    {audit evidence} To prevent undue use of the internal audit function in obtaining evidence, the service auditor uses less of the work of the internal audit function and performs more of the work directly when more judgment is involved in planning and performing relevant procedures or in evaluating the evidence obtained. As indicated in paragraph .43 of AT-C section 205, the service auditor should plan to use less of the work of the function and perform more of the work directly, ¶ 2.146
    {audit procedure}{be appropriate}{be effective}{be efficient} When planning the SOC 2® examination, the engagement partner and other key members of the engagement team develop an overall strategy for the scope, timing, and conduct of the engagement and an engagement plan, consisting of a detailed approach for the nature, timing, and extent of procedures to be performed. Adequate planning helps the service auditor devote appropriate attention to important areas of the engagement, identify potential problems on a timely basis, and properly organize and manage the engagement to make sure it is performed in an effective and efficient manner. Adequate planning also assists the service auditor in properly assigning work to engagement team members and facilitates the direction, supervision, and review of their work. Furthermore, if the work of internal auditors, other service auditors, or specialists is used in the engagement, proper planning helps the service auditor coordinate their work. ¶ 2.91
    As indicated in paragraph .43 of AT-C section 205, the service auditor should plan to use less of the work of the function and perform more of the work directly, the higher the assessed risk of material misstatement. ¶ 2.146(b)
    {be insufficient}As indicated in paragraph .43 of AT-C section 205, the service auditor should plan to use less of the work of the function and perform more of the work directly, the lower the level of competence of the internal audit function. ¶ 2.146(d)
    The service auditor may also discuss with the service auditor's specialist any safeguards applicable to the specialist and evaluate whether the safeguards are adequate to reduce known threats to independence to an acceptable level. There may be some circumstances in which safeguards cannot reduce such threats to an acceptable level. For example, if the service auditor's specialist has played a significant role in implementing or operating significant aspects of the service organization's system and controls necessary to achieve its service commitments and system requirements, he or she is likely not objective (independent) when measuring or evaluating the suitability of design of controls or, in a type 2 examination, the operating effectiveness of controls within that program. ¶ 2.163
    {audit opinion} The service auditor uses professional judgment in performing procedures to evaluate the work performed by the members of the entity's internal audit function. As discussed in chapter 2, the service auditor is responsible for determining the work to be performed and obtaining sufficient appropriate evidence for the opinion. The service auditor has sole responsibility for the opinion expressed in the service auditor's report, and that responsibility is not reduced by the service auditor's use of the work of the internal audit function. ¶ 3.170
    {be sufficient} When using the work of the internal audit function, paragraph .40 of AT-C section 205 requires the service auditor to perform sufficient procedures, including reperformance, on the body of work of the internal audit function that the service auditor plans to use in order to evaluate whether such work is adequate for the service auditor's purposes. ¶ 3.167
    {audit evidence}{be persuasive}{be important}{audit procedure} Determining the nature and extent of evidence needed to assess the reliability of information produced by the service organization is a matter of professional judgment. The service auditor may obtain evidence about the reliability of such information when testing controls or may develop specific procedures that address this information. The more important the information or the control, the more persuasive the evidence about the reliability of the information should be. Because a type 2 report covers a period, the service auditor should evaluate the reliability of the information produced by the service organization throughout the period. ¶ 3.129
    If the service organization has an internal audit function, as part of understanding the service organization's system, the service auditor ordinarily obtains an understanding of the following: The activities performed or to be performed by the internal audit function as they relate to the SOC 2® examination ¶ 2.134(b)
    {SOC 2 engagement}In establishing the overall engagement strategy, the service auditor ordinarily would do the following: Consider the factors that, in the service auditor's professional judgment, are significant in directing the engagement team's efforts. ¶ 2.92(c)
    {audit evidence}As indicated in paragraph .43 of AT-C section 205, the service auditor should plan to use less of the work of the function and perform more of the work directly, the more judgment is involved in evaluating the evidence obtained. ¶ 2.146(a)(ii)
    {qualitative materiality}{quantitative materiality} Paragraph .A15 of AT-C section 205 states that materiality in an attestation engagement is considered in the context of qualitative factors and, when applicable, quantitative factors. The relative importance of each of those factors when considering materiality in a particular engagement is a matter of professional judgment, and those judgments are made in light of the surrounding circumstances. ¶ 3.05
    Whether sufficient appropriate evidence has been obtained on which to base the service auditor's opinion is a matter of professional judgment. The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: ¶ 4.09
    Before service organization management can fulfill those responsibilities, management may need clarification of certain matters from the service auditor. For example, management may have questions about whether certain processes are part of the system used to provide the services, whether a vendor is a subservice organization, and whether to use the inclusive or the carve-out method to present information about a subservice organization. When providing assistance to management, the service auditor needs to exercise care that he or she does not make decisions on management's behalf, which would impair the service auditor's independence. Independence is discussed beginning in paragraph 2.36. ¶ 2.05
    As a basis for coordinating the respective activities between the service auditor and the internal auditors when planning to use the work of the internal audit function, it may be useful to address the following: The nature of the work performed ¶ 2.149 Bullet 1
    If the service organization has an internal audit function, the service auditor's understanding of the service organization's system should include the following: The activities performed or to be performed by the internal audit function as it relates to the service organization ¶ 2.112(b)
    {SOC 2 engagement}If a modified opinion is appropriate, the service auditor determines whether to issue a qualified opinion, an adverse opinion, or a disclaimer of opinion. As indicated in paragraph .A103 of AT-C section 205, the decision regarding which type of modified opinion is appropriate depends on the following: The service auditor's professional judgment about the pervasiveness of the effects or possible effects of the matter on the subject matter of the engagement ¶ 4.45(b)
    Other overall responses a service auditor may select to address the assessed risks of material misstatement include the following: Emphasizing to the engagement team the need to maintain professional skepticism ¶ 3.03 Bullet 1
    {description of the service organization's system} When evaluating whether the description is presented in accordance with the description criteria, the service auditor should consider the implementation guidance for each criterion in supplement A. The implementation guidance presents factors to consider when making judgments about the nature and extent of disclosures called for by each criterion. Because the implementation guidance does not address all possible situations, the service auditor should consider the specific facts and circumstances of the service organization when applying the description criteria. ¶ 3.21
    {audit procedure} Nevertheless, effective entity-level controls, particularly those designed and implemented to meet the control environment criteria, may enable the service auditor to place greater confidence in the processes and controls the service organization has designed, implemented, and operated to provide reasonable assurance that its service commitments and system requirements were achieved. Thus, effective entity-level controls may reduce the nature and extent of the procedures the service auditor believes are necessary to perform to obtain sufficient appropriate evidence about the operating effectiveness of the controls stated in the description to support the opinion. They may also affect decisions related to when such procedures are planned to be performed. ¶ 2.128
    {audit procedure}As indicated in paragraph .43 of AT-C section 205, the service auditor should plan to use less of the work of the function and perform more of the work directly, the more judgment is involved in planning and performing relevant procedures or ¶ 2.146(a)(i)
    {be inadequate}As indicated in paragraph .43 of AT-C section 205, the service auditor should plan to use less of the work of the function and perform more of the work directly, the less the internal audit function's organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors. ¶ 2.146(c)
    The service auditor's consideration of materiality is a matter of professional judgment and is affected by the service auditor's perception of the common information needs of the broad range of report users as a group. In this context, it is reasonable for the service auditor to assume that report users possess a certain level of knowledge as described in paragraph 1.08. ¶ 2.107
    {audit procedure}{audit evidence} Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity required to evaluate the effectiveness of the control. As the significance of these factors increases, so does the need for the service auditor, rather than the internal audit function, to perform the procedures, and conversely, as these factors decrease in significance, the need for the service auditor to perform the tests decreases. ¶ 2.147
    {test of control} The extent of the service auditor's testing refers to the size of the sample tested or the number of observations of a control activity. The extent of testing is based on the service auditor's professional judgment after considering the tolerable rate of deviation, the expected rate of deviation, the frequency with which the control operates, the relevance and reliability of the evidence that can be obtained to support the conclusion that the controls are operating effectively, the length of the testing period, the significance of the control to the achievement of the service organization's service commitments and system requirements based on the applicable trust services criteria, and the extent to which audit evidence is obtained from tests of other controls that support the achievement of those service commitments and system requirements based on the applicable trust services criteria. ¶ 3.134
    {audit evidence} Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity required to evaluate the effectiveness of the control. As the significance of these factors increases, so does the need for the service auditor, rather than the internal audit function, to perform the procedures, and conversely, as these factors decrease in significance, the need for the service auditor to perform the tests decreases. ¶ 3.169
    {audit evidence} The extent to which the service auditor plans to use the work of the internal audit function is a matter of professional judgment. Because the service auditor has sole responsibility for expressing an opinion on the description, on the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls, the service auditor makes all significant judgments in the examination, including when to use the work of the internal audit function in obtaining evidence. ¶ 2.145
    {description of the service organization's system} As previously discussed, applying the description criteria requires judgment. One of those judgments involves the informational needs of report users. For most SOC 2® reports, there is a broad range of specified parties. Therefore, the description is intended to meet the common informational needs of the specified parties and does not ordinarily include information about every aspect of the system that may be considered important to each individual report user. However, an understanding of the perspectives and information needs of the broad range of intended SOC 2® report users is necessary to determine whether the description is presented in accordance with the description criteria and is sufficient to meet their needs. As discussed in chapter 1, "Introduction and Background," users of a SOC 2® report are expected to have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide them, among other matters. As a result, the service auditor assumes that the report users have such knowledge and understanding. ¶ 3.72]
    Behavior Preventive
    Include resource requirements in the audit program. CC ID 15237 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Establish/Maintain Documentation Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959
    [{SOC 2 engagement}{professional standard}{regulatory requirement}{be relevant}{be appropriate} When considering the relevance of the service auditor's specialist's field of expertise to the engagement, the service auditor should consider (a) whether the specialist's field includes areas of specialty relevant to the engagement, (b) whether professional or other standards and regulatory or legal requirements apply, (c) assumptions and methods used by the specialist and whether they are generally accepted within the specialist's field and appropriate in the engagement circumstances, and (d) the nature of internal and external data or information used by the service auditor's specialist. ¶ 2.164]
    Audits and Risk Management Preventive
    Establish and maintain audit terms. CC ID 13880
    [Paragraph .07 of AT-C section 205 requires the service auditor to agree on, and document in a written communication such as an engagement letter, the terms of the engagement with the engaging party. A written agreement reduces the risk that either the service auditor or service organization management may misinterpret the needs or expectations of the other party. For example, it reduces the risk that management may rely on the service auditor to protect the service organization against certain risks or to perform certain management functions. ¶ 2.70
    {type 1 examination}{type 2 examination}Prior to engaging a service auditor to perform a SOC 2® examination, service organization management is responsible for making a variety of decisions that affect the nature, timing, and extent of procedures to be performed in a SOC 2® examination, including the following: Defining the scope of the examination, which includes the following: Determining the type (type 1 or type 2) of SOC 2® examination to be performed ¶ 2.04 Bullet 1 Sub-Bullet 5]
    Establish/Maintain Documentation Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973
    [After the engagement agreement is executed but prior to the completion of the engagement, management may communicate a desire to change the scope of the engagement (for example, a change from the inclusive method to the carve-out method for subservice organizations or a change in the trust services category or categories, services, boundaries of the service organization's system, or components of the system covered by the examination). A change in the services covered by the examination might occur, for example, because the service organization has discontinued providing a particular part of its service. When management requests a change in the scope of the engagement, paragraph .29 of AT-C section 105 states that the service auditor should not agree to the change in the terms of the engagement unless there is reasonable justification for the change. Examples of situations in which there may be reasonable justification for a change include the following: ¶ 2.75]
    Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883
    [{SOC 2 engagement}Paragraph .08 of AT-C section 205 states that the agreed-upon terms of the engagement should include the following: A statement about the inherent limitations of an examination engagement ¶ 2.71(e)
    {audit opinion}Disclosures about the boundaries of the system would typically include matters such as the following: Any other information that is likely to assist report users in understanding the limitations on the service auditor's examination and opinion ¶ 4.113 Bullet 3]
    Establish/Maintain Documentation Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882
    [{SOC 2 engagement}Paragraph .08 of AT-C section 205 states that the agreed-upon terms of the engagement should include the following: A statement that the engagement will be conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants ¶ 2.71(c)
    {SOC 2 engagement}{regulatory requirement}{audit report} When using the work of an other practitioner, paragraph .A57 of AT-C section 205 clarifies that the service auditor is responsible for directing, supervising, and performing the engagement in compliance with professional standards, applicable regulatory and legal requirements, and the firm's policies and procedures. The service auditor is also responsible for determining whether the report issued is appropriate in the circumstances. ¶ 2.158
    {SOC 2 examination}{audit procedure}{be necessary}{not comply} A service auditor may express an unmodified opinion only when he or she has conducted the examination in accordance with the attestation standards. If the service auditor has been unable to apply all of the procedures considered necessary in the circumstances, the service auditor would not have complied with the attestation standards. ¶ 4.56
    {ethical requirement} Prior to accepting a SOC 2® examination, AT-C section 105, Concepts Common to All Attestation Engagements, requires the service auditor to determine that certain preconditions are met. Among other things, those preconditions require the service auditor to determine whether the engagement team meets the ethical and competency requirements set forth in the professional standards and whether the engagement meets the relevant requirements of the attestation standards. Prior to engagement acceptance, a service auditor is also required to establish an understanding with management about its responsibilities and those of the service auditor in the SOC 2® examination. ¶ 2.01
    {audit conclusion} In certain situations, the service auditor may become aware of information that causes the service auditor to reconsider some of the conclusions reached to that point. For example, when obtaining the written representations from management, the service auditor may learn about a previously unknown security incident or a suspected fraud. The discovery of such information at this point in the examination should lead the service auditor to consider the effect of the matter on his or her risk assessment and other conclusions that the service auditor has reached. In some cases, the service auditor may conclude that reassessment of the risks of material misstatement is necessary, which may lead to the need to perform further procedures. Depending on the circumstances, the service auditor should also consider the guidance in the next section with respect to other actions that may be appropriate. ¶ 3.208
    {SOC 2 Type 2 Report}In applying these requirements, the service auditor generally includes in the report the following statements: The examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Table 4-3 Column 3 Row 8 ¶ 1(1)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873
    [During the SOC 2® examination, service organization management is responsible for the following: Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description ¶ 2.26 Bullet 1
    {examination engagement}{description of the service organization's system}The responsibilities of management of the service organization toward the end of the engagement include the following: Modifying the description, if appropriate (chapter 4, "Forming the Opinion and Preparing the Service Auditor's Report," describes a few situations in which the service auditor would recommend that management modify the description) ¶ 2.29 Bullet 1
    {be responsible}{description of the service organization's system} In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method of presentation of the description. Service organization management is responsible for evaluating the description of the subservice organization's system, as well as its own. ¶ 2.100
    Service organization management may use either a formal or an informal process to prepare the description of the service organization's system. For example, a small service organization that prepares only one report per year is likely to have an informal process in which a few employees with personal knowledge of the operation of the system are assigned responsibility for drafting the description of the service organization's system and the draft is reviewed by senior management. A large service organization with many interrelated services and multiple reports that address systems that span many functional units is more likely to have a formal process. Such a process is likely to include a project management role that coordinates preparation of the description by different functional areas and review of the description by key executives across the organization. These two different types of processes are likely to be subject to different sources of misstatement. An understanding of the service organization's process for preparing the description may assist the service auditor in ¶ 2.117
    {description of the service organization's system} When a service organization uses multiple subservice organizations, it may prepare its description using the carve-out method for one or more subservice organizations and the inclusive method for others. ¶ 2.13
    {audit evidence}{description of the service organization's system} In other situations, the service organization may perform several control activities directed at meeting an applicable trust services criterion in order to achieve its service commitments and service requirements. Consequently, if the service auditor evaluates certain control activities as being ineffective in meeting a particular criterion, the service auditor may be able to obtain evidence about the operating effectiveness of other implemented control activities. If the service auditor determines that the identified control is not suitably designed to meet the criterion, and determines that one or more other implemented controls are suitably designed to meet it, the service auditor would ordinarily ask management to revise the description to exclude the control that is not suitably designed and include the control or controls that are suitably designed to meet the criterion. ¶ 3.94
    {description of the service organization's system} Service organization management is responsible for preparing the description of the system that was designed and implemented in accordance with the description criteria presented in supplement A, "2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report." Generally, management prepares the description from documentation supporting the system of internal control and system operations, as well as from consideration of the policies, processes, and procedures (controls) within the system used to provide the services. ¶ 3.13
    {description of the service organization's system} If the vendor is a subservice organization, the service organization's description of its system would include the information set forth in description criterion DC7 presented in supplement A, "2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report," depending on whether the inclusive or carve-out method is used with respect to the subservice organization. ¶ 2.11]
    Establish/Maintain Documentation Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and Risk Management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and Risk Management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and Risk Management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and Risk Management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and Risk Management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and Risk Management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and Risk Management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Establish/Maintain Documentation Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Establish/Maintain Documentation Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914
    [{description of the service organization's system} As stated in chapter 1, service organization management is responsible for achieving the service commitments it makes to user entities as well as for the requirements of the system that will enable the service organization to achieve them. Because of the importance of disclosures about the service organization's service commitments and system requirements to users of a SOC 2® report, description criterion DC2 requires service organization management to disclose the principal service commitments, which are those that are likely to be relevant to the broad range of SOC 2® report users. Such disclosure enables report users to better understand how the system operates and how management and the service auditor evaluated whether controls were suitably designed and, in a type 2 examination, operated effectively. For example, it may be common for a service organization to make the same system availability commitment to the majority of its user entities. Because information about the availability commitment common to most user entities is likely to be relevant to the broad range of SOC 2® report users, that commitment would be a principal service commitment and service organization management would describe it in the description. ¶ 2.59]
    Establish/Maintain Documentation Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and Risk Management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894
    [{be significant}{description of the service organization's system}{audit opinion} When performing the SOC 2® examination, the service auditor should also obtain an understanding of changes in the service organization's system implemented during the period covered by the examination. If the service auditor believes that the changes would be considered significant by the broad range of report users, the service auditor should determine whether those changes have been included in the description. The narrative discussing the change would be expected to contain an appropriate level of detail, including the date the change occurred and how the affected aspects of the system differed before and after the change. If such changes have not been included in the description, the service auditor may ask management to amend the description to include that information. If service organization management refuses to include this information in the description, the service auditor should consider the effect on his or her opinion on the description. ¶ 3.62]
    Establish/Maintain Documentation Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913
    [{be responsible}{description of the service organization's system} Trust services criterion CC2.3 states The entity communicates with external parties regarding matters affecting the functioning of internal control, which would include communication of user responsibilities. However, because user responsibilities are often voluminous, they are often communicated through other methods (for example, by describing them in user manuals). Consequently, disclosure of user entity responsibilities in the description is usually not practical. As a result, description criterion DC7 does not require service organization management to disclose user entity responsibilities. Instead, management identifies in the description the types of communications it makes to external users about user entity responsibilities. The form and content of such communication is the responsibility of service organization management. ¶ 3.38
    {audit evidence}Examples of procedures that may be performed to obtain such evidence include the following: Reading contracts and other communications with the subservice organization to determine whether they identify the types of controls expected to be implemented at the subservice organization ¶ 3.99 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Establish/Maintain Documentation Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911
    [{SOC 2 Type 2 Report}The report should identify the subject matter of a SOC 2® examination, which generally includes the following: A description of the service organization's system, the function performed by the system, and the period to which the description relates Table 4-3 Column 3 Row 4 ¶ 1(1)]
    Establish/Maintain Documentation Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896
    [{description of the service organization's system}Specifically, the description should include the following information about each incident: Extent (or effect) of the incident and its disposition ¶ 3.33 Bullet 3]
    Establish/Maintain Documentation Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895
    [{description of the service organization's system}Specifically, the description should include the following information about each incident: Extent (or effect) of the incident and its disposition ¶ 3.33 Bullet 3]
    Establish/Maintain Documentation Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891
    [{description of the service organization's system}Specifically, the description should include the following information about each incident: Timing surrounding the incident ¶ 3.33 Bullet 2]
    Establish/Maintain Documentation Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889
    [{description of the service organization's system}Specifically, the description should include the following information about each incident: Nature of the incident ¶ 3.33 Bullet 1]
    Establish/Maintain Documentation Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897
    [{separate}{description of the service organization's system} Controls at the subservice organization may also include aspects of the subservice organization's control environment, risk assessment process, information and communications, and monitoring activities to the extent that they are relevant to controls at the service organization. The description should separately identify controls at the service organization and controls at the subservice organization; however, there is no prescribed format for differentiating between controls at the service organization and controls at the subservice organization. ¶ 3.44]
    Establish/Maintain Documentation Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Establish/Maintain Documentation Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916
    [{Information About Controls to Be Included in the Description of the System} When: The frequency with which the control is performed, or the timing of its occurrence Table 3-1 Column 1 Row 5]
    Establish/Maintain Documentation Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910
    [{Information About Controls to Be Included in the Description of the System} How: The nature of the activity performed, including sources of information used in performing the control Table 3-1 Column 1 Row 4]
    Establish/Maintain Documentation Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909
    [{Information About Controls to Be Included in the Description of the System} How: The nature of the activity performed, including sources of information used in performing the control Table 3-1 Column 1 Row 4]
    Establish/Maintain Documentation Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907
    [{Information About Controls to Be Included in the Description of the System} Who: The party responsible for performing the control Table 3-1 Column 1 Row 3]
    Establish/Maintain Documentation Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904
    [{Information About Controls to Be Included in the Description of the System} What: The subject matter to which the control is applied Table 3-1 Column 1 Row 2]
    Establish/Maintain Documentation Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893
    [Ordinarily, a description of a service organization's system in a SOC 2® examination is presented in accordance with the description criteria when it does the following: Does not inadvertently or intentionally omit or distort information that is likely to be relevant to report users' decisions ¶ 3.17 Bullet 3]
    Establish/Maintain Documentation Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892
    [{be significant}{description of the service organization's system}{audit opinion} When performing the SOC 2® examination, the service auditor should also obtain an understanding of changes in the service organization's system implemented during the period covered by the examination. If the service auditor believes that the changes would be considered significant by the broad range of report users, the service auditor should determine whether those changes have been included in the description. The narrative discussing the change would be expected to contain an appropriate level of detail, including the date the change occurred and how the affected aspects of the system differed before and after the change. If such changes have not been included in the description, the service auditor may ask management to amend the description to include that information. If service organization management refuses to include this information in the description, the service auditor should consider the effect on his or her opinion on the description. ¶ 3.62]
    Establish/Maintain Documentation Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887
    [{description of the service organization's system} A service organization may have controls that it considers to be outside the boundaries of the system, such as controls related to the conversion of new user entities to the service organization's systems. To avoid misunderstanding by report users, the description should clearly delineate the boundaries of the system included within the scope of the engagement. ¶ 3.32
    {management assertion}{SOC 3 engagement} As discussed in the preceding paragraph, as part of its assertion, management describes the boundaries of the system and the principal service commitments and system requirements. The boundaries of a system addressed by the examination need to be clearly understood, defined, and communicated to report users. Report users need that information to enable them to understand the scope of the service auditor's examination. They also need information about the service organization's principal service commitments and system requirements to enable them to understand how the effectiveness of controls was evaluated based on the applicable trust services criteria. ¶ 4.112
    Disclosures about the boundaries of the system and the principal service commitments and system requirements ordinarily would be included in management's assertion or in an exhibit thereto. If management does not include those disclosures in its assertion (or in an exhibit thereto), the service auditor would need to modify the language of the SOC 3® report to include them. ¶ 4.114
    The boundaries of a system addressed by a SOC 2® examination need to be clearly understood, defined, and communicated to report users. For example, a financial reporting system is likely to be bounded by the components of the system related to financial transaction initiation, authorization, recording, processing, and reporting. The boundaries of a system related to processing integrity (system processing is complete, accurate, timely, and authorized), however, may extend to other operations (for example, risk management, internal audit, information technology, or customer call center processes). ¶ 1.21
    {be internal} In a SOC 2® examination that addresses the security, availability, or processing integrity criteria, the system boundaries would cover, at a minimum, all the system components as they relate to the transaction processing or service life cycle including initiation, authorization, processing, recording, and reporting of the transactions processed for or services provided to user entities. The system boundaries would not include instances in which transaction-processing information is combined with other information for secondary purposes internal to the service organization, such as customer metrics tracking. ¶ 1.22
    {management assertion}The elements of a SOC 3® report are as follows: An assertion by service organization management about whether the controls were effective throughout the period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. As part of that assertion, management describes the boundaries of the system and the service organization's principal service commitments and system requirements. ¶ 4.111 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885
    [During the SOC 2® examination, service organization management is responsible for the following: Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description ¶ 2.26 Bullet 1
    {be responsible}{description of the service organization's system} In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method of presentation of the description. Service organization management is responsible for evaluating the description of the subservice organization's system, as well as its own. ¶ 2.100
    {description of the service organization's system} Use of the inclusive method becomes more complex when the service organization uses multiple subservice organizations. When the services of more than one subservice organization are likely to be relevant to report users, service organization management may use the inclusive method for one or more subservice organizations and the carve-out method for other subservice organizations. In these instances, the description needs to clearly state which subservice organizations and related functions are included in the description and which are carved out. The presentation of any subservice organizations should adhere to the approach that service organization management has selected, whether that approach is the inclusive or the carve-out method. ¶ 2.97]
    Establish/Maintain Documentation Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884
    [Paragraph .A1 of AT-C section 105 states that the subject matter of an attestation examination may be "as of a point in time" or "for a specified period of time." Service organization management is responsible for determining the time frame to be covered by the description of the service organization's system. Generally, in a type 1 examination, the time frame is as of a point in time; in a type 2 examination, it is for a specified period of time. Regardless of the time frame selected, the SOC 2® examination contemplates that the time frame is the same for both the description and management's assertion. Furthermore, the discussions in this guide about type 2 examinations contemplate that management has elected to have the examination performed for a specified period of time. ¶ 1.24
    {SOC 2 Type 2 Report}The report should identify the subject matter of a SOC 2® examination, which generally includes the following: A description of the service organization's system, the function performed by the system, and the period to which the description relates Table 4-3 Column 3 Row 4 ¶ 1(1)]
    Establish/Maintain Documentation Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899
    [Prior to engaging a service auditor to perform a SOC 2® examination, service organization management is responsible for making a variety of decisions that affect the nature, timing, and extent of procedures to be performed in a SOC 2® examination, including the following: Specifying the principal service commitments made to user entities and the system requirements needed to operate the system ¶ 2.04 Bullet 2
    Management's responsibilities during acceptance and planning of a SOC 3® examination include the following: Specifying the principal service commitments made to user entities and the system requirements needed to operate the system ¶ 2.168 Bullet 2
    {evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Relevance to compliance with laws and regulations. If the service organization is subject to requirements specified by laws or regulations related to security and the other trust services categories included within the scope of the SOC 2® examination, identified deficiencies and deviations related to compliance are likely to be significant because they may have additional consequences to the organization. Requirements established by laws and regulations may therefore need to be included in the consideration of materiality and the related engagement strategy. For laws and regulations that have a direct effect (for example, laws protecting sensitive personal information), the service organization may establish service commitments and system requirements about compliance with such laws. Other laws and regulations may be less directly linked to security and the other trust services categories; however, they may still be relevant to the examination (for example, regulations over the physical storage of biohazard materials, when the materials are stored in a warehouse with access secured by an electronic badging system). ¶ 3.163 Bullet 4
    {management assertion}{SOC 3 engagement} As discussed in the preceding paragraph, as part of its assertion, management describes the boundaries of the system and the principal service commitments and system requirements. The boundaries of a system addressed by the examination need to be clearly understood, defined, and communicated to report users. Report users need that information to enable them to understand the scope of the service auditor's examination. They also need information about the service organization's principal service commitments and system requirements to enable them to understand how the effectiveness of controls was evaluated based on the applicable trust services criteria. ¶ 4.112
    Service organization management is responsible for establishing its service commitments and system requirements. Service commitments are the declarations made by service organization management to user entities (its customers) about the system used to provide the service. Commitments can be communicated in written individualized agreements, standardized contracts, service level agreements, or published statements (for example, a security practices statement). Commitments may be made on many different aspects of the service being provided, including the following: ¶ 1.45
    {description of the service organization's system}{principal system requirement}{SOC 2 engagement} Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to understand how the system operates and how management and the service auditor evaluated the suitability of the design of controls and, in a type 2 examination, the operating effectiveness of controls. Because of the importance of the service commitments and system requirements to the SOC 2® examination, the principal service commitments and system requirements disclosed by management should be appropriate for the engagement. Chapter 2, "Accepting and Planning a SOC 2® Examination," discusses the service auditor's responsibility for assessing whether the principal service commitments and system requirements disclosed by service organization management in the description are appropriate. ¶ 1.49
    A service organization's system of internal control is evaluated by using the trust services criteria to determine whether the service organization's controls provide reasonable assurance that its business objectives and sub-objectives are achieved. When a service organization provides services to user entities, its objectives and sub-objectives relate primarily to (a) the achievement of the service commitments made to user entities related to the system used to provide the services and the system requirements necessary to achieve those commitments, (b) compliance with laws and regulations regarding the provision of the services by the system, and (c) the achievement of the other objectives the service organization has for the system. These are referred to as the service organization's service commitments and system requirements. ¶ 1.44
    {description of the service organization's system} When the description addresses privacy, service organization management discloses the service commitments and system requirements identified in the service organization's privacy notice or in its privacy policy that are relevant to the system being described. When making such disclosures, it may also be helpful to report users if service organization management describes the purposes, uses, and disclosures of personal information as permitted by user entity agreements. ¶ 2.61
    Disclosures about the boundaries of the system and the principal service commitments and system requirements ordinarily would be included in management's assertion or in an exhibit thereto. If management does not include those disclosures in its assertion (or in an exhibit thereto), the service auditor would need to modify the language of the SOC 3® report to include them. ¶ 4.114
    {management assertion}The elements of a SOC 3® report are as follows: An assertion by service organization management about whether the controls were effective throughout the period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. As part of that assertion, management describes the boundaries of the system and the service organization's principal service commitments and system requirements. ¶ 4.111 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883
    [During the SOC 2® examination, service organization management is responsible for the following: Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description ¶ 2.26 Bullet 1
    {be responsible}{description of the service organization's system} In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method of presentation of the description. Service organization management is responsible for evaluating the description of the subservice organization's system, as well as its own. ¶ 2.100]
    Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and Risk Management Detective
    Include system requirements in the audit assertion's in scope system description. CC ID 14881
    [Prior to engaging a service auditor to perform a SOC 2® examination, service organization management is responsible for making a variety of decisions that affect the nature, timing, and extent of procedures to be performed in a SOC 2® examination, including the following: Specifying the principal system requirements related to commitments made to business partners ¶ 2.04 Bullet 3
    System requirements are the specifications about how the system should function to (a) meet the service organization's service commitments to user entities and others (such as user entities' customers); (b) meet the service organization's commitments to vendors and business partners; (c) comply with relevant laws and regulations and guidelines of industry groups, such as business or trade associations; and (d) achieve other objectives of the service organization that are relevant to the trust services categories addressed by the description. Requirements are often specified in the service organization's system policies and procedures, system design documentation, contracts with customers, and in government regulations. The following are examples of system requirements: ¶ 1.47
    {description of the service organization's system} Likewise, management should disclose only the principal system requirements that are relevant to the trust services category or categories addressed by the description and that are likely to be relevant to the broad range of SOC 2® report users. When identifying which system requirements to disclose, service organization management may consider matters such as internal policies that are relevant to the system being described, key decisions made in the design and operation of the system, and other business requirements for the system. For example, management would ordinarily not disclose internal requirements related to the operating margin for the services associated with the system because such information is unlikely to be relevant to the broad range of SOC 2® report users. ¶ 2.63
    Management's responsibilities during acceptance and planning of a SOC 3® examination include the following: Specifying the principal service commitments made to user entities and the system requirements needed to operate the system ¶ 2.168 Bullet 2
    {evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Relevance to compliance with laws and regulations. If the service organization is subject to requirements specified by laws or regulations related to security and the other trust services categories included within the scope of the SOC 2® examination, identified deficiencies and deviations related to compliance are likely to be significant because they may have additional consequences to the organization. Requirements established by laws and regulations may therefore need to be included in the consideration of materiality and the related engagement strategy. For laws and regulations that have a direct effect (for example, laws protecting sensitive personal information), the service organization may establish service commitments and system requirements about compliance with such laws. Other laws and regulations may be less directly linked to security and the other trust services categories; however, they may still be relevant to the examination (for example, regulations over the physical storage of biohazard materials, when the materials are stored in a warehouse with access secured by an electronic badging system). ¶ 3.163 Bullet 4
    {management assertion}{SOC 3 engagement} As discussed in the preceding paragraph, as part of its assertion, management describes the boundaries of the system and the principal service commitments and system requirements. The boundaries of a system addressed by the examination need to be clearly understood, defined, and communicated to report users. Report users need that information to enable them to understand the scope of the service auditor's examination. They also need information about the service organization's principal service commitments and system requirements to enable them to understand how the effectiveness of controls was evaluated based on the applicable trust services criteria. ¶ 4.112
    Service organization management is responsible for establishing its service commitments and system requirements. Service commitments are the declarations made by service organization management to user entities (its customers) about the system used to provide the service. Commitments can be communicated in written individualized agreements, standardized contracts, service level agreements, or published statements (for example, a security practices statement). Commitments may be made on many different aspects of the service being provided, including the following: ¶ 1.45
    {description of the service organization's system}{principal system requirement}{SOC 2 engagement} Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to understand how the system operates and how management and the service auditor evaluated the suitability of the design of controls and, in a type 2 examination, the operating effectiveness of controls. Because of the importance of the service commitments and system requirements to the SOC 2® examination, the principal service commitments and system requirements disclosed by management should be appropriate for the engagement. Chapter 2, "Accepting and Planning a SOC 2® Examination," discusses the service auditor's responsibility for assessing whether the principal service commitments and system requirements disclosed by service organization management in the description are appropriate. ¶ 1.49
    A service organization's system of internal control is evaluated by using the trust services criteria to determine whether the service organization's controls provide reasonable assurance that its business objectives and sub-objectives are achieved. When a service organization provides services to user entities, its objectives and sub-objectives relate primarily to (a) the achievement of the service commitments made to user entities related to the system used to provide the services and the system requirements necessary to achieve those commitments, (b) compliance with laws and regulations regarding the provision of the services by the system, and (c) the achievement of the other objectives the service organization has for the system. These are referred to as the service organization's service commitments and system requirements. ¶ 1.44
    {description of the service organization's system} When the description addresses privacy, service organization management discloses the service commitments and system requirements identified in the service organization's privacy notice or in its privacy policy that are relevant to the system being described. When making such disclosures, it may also be helpful to report users if service organization management describes the purposes, uses, and disclosures of personal information as permitted by user entity agreements. ¶ 2.61
    Disclosures about the boundaries of the system and the principal service commitments and system requirements ordinarily would be included in management's assertion or in an exhibit thereto. If management does not include those disclosures in its assertion (or in an exhibit thereto), the service auditor would need to modify the language of the SOC 3® report to include them. ¶ 4.114
    {management assertion}The elements of a SOC 3® report are as follows: An assertion by service organization management about whether the controls were effective throughout the period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. As part of that assertion, management describes the boundaries of the system and the service organization's principal service commitments and system requirements. ¶ 4.111 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880
    [{description of the service organization's system} When using the carve-out method, the description would identify the types of CSOCs that the subservice organization is assumed to have implemented. Examples of the types of CSOCs the subservice organization is assumed to have implemented include the following: ¶ 2.18
    In evaluating the appropriateness of the subject matter when determining whether to accept or continue a SOC 2® examination, relevant matters to consider may include the functions performed by the system, how subservice organizations are used, how information about subservice organizations will be presented in the description of the service organization's system (inclusive or carve-out method), the relevance to the system of the trust services category or categories included within the scope of the examination, and the period of time covered by the examination. For example, assume that service organization management wishes to engage the service auditor to perform a type 2 examination for a period of less than two months. In such circumstances, the service auditor may conclude that it is unlikely that sufficient appropriate evidence can be obtained to support an opinion. ¶ 2.46
    If there are CUECs, description criterion DC6 requires that fact to be disclosed in the description of the service organization's system. In addition, because the service auditor does not examine the controls implemented at user entities, disclosure of that information in the service auditor's report is necessary to inform report users about that limitation on the examination. In addition, the service auditor's report should include a statement that the service auditor has not evaluated the suitability of the design or operating effectiveness of CUECs and that the service organization can achieve its service commitments and system requirements based on the applicable trust services criteria stated in the description only if CUECs are suitably designed and operating effectively, along with the related controls at the service organization. Illustrative language related to CUECs and CSOCs is shown in boldface italics in table 4-3. ¶ 4.37
    {description of the service organization's system} If the service organization obtains the subservice organization's type 1 or type 2 report that identifies the need for CUECs, during planning, service organization management considers how to address that information in its description. For example, a service organization that outsources aspects of its technology infrastructure to a subservice organization may find that the subservice organization's description of its systems includes the following CUEC: ¶ 3.90
    {description of the service organization's system} Use of the inclusive method becomes more complex when the service organization uses multiple subservice organizations. When the services of more than one subservice organization are likely to be relevant to report users, service organization management may use the inclusive method for one or more subservice organizations and the carve-out method for other subservice organizations. In these instances, the description needs to clearly state which subservice organizations and related functions are included in the description and which are carved out. The presentation of any subservice organizations should adhere to the approach that service organization management has selected, whether that approach is the inclusive or the carve-out method. ¶ 2.97]
    Establish/Maintain Documentation Preventive
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and Risk Management Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Business Processes Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and Risk Management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and Risk Management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [{SOC 2 examination} Because of the additional complexities involved with the use of the inclusive method, both the service organization and the subservice organization ought to agree on the use of the inclusive approach before it is selected for the examination. In addition, to facilitate the process, service organization management generally coordinates the use of the inclusive method with the subservice organization. If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: ¶ 2.98
    If the service auditor expects to use the work of the other practitioner, paragraph .31 of AT-C section 105 requires the service auditor to do the following: Obtain an understanding of whether the other practitioner understands, and will comply with, the ethical requirements that are relevant to the engagement and, in particular, is independent. (The discussion beginning in paragraph 2.36 also applies to the other practitioner.) ¶ 2.156(a)
    {description of the service organization's system}{design effectiveness}{SOC 2 engagement}{audit opinion} If management refuses to provide a written assertion, paragraph .82 of AT-C section 205 requires the service auditor to withdraw from the engagement when withdrawal is possible under applicable laws and regulations. Consequently, it is important to obtain management's agreement to provide the written assertion prior to engagement acceptance. If law or regulation does not allow the service auditor to withdraw, the service auditor should disclaim an opinion on the description, the suitability of design of controls, and, in a type 2 examination, the operating effectiveness of controls. ¶ 2.68
    Paragraph .07 of AT-C section 205 requires the service auditor to agree on, and document in a written communication such as an engagement letter, the terms of the engagement with the engaging party. A written agreement reduces the risk that either the service auditor or service organization management may misinterpret the needs or expectations of the other party. For example, it reduces the risk that management may rely on the service auditor to protect the service organization against certain risks or to perform certain management functions. ¶ 2.70
    During engagement acceptance and planning, the service auditor is responsible for the following: Agreeing on the terms of the engagement with service organization management, including establishing an understanding about the responsibilities of management and the service auditor (see paragraph 2.71) ¶ 2.30 Bullet 2
    If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: Acknowledgment from subservice organization management that it will provide the service auditor with a written assertion and representation letter (Both service organization management and subservice organization management are responsible for providing the service auditor with a written assertion and representation letter.) ¶ 2.98 Bullet 2
    {audit opinion}{management assertion} AT-C section 205 does not include requirements for the service auditor to perform procedures to determine whether management has a reasonable basis for its assertion. However, because of the relationship between (a) the evaluation of the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls and (b) monitoring, the service auditor ordinarily discusses with management the basis for its assertion prior to engagement acceptance. This will assist the service auditor in determining whether the basis appears reasonable for the size and complexity of the service organization and whether the service auditor expects to be able to obtain sufficient appropriate evidence to arrive at his or her opinion, which is also a precondition of the examination. ¶ 2.51
    In a SOC 3® examination, the responsibilities of the service auditor are substantially the same as those in a SOC 2® examination and include the following: Agreeing on the terms of the engagement ¶ 2.172 Bullet 2
    Chapter 2 discusses the service auditor's responsibilities when a service auditor's specialist will be used in the SOC 2® examination. Those responsibilities include (a) evaluating the specialist's competence, capabilities, and objectivity; (b) obtaining an understanding of the specialist's field of expertise to enable the service auditor to determine the nature, scope, and objectives of the specialist's work and to evaluate the adequacy of that work; and (c) agreeing with the specialist on the terms of the engagement and other matters. In addition to those responsibilities, paragraph .36 of AT-C section 205 requires the service auditor to evaluate the adequacy of the work of the service auditor's specialist for the service auditor's purposes. ¶ 3.178
    Although it is not the objective of a service auditor's engagement, a service auditor may develop recommendations to improve a service organization's controls. The service auditor and service organization management agree on whether and how such recommendations will be communicated. Typically, the service auditor includes this information in a separate written communication provided only to service organization management. ¶ 4.94
    When establishing the terms of the engagement, the service auditor's understanding with the engaging party may include the fact that the use of the SOC 2® report will be restricted to the parties identified in the report. In addition, the service auditor should consider informing the engaging party that restricted-use reports are not intended for distribution to non-specified parties, and the service auditor should obtain from the engaging party an agreement that the engaging party and the specified parties will not distribute the report to parties other than those identified in the report. ¶ 4.93
    {SOC 2 engagement}{stipulated timeframe}{applicable requirement}{be sufficient} By communicating with the service auditor's specialist about these matters early in the engagement, the service auditor will be in a better position to plan the scope and timing of the specialist's work on the engagement. In addition, he or she will be better able to plan the nature, timing, and extent of any procedures that relate to the work of the specialist, including the direction, supervision, and review of the specialist's work, particularly if that work will be used during initial engagement planning and risk assessment. Though not required, the service auditor should consider documenting, in an engagement letter or other appropriate form of written communication, the understanding reached with the service auditor's specialist about the matters discussed. When evaluating the service auditor specialist's competence and capabilities, the service auditor may obtain information from a variety of sources, including discussions with the specialist, personal experience with the specialist's work, discussions with others who are familiar with the specialist's work, or published papers or books written by the specialist, among other things. In addition, the service auditor needs to determine that the specialist has a sufficient understanding of the attestation standards relevant to the SOC 2® examination and this guide to enable the specialist to understand how his or her work will help achieve the objectives of the engagement. ¶ 2.161
    {does not have} Quality control policies and procedures to comply with the quality control requirements often include consideration of the integrity and reputation of service organization management and significant shareholders or principal owners to determine whether the firm's reputation is likely to suffer by association. Generally, the service auditor will accept or continue a client relationship only after he or she has considered the integrity of service organization management, significant shareholders, or principal owners and has no information that would lead the service auditor to believe that the client lacks integrity. Absent such information, a service auditor generally would conclude that it is unlikely that association with the client would expose the service auditor to undue risk of damage to his or her professional reputation or financial loss. ¶ 2.33
    If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: The planned content and format of the inclusive description ¶ 2.98 Bullet 3
    {system boundary}{audit criteria}{be capable}{audit opinion} According to paragraph .A37 of AT-C section 105, subject matter is appropriate if it is identifiable, capable of consistent measurement or evaluation based on the criteria, and can be subjected to procedures for obtaining sufficient appropriate evidence to support an opinion. In a SOC 2® examination, the service auditor should consider whether the system used to provide the services is identifiable. For instance, the boundaries of a system addressed by a SOC 2® examination may not be as clear as the boundaries of a financial reporting system addressed by a SOC 1® examination; therefore, before accepting a SOC 2® examination, the service auditor and management should agree on the system being reported on and its boundaries. In doing so, management and the service auditor consider the relationship between the boundaries of each of the components of the system used to provide the services, as discussed in paragraph 1.21. ¶ 2.45
    When planning a SOC 2® examination, a service auditor may decide that engaging or assigning a specialist with specific skills and knowledge is necessary to execute the planned examination. If a service auditor's specialist will be used in the SOC 2® examination, paragraph .36 of AT-C section 205 requires the service auditor to do the following: Agree with the specialist regarding the nature, scope, and objectives of the specialist's work; ¶ 2.160(c)(i)
    The quality control requirements for competence and ethical behavior are reiterated in paragraph .27 of AT-C section 105, which states that the service auditor should accept or continue a SOC 2® examination only when the service auditor has reached a common understanding with the engaging party of the terms of the engagement, including the service auditor's reporting responsibilities. (Chapter 4 discusses reporting in a SOC 2® examination.) ¶ 2.32(d)
    {SOC 2 engagement} In establishing the overall engagement strategy, the service auditor ordinarily would do the following: Obtain an understanding of the services provided by the service organization, the system used to provide them, and the service organization's service commitments and system requirements that define the engagement. ¶ 2.92(a)
    {be relevant} Although not required by the attestation standards, the service auditor would ordinarily expect the engaging party to sign the engagement letter. The engaging party's refusal to sign the engagement letter would be a relevant factor in the service auditor's consideration of the integrity of the client and the service auditor's decision about whether to accept or continue the engagement. If service organization management is the engaging party and refuses to sign the engagement letter, the service auditor should decline to accept or perform the SOC 2® examination, unless that is not allowed by applicable law or regulation. ¶ 2.74
    {SOC 2 Examination} During engagement acceptance and planning, the service auditor is responsible for the following: Reaching an understanding with management regarding their willingness and ability to provide a written assertion at the conclusion of the examination (see paragraph 2.67) ¶ 2.30 Bullet 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [Prior to engaging a service auditor to perform a SOC 2® examination, service organization management is responsible for making a variety of decisions that affect the nature, timing, and extent of procedures to be performed in a SOC 2® examination, including the following: Defining the scope of the examination, which includes the following: ¶ 2.04 Bullet 1
    {audit opinion}{audit evidence} During planning, the service auditor should determine whether the subservice organization will provide a written assertion and representation letter. In addition, the service auditor should determine whether it will be possible to obtain evidence that supports the portion of the opinion that addresses the subservice organization. If service organization management wishes to use the inclusive method, but subservice organization management refuses to provide a written assertion, the service organization will not be able to use the inclusive method but may be able to use the carve-out method instead. ¶ 2.99
    If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: The scope of the examination and the period to be covered by the service auditor's report ¶ 2.98 Bullet 1
    Accordingly, the service auditor should consider the nature of threats and the likelihood and magnitude of the risks arising from those threats to the achievement of the service organization's service commitments and system requirements based on the applicable trust services criteria. For example, the service auditor should consider the technical environment and whether the realization of security-related threats or exploitation of vulnerabilities related to the security of specific information assets, which appear inconsequential, could expose (either directly or indirectly) information assets and thereby result in failure to achieve the service organization's service commitments and system requirements. If access to another system (used to provide other services not addressed by the SOC 2® examination) could provide access to the service organization's system that is being examined, and the service auditor determines there is a high likelihood that such a vulnerability might be exploited, the service auditor is likely to consider access to the other system in the SOC 2® examination. ¶ 2.106
    {be incomplete}{be unsatisfactory}{be reasonable} Other changes to the scope of the engagement, however, may not be considered reasonable if they relate to information that is incorrect, incomplete, or otherwise unsatisfactory. For example, a request to change the period covered by the examination, or exclude portions of the system from the scope of the examination, may be unreasonable because of the likelihood that the service auditor's opinion would be modified. A request to change the scope of the examination to prevent the disclosure of deviations identified at a subservice organization by changing from the inclusive method to the carve-out method would also be unreasonable. ¶ 2.76
    Management's responsibilities during acceptance and planning of a SOC 3® examination include the following: Defining the scope of the examination, as discussed in paragraph 2.04 ¶ 2.168 Bullet 1
    {timely manner}{time period}{audit scope} Regardless of whether the carve-out or inclusive method is selected, the description of the service organization's system and the scope of the service auditor's examination include the controls designed, implemented, and operated at the service organization to monitor the effectiveness of controls at the subservice organization. Controls over subservice organizations are usually a necessary part of a system of internal control in order for it to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. These types of controls are evaluated using trust services criterion CC9.2, The entity assesses and manages risks associated with vendors and business partners. Such monitoring controls may include some combination of (1) ongoing monitoring to determine that potential issues are identified timely and (2) separate evaluations to determine that internal controls are effective over time. Examples of monitoring controls include reviewing and reconciling output reports, holding periodic discussions with subservice organization personnel, making regular site visits to the subservice organization, performing tests of controls at the subservice organization by members of the service organization's internal audit function, reviewing type 1 or type 2 reports on the subservice organization's system, and monitoring external communications (such as customer complaints) relevant to the services provided by the subservice organization. ¶ 3.50
    As a basis for coordinating the respective activities between the service auditor and the internal auditors when planning to use the work of the internal audit function, it may be useful to address the following: The extent of coverage ¶ 2.149 Bullet 3
    {carve-out method}{inclusive method} If the service organization uses a subservice organization, management is responsible for determining whether to carve out or include the subservice organization's controls within the scope of the examination. Management of a service organization may need assistance in understanding the differences between the two methods and the implications that arise from the choice of one method over the other. The two methods are defined as follows: ¶ 2.12
    {SOC 2 engagement} Paragraph .11 of AT-C section 205 requires a service auditor to establish an overall engagement strategy that sets the scope, timing, and direction of the engagement and guides in the development of the engagement plan. In establishing the overall engagement strategy, the service auditor ordinarily would do the following: ¶ 2.92
    {examination engagement} During engagement acceptance and planning, the service auditor is responsible for the following: Establishing an overall strategy for the examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement (see paragraph 2.92) ¶ 2.30 Bullet 4
    In other cases, however, the service organization may make a different commitment about system availability to an individual user entity that requires greater system availability than most user entities. Service organization management ordinarily would not disclose that commitment because it is unlikely to be relevant to the broad range of SOC 2® report users. Because that service commitment is not disclosed in the description, the individual user entity understands that the evaluation of the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls was made based on the service organization's achievement of its principal service commitments and system requirements (that is, those common to the majority of user entities); therefore, the individual user entity may need to obtain additional information from the service organization regarding the achievement of its specific availability commitment. ¶ 2.60
    {principal system requirement}{be the same} For a SOC 3® examination, service organization management's responsibilities are substantially the same as those for a SOC 2® examination except that management does not prepare a system description. Although management does not prepare a system description, it does disclose the boundaries of the system and the service organization's principal service commitments and system requirements as part of its written assertion. That is discussed beginning in paragraph 4.112. ¶ 2.167]
    Establish/Maintain Documentation Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and Risk Management Preventive
    Include audit subject matter in the audit program. CC ID 07103
    [The information contained in the description of a service organization's system, the suitability of design of controls and, in a type 2 examination, the operating effectiveness of the controls, which are the subject matters of a SOC 2® examination, are relevant to user entities, business partners, and the other parties specified in the SOC 2® report. Consequently, those subject matters are usually appropriate for a SOC 2® examination. However, in certain situations, the subject matters may not be appropriate due to specific circumstances. The service auditor should determine whether aspects of the subject matters impair their appropriateness before accepting the engagement. ¶ 2.44
    {SOC 2 engagement} Paragraph .11 of AT-C section 205 requires a service auditor to establish an overall engagement strategy that sets the scope, timing, and direction of the engagement and guides in the development of the engagement plan. In establishing the overall engagement strategy, the service auditor ordinarily would do the following: ¶ 2.92
    {SOC 2® examination} Defining the scope of the examination, which includes the following: Identifying the services provided to user entities, which will establish the subject matter of the examination ¶ 2.04 Bullet 1 Sub-Bullet 1
    {examination engagement} During engagement acceptance and planning, the service auditor is responsible for the following: Establishing an overall strategy for the examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement (see paragraph 2.92) ¶ 2.30 Bullet 4
    {system boundary}{audit criteria}{be capable}{audit opinion} According to paragraph .A37 of AT-C section 105, subject matter is appropriate if it is identifiable, capable of consistent measurement or evaluation based on the criteria, and can be subjected to procedures for obtaining sufficient appropriate evidence to support an opinion. In a SOC 2® examination, the service auditor should consider whether the system used to provide the services is identifiable. For instance, the boundaries of a system addressed by a SOC 2® examination may not be as clear as the boundaries of a financial reporting system addressed by a SOC 1® examination; therefore, before accepting a SOC 2® examination, the service auditor and management should agree on the system being reported on and its boundaries. In doing so, management and the service auditor consider the relationship between the boundaries of each of the components of the system used to provide the services, as discussed in paragraph 1.21. ¶ 2.45
    A SOC 2® engagement that includes additional subject matters and additional criteria such as those described in the preceding table is predicated on service organization management providing the service auditor with the following: An appropriate description of the subject matter ¶ 1.51 Bullet 1
    {description of the service organization's system} As stated in chapter 1, service organization management is responsible for achieving the service commitments it makes to user entities as well as for the requirements of the system that will enable the service organization to achieve them. Because of the importance of disclosures about the service organization's service commitments and system requirements to users of a SOC 2® report, description criterion DC2 requires service organization management to disclose the principal service commitments, which are those that are likely to be relevant to the broad range of SOC 2® report users. Such disclosure enables report users to better understand how the system operates and how management and the service auditor evaluated whether controls were suitably designed and, in a type 2 examination, operated effectively. For example, it may be common for a service organization to make the same system availability commitment to the majority of its user entities. Because information about the availability commitment common to most user entities is likely to be relevant to the broad range of SOC 2® report users, that commitment would be a principal service commitment and service organization management would describe it in the description. ¶ 2.59]
    Establish/Maintain Documentation Preventive
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Investigate Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105
    [{system boundary}{audit criteria}{be capable}{audit opinion} According to paragraph .A37 of AT-C section 105, subject matter is appropriate if it is identifiable, capable of consistent measurement or evaluation based on the criteria, and can be subjected to procedures for obtaining sufficient appropriate evidence to support an opinion. In a SOC 2® examination, the service auditor should consider whether the system used to provide the services is identifiable. For instance, the boundaries of a system addressed by a SOC 2® examination may not be as clear as the boundaries of a financial reporting system addressed by a SOC 1® examination; therefore, before accepting a SOC 2® examination, the service auditor and management should agree on the system being reported on and its boundaries. In doing so, management and the service auditor consider the relationship between the boundaries of each of the components of the system used to provide the services, as discussed in paragraph 1.21. ¶ 2.45]
    Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107
    [Paragraph 2.45 indicates that, as one of the preconditions of the SOC 2® examination, the service auditor should determine whether the subject matters are appropriate for the engagement. According to paragraph .A36 of AT-C section 105, one element of the appropriateness of the subject matters is the existence of a reasonable basis for measuring or evaluating the subject matters. ¶ 2.49
    As discussed in chapter 2, during the engagement acceptance process, the service auditor considers whether the service commitments and system requirements stated in the description are appropriate for the engagement. The prior section of this chapter discusses considerations for determining whether related disclosures are appropriate in accordance with description criterion DC2. This section discusses the situation in which, after accepting the SOC 2® examination, the service auditor becomes aware of information that causes him or her to believe that the principal service commitments and system requirements stated in the description are not, in fact, appropriate for the engagement. ¶ 3.27
    A service auditor should accept or continue an engagement to examine and report on controls at a service organization only if the preconditions for an attestation engagement identified in paragraphs .24–.25 of AT-C section 105 are met: The subject matters of the SOC 2® examination are appropriate. (The subject matters of SOC 2® examinations are discussed beginning at paragraph 1.04; determining whether the subject matters are appropriate is discussed beginning at paragraph 2.45.) ¶ 2.43(c)
    {description of the service organization's system} When evaluating whether the description is presented in accordance with the description criteria, the service auditor should consider the implementation guidance for each criterion in supplement A. The implementation guidance presents factors to consider when making judgments about the nature and extent of disclosures called for by each criterion. Because the implementation guidance does not address all possible situations, the service auditor should consider the specific facts and circumstances of the service organization when applying the description criteria. ¶ 3.21
    The Committee of Sponsoring Organizations of the Treadway Commission defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance." For a service organization's system, these objectives are the achievement of service commitments made to user entities and other system requirements that service organization management establishes for the functioning of the system. Consequently, when the trust services criteria are used to evaluate the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls to provide reasonable assurance that the service organization's system objectives were achieved, the controls are evaluated against their ability to achieve the service organization's service commitments and system requirements. Therefore, the service auditor obtains the service organization's service commitments and system requirements and assesses their appropriateness. ¶ 2.58
    {be available}{be suitable}{audit criteria} A service auditor should accept or continue an engagement to examine and report on controls at a service organization only if the preconditions for an attestation engagement identified in paragraphs .24–.25 of AT-C section 105 are met: The criteria used to prepare and evaluate the subject matters are both suitable and available to users of the report. (The suitability and availability of both the description criteria and the trust services criteria are discussed at paragraphs 1.29 and 1.36; the appropriateness of the principal service commitments and system requirements stated in the description is discussed beginning at paragraph 2.60.) ¶ 2.43(d)
    {audit evidence} The service auditor may perform a variety of procedures to obtain evidence about whether the description presents the system that was designed and implemented in accordance with the description criteria, including a combination of the following: Reading the service organization's service commitments and system requirements to determine whether they are appropriate for the specific engagement circumstances (Paragraphs 2.60 and 3.27 discuss the appropriateness of the service organization's service commitments and system requirements.) ¶ 3.59 Bullet 3
    {description of the service organization's system} Because of the close relationship between the trust services criteria and the service organization's service commitments and system requirements, the service auditor should consider, prior to accepting the examination, whether the principal service commitments and system requirements to be stated in the description are appropriate for the SOC 2® examination. (The service auditor, however, does not have a responsibility to opine on the appropriateness of the commitments and requirements.) ¶ 2.64
    {significant change} When performing a type 2 examination, description criterion DC9 indicates that a description should disclose relevant details of changes to the service organization's system during that period. If the service auditor believes changes to the system would be considered significant by report users, the service auditor should determine whether the description includes such information. In addition, the service auditor should consider whether superseded controls are relevant to the achievement of one or more service commitments or system requirements based on the applicable trust services criteria. If so, the service auditor should, if possible, test the superseded controls before the change. If the service organization has used the inclusive method, the service auditor should consider changes to controls at both the service organization and the subservice organization. Paragraph 4.72 presents an example of a separate paragraph that would be added to the service auditor's report when information about such changes is omitted from the description of the service organization's system. ¶ 3.108
    In evaluating the appropriateness of the subject matter when determining whether to accept or continue a SOC 2® examination, relevant matters to consider may include the functions performed by the system, how subservice organizations are used, how information about subservice organizations will be presented in the description of the service organization's system (inclusive or carve-out method), the relevance to the system of the trust services category or categories included within the scope of the examination, and the period of time covered by the examination. For example, assume that service organization management wishes to engage the service auditor to perform a type 2 examination for a period of less than two months. In such circumstances, the service auditor may conclude that it is unlikely that sufficient appropriate evidence can be obtained to support an opinion. ¶ 2.46]
    Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and Risk Management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116
    [{audit procedure} When using internal auditors to provide direct assistance, paragraph .42 of AT-C section 205 requires the service auditor to direct, supervise, and review the work of the internal auditors. The service auditor fulfills that responsibility by (a) informing the internal auditors of their responsibilities, the objectives of the procedures they are to perform, and matters that may affect the nature, timing, and extent of their procedures and by (b) supervising and reviewing the work performed by internal auditors in a manner similar to the review of work performed by the firm's own staff. ¶ 3.176
    In addition, the engagement partner should make sure that team members are informed of their responsibilities, including the objectives of the procedures that they are to perform and matters that may affect the nature, timing, and extent of such procedures. The engagement partner should also be satisfied that engagement team members have been directed to bring to the partner's attention any significant questions raised during the engagement. ¶ 2.41
    {be available}{be suitable}{audit criteria} A service auditor should accept or continue an engagement to examine and report on controls at a service organization only if the preconditions for an attestation engagement identified in paragraphs .24–.25 of AT-C section 105 are met: The criteria used to prepare and evaluate the subject matters are both suitable and available to users of the report. (The suitability and availability of both the description criteria and the trust services criteria are discussed at paragraphs 1.29 and 1.36; the appropriateness of the principal service commitments and system requirements stated in the description is discussed beginning at paragraph 2.60.) ¶ 2.43(d)]
    Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961
    [{SOC 2 engagement} Paragraph .11 of AT-C section 205 requires a service auditor to establish an overall engagement strategy that sets the scope, timing, and direction of the engagement and guides in the development of the engagement plan. In establishing the overall engagement strategy, the service auditor ordinarily would do the following: ¶ 2.92
    {SOC 2 engagement} In establishing the overall engagement strategy, the service auditor ordinarily would do the following: Ascertain the nature, timing, and extent of resources necessary to perform the engagement. ¶ 2.92(i)]
    Audits and Risk Management Preventive
    Include in scope information in the audit program. CC ID 16198 Establish/Maintain Documentation Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962
    [{description of the service organization's system}{carve-out method} The description would not include the detailed processing or controls performed at the subservice organization. ¶ 3.47 ¶ 1]
    Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158
    [{SOC 2 engagement} Paragraph .08 of AT-C section 205 states that the agreed-upon terms of the engagement should include the following: An acknowledgment that the engaging party agrees to provide the service auditor with a representation letter at the conclusion of the engagement ¶ 2.71(g)
    {SOC 2 engagement} During the SOC 2® examination, service organization management is responsible for the following: Providing the service auditor with written representations at the conclusion of the engagement ¶ 2.26 Bullet 6
    As a responsible party, subservice organization management is also responsible for complying with the following based on AT-C section 205: Providing the service auditor with written representations at the conclusion of the engagement ¶ 2.101 Bullet 3
    {SOC 2 engagement} Service organization management is also required to provide the service auditor with written representations at the conclusion of the engagement. It may be useful for the service auditor to provide management with an example of the expected representations prior to engagement acceptance. Appendix G, "Illustrative Management Representation Letters," presents examples of representation letters that might be appropriate in a type 1 and type 2 examination. ¶ 2.69
    {examination engagement} The responsibilities of management of the service organization toward the end of the engagement include the following: Providing the service auditor with written representations (see discussion beginning at paragraph 3.197) ¶ 2.29 Bullet 3
    If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: Acknowledgment from subservice organization management that it will provide the service auditor with a written assertion and representation letter (Both service organization management and subservice organization management are responsible for providing the service auditor with a written assertion and representation letter.) ¶ 2.98 Bullet 2
    {representation letter} When the engaging party is not the responsible party, paragraph .52 of AT-C section 205 requires the service auditor to request written representations from the engaging party, in addition to those requested from the responsible party, in the form of a letter addressed to the service auditor. Those representations should do the following: ¶ 3.212
    Paragraph .50 of AT-C section 205 indicates that, in an examination, a service auditor should request written representations in the form of a letter from the responsible party. The representations in the SOC 2® examination should do the following: ¶ 3.201
    {be responsible}{be knowledgeable} In some cases, the party making the assertion may be indirectly responsible for and knowledgeable about specified matters covered in the representations. For example, the CIO of the service organization may be knowledgeable about certain matters through personal experience and about other matters through employees who report to the CIO. The service auditor may request that individuals who are directly or indirectly responsible for and knowledgeable about matters covered in the written representations provide their own representations. ¶ 3.199
    {be appropriate} The service auditor should determine the appropriate person or persons within the service organization's management or governance structure with whom to interact, including considering which person or persons have the appropriate responsibilities for and knowledge of the matters concerned. In addition, in certain circumstances, the service auditor may obtain written representations from parties in addition to service organization management, such as those charged with governance. ¶ 3.198
    {Management Responsibilities During the Examination} Management acknowledges these responsibilities in an engagement letter or other suitable form of written communication. Appendix A, "Information for Service Organization Management," provides further information about management's responsibilities in the SOC 2® examination. ¶ 2.27
    Written representations ordinarily confirm representations explicitly or implicitly given to the service auditor, indicate and document the continuing appropriateness of such representations, and reduce the possibility of a misunderstanding concerning the matters that are the subject of the representations. ¶ 3.200
    {audit evidence}{description of the service organization's system} During the SOC 2® examination, service organization management makes many oral and written representations to the service auditor in response to specific inquiries or through the presentation of the description and management's assertion. Such representations from management are part of the evidence the service auditor obtains. However, they cannot replace other evidence the service auditor could reasonably expect to be available, nor do they provide sufficient appropriate evidence on their own about any of the matters with which they deal. Furthermore, the fact that the service auditor has received reliable written representations does not affect the nature or extent of other evidence that the service auditor obtains. ¶ 3.197
    {fraud}{noncompliance}{identify}{SOC 2 engagement} Paragraph .A29 of AT-C section 205 indicates that in these circumstances (unless prohibited by law, regulation, or ethics standards), it may be appropriate for the service auditor to, for example, do the following: Consider the implications of the matter in relation to other aspects of the engagement, including the service auditor's risk assessment and the reliability of written representations from the responsible party. ¶ 3.158 Bullet 3
    When evaluating the objectivity of the service auditor's external specialist, the service auditor may inquire of management (or the engaging party, if different) about any known interests or relationships (such as financial interests, business and personal relationships, and provision of other services by the service auditor's external specialist) that management has with the specialist that may affect the objectivity of the specialist. In certain cases, the service auditor may decide to request written representations from the service auditor's external specialist about any interests or relationships with management (or the engaging party, if different) of which the specialist is aware. ¶ 2.162
    The written representations required are separate from, and in addition to, management's written assertions. They are usually made in the form of a representation letter addressed to the service auditor, dated as of the date of the service auditor's report, and address the subject matters and periods referred to in the service auditor's opinion. ¶ 3.204
    Paragraph .41 of AT-C section 205 indicates that, if the service auditor plans to use internal auditors to provide direct assistance, prior to doing so, the service auditor should obtain written acknowledgment from the responsible party (management of the service organization) that internal auditors providing direct assistance to the service auditor will be allowed to follow the service auditor's instructions and that the responsible party will not intervene in the work the internal auditors perform for the service auditor. If the engaging party is the responsible party, the service auditor may wish to include this matter in the engagement letter. ¶ 2.72
    {be responsible}{description of the service organization's system} In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method of presentation of the description. Service organization management is responsible for evaluating the description of the subservice organization's system, as well as its own. ¶ 2.100]
    Establish/Maintain Documentation Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and Risk Management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884
    [{written representation}{engaging party}{management assertion} Those representations should do the following: State that the engaging party is not aware of any material misstatements in the subject matter or assertion. ¶ 3.212(d)
    {be attributable} In many SOC 2® examinations, the service auditor also requests additional representations about whether service organization management has disclosed any of the following of which it is aware: Instances of noncompliance with laws and regulations or uncorrected misstatements attributable to the service organization ¶ 3.203(a)
    {written representation} The representations in the SOC 2® examination should do the following: State that management believes the effects of uncorrected misstatements (description misstatements and deficiencies) are immaterial, individually and in the aggregate, to the subject matters. ¶ 3.201(f)]
    Establish/Maintain Documentation Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Establish/Maintain Documentation Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159
    [{written representation}{engaging party}{management assertion} Those representations should do the following: Acknowledge that the responsible party is responsible for the subject matter and assertion. ¶ 3.212(a)
    {written representation}{management assertion} The representations in the SOC 2® examination should do the following: Acknowledge responsibility for the subject matters and the assertion, ¶ 3.201(c)(i)]
    Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160
    [{written representation}{engaging party}{audit criteria} Those representations should do the following: Acknowledge the engaging party's responsibility for selecting the criteria, when applicable. ¶ 3.212(b)
    {written representation}{audit criteria} The representations in the SOC 2® examination should do the following: Acknowledge responsibility for selecting the criteria, and ¶ 3.201(c)(ii)]
    Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161
    [{written representation}{engaging party}{audit criteria} Those representations should do the following: Acknowledge the engaging party's responsibility for determining that such criteria are appropriate for its purposes. ¶ 3.212(c)
    {written representation}{audit criteria} The representations in the SOC 2® examination should do the following: Acknowledge responsibility for determining that such criteria are appropriate for management's purposes. ¶ 3.201(c)(iii)
    Written representations ordinarily confirm representations explicitly or implicitly given to the service auditor, indicate and document the continuing appropriateness of such representations, and reduce the possibility of a misunderstanding concerning the matters that are the subject of the representations. ¶ 3.200]
    Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162
    [{written representation}{engaging party}{be appropriate} Those representations should do the following: Address other matters as the service auditor deems appropriate. ¶ 3.212(f)
    {written representation}{audit criteria} The representations in the SOC 2® examination should do the following: Include management's assertion about the subject matters based on the criteria. ¶ 3.201(a)
    {written representation}{management assertion}{be relevant} The representations in the SOC 2® examination should do the following: State that all relevant matters are reflected in the measurement or evaluation of the subject matters or assertion. ¶ 3.201(b)(i)
    {written representation}{be appropriate} The representations in the SOC 2® examination should do the following: State that management has disclosed to the service auditor other matters the service auditor deems appropriate. ¶ 3.201(g)(iv)
    Written representations ordinarily confirm representations explicitly or implicitly given to the service auditor, indicate and document the continuing appropriateness of such representations, and reduce the possibility of a misunderstanding concerning the matters that are the subject of the representations. ¶ 3.200
    The written representations required are separate from, and in addition to, management's written assertions. They are usually made in the form of a representation letter addressed to the service auditor, dated as of the date of the service auditor's report, and address the subject matters and periods referred to in the service auditor's opinion. ¶ 3.204]
    Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163
    [{written representation}{management assertion}{gap period}{third party} The representations in the SOC 2® examination should do the following: State that all known matters contradicting the subject matters or assertion and any communication from regulatory agencies or others affecting the subject matters or assertion have been disclosed to the service auditor, including communications received between the end of the period addressed in the written assertion and the date of the service auditor's report. ¶ 3.201(b)(ii)]
    Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164
    [{written representation} The representations in the SOC 2® examination should do the following: State that management has provided the service auditor with all relevant information and access. ¶ 3.201(e)]
    Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165
    [{written representation}{engaging party}{management assertion} Those representations should do the following: State that the engaging party has disclosed to the service auditor all known events subsequent to the period (or point in time) of the subject matter being reported on that would have a material effect on the subject matter or assertion. ¶ 3.212(e)
    {written representation}{management assertion} The representations in the SOC 2® examination should do the following: State that any known events subsequent to the period (or point in time) of the subject matters being reported on that would have a material effect on the subject matters or assertion have been disclosed to the service auditor. ¶ 3.201(d)
    {subsequent event}{time period} During the SOC 2® examination, service organization management is responsible for the following: Disclosing to the service auditor the following: Any events subsequent to the period covered by the description of the service organization's system, up to the date of the service auditor's report, that could have a significant effect on management's assertion (paragraph .50 of AT-C section 205) ¶ 2.26 Bullet 9 Sub-Bullet 6
    As a responsible party, subservice organization management is also responsible for complying with the following based on AT-C section 205: Disclosing to the service auditor the following: Any events subsequent to the period covered by the description of the service organization's system, up to the date of the service auditor's report, that could have a significant effect on subservice management's assertion (paragraph .50 of AT-C section 205) ¶ 2.101 Bullet 6 Sub-Bullet 6]
    Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899
    [During the SOC 2® examination, service organization management is responsible for the following: Disclosing to the service auditor the following: Any deficiencies in the design of controls of which it is aware ¶ 2.26 Bullet 9 Sub-Bullet 3
    {written representation} The representations in the SOC 2® examination should do the following: State that management has disclosed to the service auditor all deficiencies in internal control relevant to the SOC 2® examination of which it is aware; ¶ 3.201(g)(i)
    As a responsible party, subservice organization management is also responsible for complying with the following based on AT-C section 205: Disclosing to the service auditor the following: Any deficiencies in the design of controls of which it is aware ¶ 2.101 Bullet 6 Sub-Bullet 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871
    [{system description}{be the same} Subservice organization management's assertion ordinarily would be expected to address the same matters addressed by service organization management in its assertion, including (a) whether the description presents the services that the subservice organization provides to the service organization and to user entities, which are part of the service organization's system, in accordance with the description criteria; (b) the suitability of the design of the controls; and, (c) in a type 2 examination, the operating effectiveness of controls. However, in some cases, service organization management might design the controls for the subservice organization. This may happen, for instance, when the controls of the subservice organization are necessary, in combination with the controls of the service organization, to provide reasonable assurance that one or more of the service organization's service commitments or system requirements were achieved. When service organization management designs the controls for the subservice organization, service organization management takes responsibility for the suitability of the design of its own controls and the subservice organization's controls; therefore, the subservice organization's assertion may be limited to whether the description presents the services provided by the subservice organization to the service organization and user entities in accordance with the description criteria and whether the controls at the subservice organization operated as described. ¶ 2.103
    Disclosures about the boundaries of the system and the principal service commitments and system requirements ordinarily would be included in management's assertion or in an exhibit thereto. If management does not include those disclosures in its assertion (or in an exhibit thereto), the service auditor would need to modify the language of the SOC 3® report to include them. ¶ 4.114]
    Establish/Maintain Documentation Detective
    Include an in scope system description in the audit assertion. CC ID 14872
    [{description of the service organization's system} Paragraph .10 of AT-C section 205 requires the service auditor to request a written assertion from the responsible party that addresses all the subject matters in the SOC 2® examination. Specifically, the assertion addresses whether (a) the description presents the system designed and implemented in accordance with the description criteria, (b) the controls were suitably designed to provide reasonable assurance that the service organization's service commitments and system requirements were achieved, and (c) in a type 2 examination, the controls operated effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. ¶ 2.66
    {system description}{be the same} Subservice organization management's assertion ordinarily would be expected to address the same matters addressed by service organization management in its assertion, including (a) whether the description presents the services that the subservice organization provides to the service organization and to user entities, which are part of the service organization's system, in accordance with the description criteria; (b) the suitability of the design of the controls; and, (c) in a type 2 examination, the operating effectiveness of controls. However, in some cases, service organization management might design the controls for the subservice organization. This may happen, for instance, when the controls of the subservice organization are necessary, in combination with the controls of the service organization, to provide reasonable assurance that one or more of the service organization's service commitments or system requirements were achieved. When service organization management designs the controls for the subservice organization, service organization management takes responsibility for the suitability of the design of its own controls and the subservice organization's controls; therefore, the subservice organization's assertion may be limited to whether the description presents the services provided by the subservice organization to the service organization and user entities in accordance with the description criteria and whether the controls at the subservice organization operated as described. ¶ 2.103]
    Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027
    [{description of the service organization's system} However, if any applicable trust services criteria are not addressed because they are not relevant to a particular service organization's system (for example, because the related controls are performed by a subservice organization or are otherwise not relevant to the services being provided), then the service organization's description needs to include an explanation of why the criteria are not addressed. ¶ 4.87]
    Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970
    [{SOC 2® examination} Defining the scope of the examination, which includes the following: Identifying the system used to provide those services ¶ 2.04 Bullet 1 Sub-Bullet 2
    {description of the service organization's system} As discussed in chapter 2, description criterion DC2, The principal service commitments and system requirements, requires service organization management to disclose the principal service commitments and system requirements in the description. Disclosure of a service organization's principal service commitments and system requirements is necessary to enable report users to understand how the system operates and how management and the service auditor evaluated the suitability of the design of controls and, in a type 2 examination, the operating effectiveness of controls. (Although DC2 only requires disclosure of the principal service commitments and system requirements, service organization management is responsible for designing the system to achieve the service commitments it makes to user entities and the system requirements that are necessary to enable the system to achieve them.) ¶ 3.24
    Prior to engaging a service auditor to perform a SOC 2® examination, service organization management is responsible for making a variety of decisions that affect the nature, timing, and extent of procedures to be performed in a SOC 2® examination, including the following: Specifying the principal service commitments made to user entities and the system requirements needed to operate the system ¶ 2.04 Bullet 2
    {system boundary}{audit criteria}{be capable}{audit opinion} According to paragraph .A37 of AT-C section 105, subject matter is appropriate if it is identifiable, capable of consistent measurement or evaluation based on the criteria, and can be subjected to procedures for obtaining sufficient appropriate evidence to support an opinion. In a SOC 2® examination, the service auditor should consider whether the system used to provide the services is identifiable. For instance, the boundaries of a system addressed by a SOC 2® examination may not be as clear as the boundaries of a financial reporting system addressed by a SOC 1® examination; therefore, before accepting a SOC 2® examination, the service auditor and management should agree on the system being reported on and its boundaries. In doing so, management and the service auditor consider the relationship between the boundaries of each of the components of the system used to provide the services, as discussed in paragraph 1.21. ¶ 2.45
    {SOC 2 engagement} In establishing the overall engagement strategy, the service auditor ordinarily would do the following: Obtain an understanding of the services provided by the service organization, the system used to provide them, and the service organization's service commitments and system requirements that define the engagement. ¶ 2.92(a)
    {principal system requirement}{be the same} For a SOC 3® examination, service organization management's responsibilities are substantially the same as those for a SOC 2® examination except that management does not prepare a system description. Although management does not prepare a system description, it does disclose the boundaries of the system and the service organization's principal service commitments and system requirements as part of its written assertion. That is discussed beginning in paragraph 4.112. ¶ 2.167
    {description of the service organization's system} Likewise, management should disclose only the principal system requirements that are relevant to the trust services category or categories addressed by the description and that are likely to be relevant to the broad range of SOC 2® report users. When identifying which system requirements to disclose, service organization management may consider matters such as internal policies that are relevant to the system being described, key decisions made in the design and operation of the system, and other business requirements for the system. For example, management would ordinarily not disclose internal requirements related to the operating margin for the services associated with the system because such information is unlikely to be relevant to the broad range of SOC 2® report users. ¶ 2.63]
    Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949
    [The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: The source and reliability of the available information ¶ 4.09 Bullet 5]
    Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028
    [{SOC 2® examination}Defining the scope of the examination, which includes the following: Determining whether subservice organizations, if any, are to be addressed in the report using the inclusive method or the carve-out method (paragraph 2.12) ¶ 2.04 Bullet 1 Sub-Bullet 8
    {SOC 2 engagement}In establishing the overall engagement strategy, the service auditor ordinarily would do the following: Consider the common informational needs of the broad range of intended users of the SOC 2® report. ¶ 2.92(g)
    When service organization management communicates user entity responsibilities only to specified parties (such as in contracts with user entities), the service auditor considers whether other intended users of the SOC 2® report are likely to misunderstand it. If other intended users are likely to misunderstand it, the service auditor should restrict the report to specified parties who are unlikely to misunderstand the examination and the report. If service organization management does not want the service auditor to restrict the use of the report, management would include the significant user entity responsibilities in the description of the service organization's system to prevent users from misunderstanding the system and the service auditor's report. In that case, the service auditor's report would be appropriate for the broad range of SOC 2® report users. ¶ 3.39
    {description of the service organization's system} When the service organization uses a subservice organization, description criterion DC7 requires that certain disclosures about the subservice organization be included in the description. The disclosures to be included depend on whether service organization management has selected the carve-out method or inclusive method, as discussed in chapter 2. ¶ 3.42
    {description of the service organization's system} When service organization management includes significant user entity responsibilities in the description, management and the service auditor evaluate those disclosures as part of the evaluation about whether the description is presented in accordance with the description criteria. ¶ 3.40
    {specified party} Because there is no description of the system in a SOC 3® report, some report users may not have a sufficient understanding of the service organization's system to understand how controls within the system operate. Before agreeing on a SOC 3® examination, management and the service auditor need to consider whether a SOC 3® report, which includes only management's assertion and the service auditor's opinion about the effectiveness of controls at the service organization, is likely to meet the information needs of intended report users or whether it is likely that a SOC 3® report will be misunderstood by potential report users. For example, a service organization that provides security monitoring services to commercial customers may determine that a SOC 3® report is likely to be misunderstood by consumers of its commercial customer user entities because those consumers are unlikely to have an adequate understanding of how commercial customers use the monitoring services. In such instances, management and the service auditor may agree to restrict the use of the SOC 3® report to the subset of potential report users (commercial customers) whose informational needs are likely to be met by a SOC 3® report. ¶ 2.169
    {audit criteria}{test result}{not accept}{SOC 2 examination} The service auditor may also consider whether the intended users of the report are likely to understand the nature of the examination, the criteria used, and the tests performed and results thereof (for example, acceptable deviation rates or inherent limitations on the effectiveness of controls). If intended users are unlikely to understand that information, a greater potential exists for them to misunderstand the report; in that case, the service auditor may decide not to accept the examination. ¶ 2.48
    {SOC 2 engagement}{be different}{description of the service organization's system} If service organization management is unwilling to modify its assertion to align with the service auditor's opinion, the service auditor should consider the implications for the service auditor's opinion. For example, the service auditor should consider whether report users are likely to misunderstand a SOC 2® report that includes management's assertion and the service auditor's opinion when management and the service auditor have reached and expressed in the same document different conclusions with respect to the description, the suitability of design or controls, or, in a type 2 examination, the operating effectiveness of controls. If the service auditor believes it is likely that such a report will be misunderstood by report users, the service auditor may decide to withdraw from the engagement. ¶ 3.229
    {description of the service organization's system} As previously discussed, applying the description criteria requires judgment. One of those judgments involves the informational needs of report users. For most SOC 2® reports, there is a broad range of specified parties. Therefore, the description is intended to meet the common informational needs of the specified parties and does not ordinarily include information about every aspect of the system that may be considered important to each individual report user. However, an understanding of the perspectives and information needs of the broad range of intended SOC 2® report users is necessary to determine whether the description is presented in accordance with the description criteria and is sufficient to meet their needs. As discussed in chapter 1, "Introduction and Background," users of a SOC 2® report are expected to have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide them, among other matters. As a result, the service auditor assumes that the report users have such knowledge and understanding. ¶ 3.72
    {be material}{evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Interactions with third parties. Materiality considerations are based on factors such as the likelihood and magnitude of risks arising from interactions with user entities, business partners, subservice organizations, vendors, or others (referred to collectively as third parties) with access to the service organization's system, the degree to which those risks are relevant to the system, and the extent to which the service organization monitors controls performed by those third parties. In some cases, those third parties operate controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that one or more of the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria. The more necessary those controls are to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria, the more material such interactions with third parties are likely to be. ¶ 3.163 Bullet 5]
    Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971
    [{description of the service organization's system} As discussed in chapter 2, description criterion DC2, The principal service commitments and system requirements, requires service organization management to disclose the principal service commitments and system requirements in the description. Disclosure of a service organization's principal service commitments and system requirements is necessary to enable report users to understand how the system operates and how management and the service auditor evaluated the suitability of the design of controls and, in a type 2 examination, the operating effectiveness of controls. (Although DC2 only requires disclosure of the principal service commitments and system requirements, service organization management is responsible for designing the system to achieve the service commitments it makes to user entities and the system requirements that are necessary to enable the system to achieve them.) ¶ 3.24
    The service commitments that a service organization makes to user entities may vary based on the needs of the user entities. Service organization management need not disclose every service commitment to every user entity; however, it should disclose those that are relevant to the common needs of the broad range of SOC 2® report users. ¶ 3.25
    {SOC 2® examination}Defining the scope of the examination, which includes the following: Identifying the services provided to user entities, which will establish the subject matter of the examination ¶ 2.04 Bullet 1 Sub-Bullet 1
    {description of the service organization's system} When using the carve-out method, description criterion DC7 requires service organization management to include in the description certain disclosures about the use of a subservice organization, including the services provided by the subservice organization and the types of CSOCs it is expected to perform. DC7 also requires disclosure of the types of complementary controls that are assumed to be suitably designed and operated effectively at the subservice organization. ¶ 4.40
    Reading contracts with user entities and business partners (such as performance or service level agreements), marketing materials distributed to user entities and business partners or posted on the service organization's website, and other available documentation to better understand the specific services provided to user entities and ¶ 3.59 Bullet 5 Sub-Bullet 1
    {SOC 2 engagement}In establishing the overall engagement strategy, the service auditor ordinarily would do the following: Obtain an understanding of the services provided by the service organization, the system used to provide them, and the service organization's service commitments and system requirements that define the engagement. ¶ 2.92(a)
    In evaluating the appropriateness of the subject matter when determining whether to accept or continue a SOC 2® examination, relevant matters to consider may include the functions performed by the system, how subservice organizations are used, how information about subservice organizations will be presented in the description of the service organization's system (inclusive or carve-out method), the relevance to the system of the trust services category or categories included within the scope of the examination, and the period of time covered by the examination. For example, assume that service organization management wishes to engage the service auditor to perform a type 2 examination for a period of less than two months. In such circumstances, the service auditor may conclude that it is unlikely that sufficient appropriate evidence can be obtained to support an opinion. ¶ 2.46
    {system description}{be the same} Subservice organization management's assertion ordinarily would be expected to address the same matters addressed by service organization management in its assertion, including (a) whether the description presents the services that the subservice organization provides to the service organization and to user entities, which are part of the service organization's system, in accordance with the description criteria; (b) the suitability of the design of the controls; and, (c) in a type 2 examination, the operating effectiveness of controls. However, in some cases, service organization management might design the controls for the subservice organization. This may happen, for instance, when the controls of the subservice organization are necessary, in combination with the controls of the service organization, to provide reasonable assurance that one or more of the service organization's service commitments or system requirements were achieved. When service organization management designs the controls for the subservice organization, service organization management takes responsibility for the suitability of the design of its own controls and the subservice organization's controls; therefore, the subservice organization's assertion may be limited to whether the description presents the services provided by the subservice organization to the service organization and user entities in accordance with the description criteria and whether the controls at the subservice organization operated as described. ¶ 2.103]
    Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972
    [When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider may include, among others, (a) the existence, adequacy, and use of documented internal audit procedures or guidance covering such areas as risk assessments, work programs, documentation, and reporting or (b) whether the internal audit function has appropriate quality control policies and procedures. ¶ 2.142
    An internal audit function performs assurance and consulting activities designed to evaluate and improve the effectiveness of the service organization's governance, risk management, and internal control processes. Activities similar to those performed by an internal audit function may be conducted by functions with other titles within a service organization. Some or all of the activities of an internal audit function may also be outsourced to a third-party service provider. For example, a service organization may engage a service provider to perform (a) penetration testing, (b) responsibilities of the internal audit function that the function itself does not have the competency or qualifications to perform (for example, performing the IT internal audit function), or (c) a one-time special assessment at the request of the board of directors. Neither the title of the function nor whether it is performed by the service organization or a third-party service provider is a sole determinant of whether the service auditor can use the work of internal auditors. Rather, it is the nature of the activities, the extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal auditors, the competence of internal auditors, and the systematic and disciplined approach of the function that are relevant. References in this guide to the work of the internal audit function include relevant activities of other functions or third-party providers that have these characteristics. ¶ 2.132]
    Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968
    [{Determining Whether Management Is Likely to Have a Reasonable Basis for Its Assertion} Service organization management usually documents the assessment in a variety of ways, including through the use of policy manuals, narratives, flowcharts, decision tables, procedural write-ups, or questionnaires. The nature and extent of documentation usually varies, depending on the size and complexity of the service organization and its monitoring activities. ¶ 2.55
    {separate}{description of the service organization's system} Controls at the subservice organization may also include aspects of the subservice organization's control environment, risk assessment process, information and communications, and monitoring activities to the extent that they are relevant to controls at the service organization. The description should separately identify controls at the service organization and controls at the subservice organization; however, there is no prescribed format for differentiating between controls at the service organization and controls at the subservice organization. ¶ 3.44
    {description of the service organization's system}{type 1 report} As previously discussed, service organization management is responsible for monitoring the suitability of design and operating effectiveness of controls at a subservice organization, regardless of whether management has elected to use the inclusive or carve-out method. For that reason, the description needs to disclose the controls that the service organization uses to monitor the services provided by the subservice organization. Controls that a service organization may implement to monitor the services provided and controls performed by a subservice organization are discussed further beginning at paragraph 3.50. In addition, considerations when evaluating the suitability of design and the operating effectiveness of controls used to monitor the controls at the subservice organization are discussed beginning at paragraph 3.154. If a type 1 or type 2 report is used as part of the monitoring of services provided by the subservice organization, the service organization may indicate the type of report used in its description. A service organization may obtain a copy of a type 1 or type 2 report from the subservice organization if one is available. If the subservice organization's type 1 or type 2 report identifies the need for CUECs at the service organization, the description should describe the processes and controls the service organization has implemented to address the CUECs identified in the subservice organization's description of its system. In addition to describing the services provided by the subservice organization, the service organization may indicate in its description whether the subservice organization's report is a type 1 or type 2 report. ¶ 3.88]
    Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973
    Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991
    [During the SOC 2® examination, service organization management is responsible for the following: Disclosing to the service auditor the following: All identified system incidents that resulted in a significant impairment of the service organization's achievement of its service commitments and system requirements as of the date of the description (for a type 1 examination) or during the period of time covered by the description (for a type 2 examination) ¶ 2.26 Bullet 9 Sub-Bullet 5
    {description of the service organization's system}{SOC 2 examination} Events or transactions may occur after the period of time covered by the examination, but prior to the date of the service auditor's report, that could have a significant effect on the description, the suitability of design of controls, and, in a type 2 examination, the operating effectiveness of controls. In such circumstances, disclosure of those events and transactions in the description or in management's assertion may be necessary to prevent report users from being misled. ¶ 3.213
    During the SOC 2® examination, service organization management is responsible for the following: Disclosing to the service auditor the following: Incidents of noncompliance with laws and regulations, fraud, or uncorrected misstatements that are clearly not trivial and that may affect one or more user entities and whether such incidents have been communicated appropriately to affected user entities ¶ 2.26 Bullet 9 Sub-Bullet 1
    {does not affect}{subsequent event}{description of the service organization's system}{be important} The service auditor may have determined that the event discovered subsequent to the period covered by the examination would likely have had no effect on the description, the suitability of design of controls, or, in a type 2 examination, the operating effectiveness of controls because the underlying situation did not exist until after the period covered by the SOC 2® report. However, the matter may be sufficiently important to warrant disclosure by management in its description and, potentially, emphasis by the service auditor in the service auditor's report. The following are examples of such events: ¶ 3.220
    {written representation}The representations in the SOC 2® examination should do the following: State that management has disclosed to the service auditor identified system incidents that resulted in a significant impairment of the service organization's achievement of its service commitments and system requirements as of the date of the description (for a type 1 examination) or during the period of time covered by the description (for a type 2 examination); and ¶ 3.201(g)(iii)
    {not be operating effectively}{description of the service organization's system} Description criterion DC4 requires service organization management to include in the description certain information related to system incidents that (a) were the result of controls that were not suitably designed or operating effectively or (b) otherwise resulted in a significant failure in the achievement of one or more of service commitments and system requirements, as of the date of the description (for a type 1 examination) or during the period of time covered by the description (for a type 2 examination), as applicable. Specifically, the description should include the following information about each incident: ¶ 3.33
    {be different}{be ineffective} In performing his or her procedures, the service auditor may become aware of a system incident that has affected a system of the service organization that is not the system under examination. For example, the service organization may experience a breach in an IT system that is not a component of the system under examination. In such situations, the service auditor needs to understand the nature and cause of the breach because it may have occurred as a result of ineffective controls shared between the service organization's systems. If that is the case, the service auditor should reconsider the assessment of the risk of material misstatement. In addition, if the system incident is related to a security breach, the service auditor should consider whether the inherent risks of the environment connected to the system are significantly different than what was originally assessed, or whether controls within the system may have been compromised due to an advanced persistent threat that has not been detected. As a result of the reassessment of risk, the service auditor may determine that additional procedures need to be performed or that management needs to identify additional controls that are suitably designed and operating effectively in order to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. ¶ 3.159]
    Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974
    [Because of the important effect entity-level controls may have on the operating effectiveness of controls stated in the description, the description of the system often includes disclosures about the entity-level controls designed, implemented, and operated to address the risks that would threaten the service organization's achievement of its service commitments and system requirements. The description of the service organization's system presented in appendix D illustrates such disclosures. It also illustrates, in section 4 of the description, the tests the service auditor may perform to determine whether the entity-level controls operated effectively throughout the period. ¶ 2.131
    {description of the service organization's system} As discussed in chapter 2, when using the carve-out method, there may be situations in which the achievement of one or more of the service organization's service commitments or system requirements based on the applicable trust services criteria is dependent on one or more controls at the subservice organization. Such controls are called complementary subservice organization controls (CSOCs). In such a situation, description criterion DC7 requires that the description identify such CSOCs. To be meaningful to report users, CSOCs stated in the description are those that are specific to the services provided by the service organization's system. Typically, service organization management presents the CSOCs as broad categories of controls or types of controls that the subservice organization should have in place. For example, the service organization might identify the following CSOC to address CC6.1, The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives: ¶ 3.52
    {timely manner}{time period}{audit scope} Regardless of whether the carve-out or inclusive method is selected, the description of the service organization's system and the scope of the service auditor's examination include the controls designed, implemented, and operated at the service organization to monitor the effectiveness of controls at the subservice organization. Controls over subservice organizations are usually a necessary part of a system of internal control in order for it to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. These types of controls are evaluated using trust services criterion CC9.2, The entity assesses and manages risks associated with vendors and business partners. Such monitoring controls may include some combination of (1) ongoing monitoring to determine that potential issues are identified timely and (2) separate evaluations to determine that internal controls are effective over time. Examples of monitoring controls include reviewing and reconciling output reports, holding periodic discussions with subservice organization personnel, making regular site visits to the subservice organization, performing tests of controls at the subservice organization by members of the service organization's internal audit function, reviewing type 1 or type 2 reports on the subservice organization's system, and monitoring external communications (such as customer complaints) relevant to the services provided by the subservice organization. ¶ 3.50
    {understand}{risk assessment documentation} An understanding of the process for determining the risks that would prevent the service organization's controls from providing reasonable assurance that the service organization's service commitments and system requirements were achieved, and for designing and implementing controls to address those risks, may assist the service auditor in identifying deficiencies in the design of controls. Some service organizations have a formal risk assessment process based on the applicable trust services criteria. In those circumstances, the service auditor may be able to inspect the risk assessment and controls documentation prepared by management to obtain an understanding of this process. ¶ 2.118
    {be inappropriate}{audit opinion}{SOC 2 engagement} If service organization management inappropriately omits one or more applicable trust services criteria from the description of the service organization's system, the service auditor requests that management include the omitted criteria and related controls. If management refuses to do so, the service auditor should disclaim an opinion or withdraw from the engagement. ¶ 4.77
    {description of the subservice organization's system} In addition to controls that the service organization expects at the subservice organization, there may be activities that a subservice organization expects the service organization, as a user entity, to perform for the subservice organization's controls to be effective. When the subservice organization has a SOC 2® examination, such activities may be identified in the section of its description that describes CUECs. Such activities may also be described in user documentation published by the subservice organization or the agreement between the service organization and subservice organization. For example, a service organization that outsources aspects of its technology infrastructure to a subservice organization may obtain a type 1 or type 2 SOC 2® report from the subservice organization and discover that the subservice organization's description of its system includes the following CUEC: ¶ 2.24
    {description of the service organization's system}{type 1 report} When a service organization uses a subservice organization, the service organization may need to implement controls to achieve its service commitments and system requirements. The controls to be implemented may be communicated in an authoritative communication or as CUECs in a type 1 or type 2 report provided by the subservice organization. If the subservice organization's type 1 or type 2 report identifies the need for CUECs at the service organization, the service organization controls stated in the description should include controls the service organization has implemented to address the CUECs identified. ¶ 3.89
    {be accurate}{be relevant}{description of the service organization's system} The description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and relevant to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria. When making this evaluation, the service auditor may review system documentation and contracts with user entities, make inquiries of service organization personnel, and perform other such procedures as he or she considers necessary. ¶ 3.41
    {description of the service organization's system}{Controls Did Not Operate During the Period Covered by the Report}In these circumstances, service organization management and the service auditor would do the following: Service organization management would continue to include the processes in its description. ¶ 4.86 Bullet 1
    {separate}{description of the service organization's system} Controls at the subservice organization may also include aspects of the subservice organization's control environment, risk assessment process, information and communications, and monitoring activities to the extent that they are relevant to controls at the service organization. The description should separately identify controls at the service organization and controls at the subservice organization; however, there is no prescribed format for differentiating between controls at the service organization and controls at the subservice organization. ¶ 3.44
    A SOC 2® engagement that includes additional subject matters and additional criteria such as those described in the preceding table is predicated on service organization management providing the service auditor with the following: If the criteria are related to controls, a description of the controls intended to meet the control-related criteria ¶ 1.51 Bullet 3
    {be different}{be ineffective} In performing his or her procedures, the service auditor may become aware of a system incident that has affected a system of the service organization that is not the system under examination. For example, the service organization may experience a breach in an IT system that is not a component of the system under examination. In such situations, the service auditor needs to understand the nature and cause of the breach because it may have occurred as a result of ineffective controls shared between the service organization's systems. If that is the case, the service auditor should reconsider the assessment of the risk of material misstatement. In addition, if the system incident is related to a security breach, the service auditor should consider whether the inherent risks of the environment connected to the system are significantly different than what was originally assessed, or whether controls within the system may have been compromised due to an advanced persistent threat that has not been detected. As a result of the reassessment of risk, the service auditor may determine that additional procedures need to be performed or that management needs to identify additional controls that are suitably designed and operating effectively in order to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. ¶ 3.159
    {description of the service organization's system}{type 1 report} As previously discussed, service organization management is responsible for monitoring the suitability of design and operating effectiveness of controls at a subservice organization, regardless of whether management has elected to use the inclusive or carve-out method. For that reason, the description needs to disclose the controls that the service organization uses to monitor the services provided by the subservice organization. Controls that a service organization may implement to monitor the services provided and controls performed by a subservice organization are discussed further beginning at paragraph 3.50. In addition, considerations when evaluating the suitability of design and the operating effectiveness of controls used to monitor the controls at the subservice organization are discussed beginning at paragraph 3.154. If a type 1 or type 2 report is used as part of the monitoring of services provided by the subservice organization, the service organization may indicate the type of report used in its description. A service organization may obtain a copy of a type 1 or type 2 report from the subservice organization if one is available. If the subservice organization's type 1 or type 2 report identifies the need for CUECs at the service organization, the description should describe the processes and controls the service organization has implemented to address the CUECs identified in the subservice organization's description of its system. In addition to describing the services provided by the subservice organization, the service organization may indicate in its description whether the subservice organization's report is a type 1 or type 2 report. ¶ 3.88
    {description of the service organization's system} In addition to describing only controls that have been implemented, the description should provide sufficient details about each control to enable report users, particularly user entities and business partners, to understand how each control may affect their interactions with the service organization. Table 3-1 presents information about each control that generally would be included in the description. ¶ 3.30
    {design effectiveness}{operating effectiveness}As a responsible party, subservice organization management is also responsible for complying with the following based on AT-C section 205: Designing, implementing, and documenting controls that are suitably designed and operating effectively ¶ 2.101 Bullet 1
    {principal system requirement}{be the same} For a SOC 3® examination, service organization management's responsibilities are substantially the same as those for a SOC 2® examination except that management does not prepare a system description. Although management does not prepare a system description, it does disclose the boundaries of the system and the service organization's principal service commitments and system requirements as part of its written assertion. That is discussed beginning in paragraph 4.112. ¶ 2.167
    {audit evidence} Although a service organization can contract with a subservice organization to perform functions that form a portion of the service organization's system, it still retains obligations to user entities with regard to those functions. As a result, part of its system of internal control includes activities to manage the risks associated with vendors and business partners, including activities to manage the risks associated with the functions performed by the subservice organization. In evaluating the suitability of the design and operating effectiveness of controls, the service auditor considers the nature and extent of the service organization's monitoring controls when determining the nature, timing, and extent of testing to perform. For example, if the service organization has obtained a type 2 report from a subservice organization, the service auditor would review the report to determine whether management has adequately evaluated it by assessing (a) the relevance of the system description and CSOCs to the service organization's system and (b) any deviations requiring further evaluation and response by service organization management. If service organization management has been unable to obtain a type 2 report, the service auditor should consider whether management has directly tested the subservice organization's controls by obtaining evidence about the effectiveness of the subservice organization's controls. However, unless the service auditor is reperforming management's tests of the subservice organization's controls, the service auditor's performance of tests directly on the subservice organization's controls would not provide evidence about the suitability of the design and operating effectiveness of the service organization's controls. In any event, the service auditor should obtain sufficient appropriate evidence of the effectiveness of the CSOCs. 
    In addition, the service auditor needs to consider whether the subservice organization's use of its own IT system and connections to the service organization's IT network represents new vulnerabilities that need to be assessed and addressed as part of the service organization's risk assessment. ¶ 3.154
    {description of the service organization's system} Paragraph .10 of AT-C section 205 requires the service auditor to request a written assertion from the responsible party that addresses all the subject matters in the SOC 2® examination. Specifically, the assertion addresses whether (a) the description presents the system designed and implemented in accordance with the description criteria, (b) the controls were suitably designed to provide reasonable assurance that the service organization's service commitments and system requirements were achieved, and (c) in a type 2 examination, the controls operated effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. ¶ 2.66
    {system description}{be the same} Subservice organization management's assertion ordinarily would be expected to address the same matters addressed by service organization management in its assertion, including (a) whether the description presents the services that the subservice organization provides to the service organization and to user entities, which are part of the service organization's system, in accordance with the description criteria; (b) the suitability of the design of the controls; and, (c) in a type 2 examination, the operating effectiveness of controls. However, in some cases, service organization management might design the controls for the subservice organization. This may happen, for instance, when the controls of the subservice organization are necessary, in combination with the controls of the service organization, to provide reasonable assurance that one or more of the service organization's service commitments or system requirements were achieved. When service organization management designs the controls for the subservice organization, service organization management takes responsibility for the suitability of the design of its own controls and the subservice organization's controls; therefore, the subservice organization's assertion may be limited to whether the description presents the services provided by the subservice organization to the service organization and user entities in accordance with the description criteria and whether the controls at the subservice organization operated as described. ¶ 2.103]
    Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975
    [In a SOC 3® examination, the responsibilities of the service auditor are substantially the same as those in a SOC 2® examination and include the following: Performing risk assessment procedures ¶ 2.172 Bullet 5
    {understand}{risk assessment documentation} An understanding of the process for determining the risks that would prevent the service organization's controls from providing reasonable assurance that the service organization's service commitments and system requirements were achieved, and for designing and implementing controls to address those risks, may assist the service auditor in identifying deficiencies in the design of controls. Some service organizations have a formal risk assessment process based on the applicable trust services criteria. In those circumstances, the service auditor may be able to inspect the risk assessment and controls documentation prepared by management to obtain an understanding of this process. ¶ 2.118
    {description of the service organization's system}{design effectiveness}The service auditor's understanding of the service organization's system and related controls should be sufficient to enable the service auditor to do the following: Provide a basis for designing and performing further procedures that are responsive to the assessed risks and for obtaining reasonable assurance to support the service auditor's opinion on the description, the suitability of design of controls, and, in a type 2 examination, the operating effectiveness of controls. ¶ 2.120 Bullet 2
    {SOC 2® examination}Defining the scope of the examination, which includes the following: Identifying the risks from business partners providing intellectual property or services to the service organization related to the system ¶ 2.04 Bullet 1 Sub-Bullet 3
    Based on paragraph .14 of AT-C section 205, the service auditor's understanding should be sufficient to do the following: Provide a basis for designing and performing procedures to respond to the assessed risks and to obtain reasonable assurance to support the service auditor's opinion ¶ 2.111(b)
    {applicable requirement} The service organization designs, implements, and operates controls at the entity level that are necessary to support the achievement of its service commitments and system requirements. That is particularly true for controls that address the trust services criteria for the control environment component of internal control (CC1.1–1.5). Although entity-level controls can also address the achievement of service commitments and system requirements based on the trust services criteria for the communication and information (CC2.1–2.3), risk assessment (CC3.1–3.4), and monitoring (CC4.1–4.2) components of internal control, management often addresses those criteria by designing and implementing controls that operate at the system level. As an example, assume that the service organization performs an enterprise-wide risk assessment and also assesses its information security risk and its infrastructure risk at the system level. Because the latter two assessments are likely to be more relevant in the SOC 2® examination, the service auditor ordinarily devotes more time and attention to obtaining an understanding of those assessments than to the enterprise-wide risk assessment. ¶ 2.127
    {separate}{description of the service organization's system} Controls at the subservice organization may also include aspects of the subservice organization's control environment, risk assessment process, information and communications, and monitoring activities to the extent that they are relevant to controls at the service organization. The description should separately identify controls at the service organization and controls at the subservice organization; however, there is no prescribed format for differentiating between controls at the service organization and controls at the subservice organization. ¶ 3.44
    If the service organization uses a subservice organization, and the controls of the subservice organization are carved out of the description, the service auditor determines whether the subservice organization has identified in its contract or in other communications with the service organization any user entity responsibilities or CUECs that should be in place at the service organization. If the subservice organization has identified such responsibilities or CUECs, the service auditor should evaluate whether service organization management has considered these responsibilities or CUECs in its assessment of risks that would prevent the service organization from achieving one or more of its service commitments or system requirements. ¶ 3.86
    When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider may include, among others, (a) the existence, adequacy, and use of documented internal audit procedures or guidance covering such areas as risk assessments, work programs, documentation, and reporting or (b) whether the internal audit function has appropriate quality control policies and procedures. ¶ 2.142
    {fraud}{noncompliance}{identify}{SOC 2 engagement}Paragraph .A29 of AT-C section 205 indicates that in these circumstances (unless prohibited by law, regulation, or ethics standards), it may be appropriate for the service auditor to, for example, do the following: Consider the implications of the matter in relation to other aspects of the engagement, including the service auditor's risk assessment and the reliability of written representations from the responsible party. ¶ 3.158 Bullet 3
    {suitably designed control}When making this evaluation, the service auditor does the following: Obtains an understanding of management's risk assessment process as discussed in the subsequent paragraph and assesses the completeness and accuracy of management's identification of those risks ¶ 3.81 Bullet 1
    {evaluation}{risk assessment process}{includes}The process service organization management uses to assess risk and design and implement controls to mitigate those risks, ¶ 3.82 Bullet 1 Sub-Bullet 1
    {be material}{evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Interactions with third parties. Materiality considerations are based on factors such as the likelihood and magnitude of risks arising from interactions with user entities, business partners, subservice organizations, vendors, or others (referred to collectively as third parties) with access to the service organization's system, the degree to which those risks are relevant to the system, and the extent to which the service organization monitors controls performed by those third parties. In some cases, those third parties operate controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that one or more of the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria. The more necessary those controls are to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria, the more material such interactions with third parties are likely to be. ¶ 3.163 Bullet 5
    {audit evidence} Although a service organization can contract with a subservice organization to perform functions that form a portion of the service organization's system, it still retains obligations to user entities with regard to those functions. As a result, part of its system of internal control includes activities to manage the risks associated with vendors and business partners, including activities to manage the risks associated with the functions performed by the subservice organization. In evaluating the suitability of the design and operating effectiveness of controls, the service auditor considers the nature and extent of the service organization's monitoring controls when determining the nature, timing, and extent of testing to perform. For example, if the service organization has obtained a type 2 report from a subservice organization, the service auditor would review the report to determine whether management has adequately evaluated it by assessing (a) the relevance of the system description and CSOCs to the service organization's system and (b) any deviations requiring further evaluation and response by service organization management. If service organization management has been unable to obtain a type 2 report, the service auditor should consider whether management has directly tested the subservice organization's controls by obtaining evidence about the effectiveness of the subservice organization's controls. However, unless the service auditor is reperforming management's tests of the subservice organization's controls, the service auditor's performance of tests directly on the subservice organization's controls would not provide evidence about the suitability of the design and operating effectiveness of the service organization's controls. In any event, the service auditor should obtain sufficient appropriate evidence of the effectiveness of the CSOCs. 
    In addition, the service auditor needs to consider whether the subservice organization's use of its own IT system and connections to the service organization's IT network represents new vulnerabilities that need to be assessed and addressed as part of the service organization's risk assessment. ¶ 3.154]
    Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976
    [{SOC 2 Examination} Automated application controls may be tested only once or a few times if effective IT general controls are present. In such situations, the service auditor considers whether changes to the control made after the testing, but prior to the end of the examination period, would change his or her conclusion regarding the suitability of design or operating effectiveness of the control and performs additional testing as deemed necessary. ¶ 3.139
    {be effective}{access control}{test of control} Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of the control operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by the program, is changed. Once the service auditor determines that an automated control is functioning as intended, which could be determined at the time the control is initially implemented or at some other date, the service auditor should perform tests to determine that the control continues to function effectively. Such tests ordinarily would include determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for processing transactions, and that other relevant IT general controls are effective. In instances where the automated control is configurable, the service auditor should perform procedures to evaluate the configuration. Such procedures may include obtaining an understanding of the configuration process, performing procedures to test the completeness and accuracy of the configuration parameters, and evaluating the controls over access to alter the configuration. If the control is tested in an environment other than the production environment, the service auditor may need to assess the risk that the functionality of the control in the production environment differs from that in the non-production environment and perform procedures to determine that the environment being tested matches that of the production environment. ¶ 3.138
    {significant change} When performing a type 2 examination, description criterion DC9 indicates that a description should disclose relevant details of changes to the service organization's system during that period. If the service auditor believes changes to the system would be considered significant by report users, the service auditor should determine whether the description includes such information. In addition, the service auditor should consider whether superseded controls are relevant to the achievement of one or more service commitments or system requirements based on the applicable trust services criteria. If so, the service auditor should, if possible, test the superseded controls before the change. If the service organization has used the inclusive method, the service auditor should consider changes to controls at both the service organization and the subservice organization. Paragraph 4.72 presents an example of a separate paragraph that would be added to the service auditor's report when information about such changes is omitted from the description of the service organization's system. ¶ 3.108]
    Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989
    [During the SOC 2® examination, service organization management is responsible for the following: Disclosing to the service auditor the following: All instances in which controls have not operated as described ¶ 2.26 Bullet 9 Sub-Bullet 4
    {be material}{evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Effect of a control deficiency on third parties. A deficiency in controls may relate to the relationship between the service organization and its user entities or business partners. A deficiency in controls at the service organization that could also result in a deficiency in controls at a user entity or business partner is more likely to be considered material. ¶ 3.163 Bullet 11
    {description of the service organization's system} If the service auditor becomes aware that any identified deviations have resulted from fraud, the service auditor should assess the risk that the description does not present the system that was designed and implemented in accordance with the description criteria, the controls are not suitably designed, and, in a type 2 examination, the controls are not operating effectively. In addition, paragraph .33 of AT-C section 205 states that the service auditor should respond appropriately to fraud or suspected fraud and noncompliance or suspected noncompliance with laws or regulations affecting the subject matter that are identified during the engagement. Paragraph .A29 of AT-C section 205 indicates that in these circumstances (unless prohibited by law, regulation, or ethics standards), it may be appropriate for the service auditor to, for example, do the following: ¶ 3.158
    {be attributable}In many SOC 2® examinations, the service auditor also requests additional representations about whether service organization management has disclosed any of the following of which it is aware: Instances of noncompliance with laws and regulations or uncorrected misstatements attributable to the service organization ¶ 3.203(a)
    As a responsible party, subservice organization management is also responsible for complying with the following based on AT-C section 205: Disclosing to the service auditor the following: Knowledge of any actual, suspected, or alleged intentional acts that could adversely affect the description of the service organization's system, the suitability of design of controls, or, in a type 2 examination, the operating effectiveness of controls (Paragraph 2.104 discusses a situation in which service organization management designs the controls at the subservice organization.) ¶ 2.101 Bullet 6 Sub-Bullet 2
    During the SOC 2® examination, service organization management is responsible for the following: Disclosing to the service auditor the following: Incidents of noncompliance with laws and regulations, fraud, or uncorrected misstatements that are clearly not trivial and that may affect one or more user entities and whether such incidents have been communicated appropriately to affected user entities ¶ 2.26 Bullet 9 Sub-Bullet 1
    {written representation}The representations in the SOC 2® examination should do the following: State that management has disclosed to the service auditor its knowledge of any actual, suspected, or alleged fraud or noncompliance with laws or regulations affecting the subject matters; ¶ 3.201(g)(ii)
    In many SOC 2® examinations, the service auditor also requests additional representations about whether service organization management has disclosed any of the following of which it is aware: Knowledge of any actual, suspected, or alleged fraud that could adversely affect the description of the service organization's system or the achievement of the service organization's service commitments or system requirements ¶ 3.203(b)
    {be appropriate} When incidents of fraud or suspected fraud are identified during the examination, the service auditor is expected to respond appropriately. For example, unless prohibited by law, regulation, or ethics standards, appropriate responses may include the following: ¶ 3.191
    As a responsible party, subservice organization management is also responsible for complying with the following based on AT-C section 205: Disclosing to the service auditor the following: All instances in which controls have not operated as described ¶ 2.101 Bullet 6 Sub-Bullet 4
    {be appropriate}As a responsible party, subservice organization management is also responsible for complying with the following based on AT-C section 205: Disclosing to the service auditor the following: Incidents of noncompliance with laws and regulations, fraud, or uncorrected misstatements that are clearly not trivial and that may affect one or more user entities, and whether such incidents have been communicated appropriately to affected user entities ¶ 2.101 Bullet 6 Sub-Bullet 1]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967
    [If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: Acknowledgment from subservice organization management that it will provide the service auditor with a written assertion and representation letter (Both service organization management and subservice organization management are responsible for providing the service auditor with a written assertion and representation letter.) ¶ 2.98 Bullet 2
    During the SOC 2® examination, service organization management is responsible for the following: Providing a written assertion that accompanies the description of the service organization's system, both of which will be provided to report users ¶ 2.26 Bullet 2
    {description of the service organization's system}{audit evidence}The service auditor may perform a variety of procedures to obtain evidence about whether the description presents the system that was designed and implemented in accordance with the description criteria, including a combination of the following: Discussing with management and other service organization personnel the content of management's assertion and the description ¶ 3.59 Bullet 1
    {description of the service organization's system}{SOC 2 engagement} Management's assertion is included in the SOC 2® report along with the description and the service auditor's report. Because of the important role that the assertion plays in the engagement, it may be useful for the service auditor to provide management with an example of a written assertion prior to engagement acceptance. However, service organization management is responsible for drafting its written assertion and may word the assertion in accordance with its practices, as long as it addresses management's conclusions about each of the subject matters discussed in paragraph 1.04 and is not materially inconsistent with the subject matter or the service auditor's report. Illustrative examples of management assertions are presented in appendix D-1, "Illustrative Management Assertion and Service Auditor's Report for a Type 2 Examination (Carved-Out Controls of a Subservice Organization and Complementary Subservice Organization and Complementary User Entity Controls);" appendix D-2, "Illustrative Service Organization and Subservice Organization Management Assertions and Service Auditor's Report for a Type 2 Examination (Subservice Organization Presented Using the Inclusive Method and Complementary User Entity Controls);" and appendix D-3, "Illustrative Service Auditor's Report for a Type 2 Examination in Which the Service Auditor Disclaims an Opinion Because of a Scope Limitation." ¶ 2.67
    In a SOC 3® examination, the responsibilities of the service auditor are substantially the same as those in a SOC 2® examination and include the following: Reaching an understanding with management regarding the provision of a written assertion ¶ 2.172 Bullet 3
    The service auditor should obtain and read the description of the service organization's system and perform procedures to determine whether the description is presented in accordance with the description criteria. Determining whether the description of the service organization's system is presented in accordance with the description criteria involves comparing the service auditor's understanding of the service provided to user entities to the system through which the service is provided based on the trust services category or categories included within the scope of the examination. ¶ 3.20
    {description of the service organization's system} As discussed in chapter 2, service organization management provides the service auditor with a written assertion about whether the description presents the system that was designed and implemented in accordance with the description criteria and whether the controls within the program were effective. Management's written assertion is generally expected to align with the service auditor's opinion by reflecting the same modifications. ¶ 3.226
    A SOC 2® engagement that includes additional subject matters and additional criteria such as those described in the preceding table is predicated on service organization management providing the service auditor with the following: An assertion by management regarding the additional subject matter or criteria ¶ 1.51 Bullet 4
    {be responsible}{description of the service organization's system} In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method of presentation of the description. Service organization management is responsible for evaluating the description of the subservice organization's system, as well as its own. ¶ 2.100
    {description of the service organization's system} Paragraph .10 of AT-C section 205 requires the service auditor to request a written assertion from the responsible party that addresses all the subject matters in the SOC 2® examination. Specifically, the assertion addresses whether (a) the description presents the system designed and implemented in accordance with the description criteria, (b) the controls were suitably designed to provide reasonable assurance that the service organization's service commitments and system requirements were achieved, and (c) in a type 2 examination, the controls operated effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. ¶ 2.66
    {management assertion}{SOC 3 engagement} As discussed in the preceding paragraph, as part of its assertion, management describes the boundaries of the system and the principal service commitments and system requirements. The boundaries of a system addressed by the examination need to be clearly understood, defined, and communicated to report users. Report users need that information to enable them to understand the scope of the service auditor's examination. They also need information about the service organization's principal service commitments and system requirements to enable them to understand how the effectiveness of controls was evaluated based on the applicable trust services criteria. ¶ 4.112
    {management assertion}{SOC 3 engagement} As discussed in the preceding paragraph, as part of its assertion, management describes the boundaries of the system and the principal service commitments and system requirements. The boundaries of a system addressed by the examination need to be clearly understood, defined, and communicated to report users. Report users need that information to enable them to understand the scope of the service auditor's examination. They also need information about the service organization's principal service commitments and system requirements to enable them to understand how the effectiveness of controls was evaluated based on the applicable trust services criteria. ¶ 4.112]
    Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793
    [{SOC 2 engagement}Paragraph .08 of AT-C section 205 states that the agreed-upon terms of the engagement should include the following: The objective and scope of the engagement ¶ 2.71(a)
    {design effectiveness}{operating effectiveness}{control at the service organization}Obtaining an understanding of the service organization's system, including related controls, assists the service auditor in the following: Understanding which controls are necessary to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria, whether the controls were suitably designed to achieve them, and, in a type 2 report, whether controls were operating effectively throughout the specified period to achieve them ¶ 2.113 Bullet 3
    {inclusive method}Management's responsibilities during acceptance and planning of a SOC 3® examination include the following: Identifying subservice organizations and determining whether to present them under the inclusive or carve-out method and, if using the carve-out method, identifying CSOCs, as discussed beginning in paragraph 2.12 and throughout this chapter ¶ 2.168 Bullet 5
    {audit opinion}{SOC 2 Report}In some situations, the service auditor may be requested to also include in the report a description of the service auditor's tests of controls or procedures performed to evaluate the existing or additional subject matter against the existing or additional criteria and the detailed results of those tests. In that case, paragraph .A85 of AT-C section 205 provides the following factors for the service auditor to consider before agreeing to include such information in the report: Whether such a description is likely to overshadow the service auditor's overall opinion, which may cause report users to misunderstand the opinion ¶ 1.53 Bullet 1]
    Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149
    [{audit procedure}Other overall responses a service auditor may select to address the assessed risks of material misstatement include the following: Making changes to the nature, timing, or extent of procedures (for example, selecting different types of procedures, or changing the timing of those procedures, to obtain evidence about the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls) ¶ 3.03 Bullet 5]
    Establish/Maintain Documentation Preventive
    Include how access to in-scope systems, personnel, and in-scope records is provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795
    [{SOC 2® examination}Defining the scope of the examination, which includes the following: Selecting the trust services category or categories to be included within the scope of the examination ¶ 2.04 Bullet 1 Sub-Bullet 4
    {SOC 2 engagement}Paragraph .08 of AT-C section 205 states that the agreed-upon terms of the engagement should include the following: Identification of the criteria for the measurement, evaluation, or disclosure of the subject matter ¶ 2.71(f)
    A SOC 2® engagement that includes additional subject matters and additional criteria such as those described in the preceding table is predicated on service organization management providing the service auditor with the following: A description of the criteria identified by management used to measure and present the subject matter ¶ 1.51 Bullet 2]
    Audits and Risk Management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794
    [{risk assessment procedure}{design effectiveness}{operating effectiveness}{at the same time}{audit evidence}{description of the service organization's system} One or more of the procedures discussed in the preceding paragraph may be accomplished through the performance of a walk-through. In addition, the service auditor may perform such procedures concurrently with procedures to obtain evidence about whether the description is presented in accordance with the description criteria and whether the controls within the program were suitably designed and operated effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. ¶ 2.116
    In some cases, the subservice organization's services and controls have a pervasive effect on the service organization's system. In these circumstances, management and the service auditor would consider whether the use of the carve-out method may result in a description of the service organization's system that is so limited that it is unlikely to be useful to the intended users of the report. When making this determination, consideration of the following factors may be helpful: ¶ 2.16
    When assessing information used in the execution of controls, the service auditor should consider the following factors: The level of assurance being sought from the control ¶ 3.126 Bullet 1
    Based on paragraph .14 of AT-C section 205, the service auditor's understanding should be sufficient to do the following: Provide a basis for designing and performing procedures to respond to the assessed risks and to obtain reasonable assurance to support the service auditor's opinion ¶ 2.111(b)
    {audit process}{audit evidence}{measurement method}{SOC 2 engagement}In establishing the overall engagement strategy, the service auditor ordinarily would do the following: Plan the engagement process, including possible sources of evidence and choices among alternative measurement or evaluation methods. ¶ 2.92(e)
    {description of the service organization's system}{audit procedure} Once the service auditor has assessed the risks, the service auditor should consider the controls the service organization has designed, implemented, and operated to mitigate those risks. As required by paragraph .18 of AT-C section 205, the service auditor should consider the assessed risk of material misstatement as the basis for designing and performing further procedures whose nature, timing, and extent (a) are responsive to assessed risks of material misstatement and (b) allow the service auditor to obtain reasonable assurance about whether the description is presented in accordance with the description criteria, whether the controls were suitably designed, and, in a type 2 examination, whether the controls operated effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. ¶ 2.125
    {SOC 2 Report}{SOC 2 Engagement}In some situations, the service auditor may be requested to also include in the report a description of the service auditor's tests of controls or procedures performed to evaluate the existing or additional subject matter against the existing or additional criteria and the detailed results of those tests. In that case, paragraph .A85 of AT-C section 205 provides the following factors for the service auditor to consider before agreeing to include such information in the report: Whether the service auditor's procedures relate directly to the subject matter of the engagement ¶ 1.53 Bullet 4
    When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider may include, among others, (a) the existence, adequacy, and use of documented internal audit procedures or guidance covering such areas as risk assessments, work programs, documentation, and reporting or (b) whether the internal audit function has appropriate quality control policies and procedures. ¶ 2.142
    {description of the service organization's system} Although the description should be presented in accordance with the description criteria, paragraph .60 of AT-C section 205 does not require the service auditor to determine whether the description discloses every matter related to the service organization's system. That is because the description is intended to meet the common informational needs of the broad range of SOC 2® report users; accordingly, the description is unlikely to contain disclosures considered useful by every report user. For example, a description may omit certain information related to aspects of the service organization's system when those aspects are unlikely to be significant (in other words, they are immaterial) to report users' decisions. ¶ 3.66
    An internal audit function performs assurance and consulting activities designed to evaluate and improve the effectiveness of the service organization's governance, risk management, and internal control processes. Activities similar to those performed by an internal audit function may be conducted by functions with other titles within a service organization. Some or all of the activities of an internal audit function may also be outsourced to a third-party service provider. For example, a service organization may engage a service provider to perform (a) penetration testing, (b) responsibilities of the internal audit function that the function itself does not have the competency or qualifications to perform (for example, performing the IT internal audit function), or (c) a one-time special assessment at the request of the board of directors. Neither the title of the function nor whether it is performed by the service organization or a third-party service provider is a sole determinant of whether the service auditor can use the work of internal auditors. Rather, it is the nature of the activities, the extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal auditors, the competence of internal auditors, and the systematic and disciplined approach of the function that are relevant. References in this guide to the work of the internal audit function include relevant activities of other functions or third-party providers that have these characteristics. ¶ 2.132
    {be different}{be ineffective} In performing his or her procedures, the service auditor may become aware of a system incident that has affected a system of the service organization that is not the system under examination. For example, the service organization may experience a breach in an IT system that is not a component of the system under examination. In such situations, the service auditor needs to understand the nature and cause of the breach because it may have occurred as a result of ineffective controls shared between the service organization's systems. If that is the case, the service auditor should reconsider the assessment of the risk of material misstatement. In addition, if the system incident is related to a security breach, the service auditor should consider whether the inherent risks of the environment connected to the system are significantly different than what was originally assessed, or whether controls within the system may have been compromised due to an advanced persistent threat that has not been detected. As a result of the reassessment of risk, the service auditor may determine that additional procedures need to be performed or that management needs to identify additional controls that are suitably designed and operating effectively in order to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. ¶ 3.159]
    Establish/Maintain Documentation Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148
    [{SOC 2 engagement}Paragraph .08 of AT-C section 205 states that the agreed-upon terms of the engagement should include the following: The objective and scope of the engagement ¶ 2.71(a)
    {description of the service organization's system}{design effectiveness}The service auditor's understanding of the service organization's system and related controls should be sufficient to enable the service auditor to do the following: Provide a basis for designing and performing further procedures that are responsive to the assessed risks and for obtaining reasonable assurance to support the service auditor's opinion on the description, the suitability of design of controls, and, in a type 2 examination, the operating effectiveness of controls. ¶ 2.120 Bullet 2
    {subsequent event}{description of the service organization's system}{report user} After obtaining information about an event, the service auditor determines whether the facts existed at the date of the report and, if so, whether persons who would attach importance to these facts are currently using, or likely to use, the SOC 2® report (which includes the description, management's assertion, and the service auditor's report). The service auditor may do this through discussions with management and other appropriate parties and through the performance of additional procedures that the service auditor considers necessary to determine whether the description, assertion, and service auditor's report need revision or whether the previously issued report continues to be appropriate. ¶ 3.217
    The service auditor's consideration of materiality is a matter of professional judgment and is affected by the service auditor's perception of the common information needs of the broad range of report users as a group. In this context, it is reasonable for the service auditor to assume that report users possess a certain level of knowledge as described in paragraph 1.08. ¶ 2.107
    {description of the service organization's system} Although the description should be presented in accordance with the description criteria, paragraph .60 of AT-C section 205 does not require the service auditor to determine whether the description discloses every matter related to the service organization's system. That is because the description is intended to meet the common informational needs of the broad range of SOC 2® report users; accordingly, the description is unlikely to contain disclosures considered useful by every report user. For example, a description may omit certain information related to aspects of the service organization's system when those aspects are unlikely to be significant (in other words, they are immaterial) to report users' decisions. ¶ 3.66
    {qualified opinion}{SOC 2 examination}{SOC 2 Engagement} The service auditor may also consider whether management has realistic expectations about the examination or whether the service organization may experience significant negative consequences if the service auditor's opinion is qualified because of a lack of appropriate controls and related documentation. In such situations, the service auditor may choose to decline the engagement. ¶ 2.34
    {description criteria} Instead, the disclosures are intended to enable report users to understand the nature of the risks faced by the service organization and the impact of the realization of those risks. ¶ 3.18 ¶ 1
    {description of the service organization's system} As previously discussed, applying the description criteria requires judgment. One of those judgments involves the informational needs of report users. For most SOC 2® reports, there is a broad range of specified parties. Therefore, the description is intended to meet the common informational needs of the specified parties and does not ordinarily include information about every aspect of the system that may be considered important to each individual report user. However, an understanding of the perspectives and information needs of the broad range of intended SOC 2® report users is necessary to determine whether the description is presented in accordance with the description criteria and is sufficient to meet their needs. As discussed in chapter 1, "Introduction and Background," users of a SOC 2® report are expected to have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide them, among other matters. As a result, the service auditor assumes that the report users have such knowledge and understanding. ¶ 3.72]
    Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Communicate Preventive
    Include materiality levels in the audit terms. CC ID 01238
    [{qualitative materiality}{audit procedure}{be appropriate} When establishing the overall strategy for and planning the examination, paragraph .16 of AT-C section 205 requires the service auditor to consider both qualitative and quantitative materiality factors. Due to the vast number of controls within even a small system, the service auditor needs to consider materiality to determine the nature, timing, and extent of procedures necessary to obtain sufficient appropriate evidence to support the service auditor's opinion in the SOC 2® examination. Adoption of an appropriate materiality allows the service auditor to prioritize testing efforts and supports an effective and efficient engagement. ¶ 2.104
    {be different} If the service auditor becomes aware, during the conduct of the examination, of information that would have caused the service auditor to have initially determined a different materiality, paragraph .17 of AT-C section 205 requires the service auditor to reconsider materiality. Chapter 3 of this guide discusses materiality considerations during the performance of the SOC 2® examination in further detail. ¶ 2.109
    {design effectiveness}{qualitative materiality}{quantitative materiality} When considering materiality regarding the suitability of design and operating effectiveness of controls, the service auditor should consider both qualitative and quantitative factors, as discussed beginning in paragraph 3.161. ¶ 3.08
    {be different} Paragraph .17 of AT-C section 205 indicates the service auditor should reconsider materiality if the service auditor becomes aware of information during the examination that would have caused him or her to have initially determined a different materiality. ¶ 3.165
    {be material}{evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Effect of a control deficiency on third parties. A deficiency in controls may relate to the relationship between the service organization and its user entities or business partners. A deficiency in controls at the service organization that could also result in a deficiency in controls at a user entity or business partner is more likely to be considered material. ¶ 3.163 Bullet 11
    {examination engagement}During engagement acceptance and planning, the service auditor is responsible for the following: Establishing an overall strategy for the examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement (see paragraph 2.92) ¶ 2.30 Bullet 4
    The service auditor should consider both qualitative and quantitative factors when evaluating the suitability of design of controls. Qualitative factors the service auditor considers include the following: ¶ 3.163
    {be ineffective} Assessment of the risks of material misstatement is affected by many factors, including materiality considerations (see paragraph 3.05) and the service auditor's understanding of the effectiveness of the control environment or other components of internal control related to the service provided to user entities and business partners. Aspects of the control environment or other components of internal control may enhance or mitigate the effectiveness of specific system controls. Conversely, ineffective aspects of the control environment or other components of the service organization's internal control may cause the service auditor to design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the higher assessed risks related to the ineffective aspects of the control environment or other components of internal control. ¶ 3.01
    {audit opinion}{be material}{description of the service organization's system} After performing the procedures and considering the guidance in paragraphs 3.79–3.105, the service auditor should accumulate instances in which controls were not suitably designed or were not properly implemented, which are considered deficiencies in the SOC 2® examination. As part of the evaluation, the service auditor should assess whether the controls have the ability, as designed, to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria. The service auditor should also consider the potential effect of other factors that may affect the opinion on the suitability of the design of controls, such as misstatements in the description or deficiencies in the operating effectiveness of controls. Generally, if controls are not suitably designed and implemented to provide reasonable assurance that one or more service commitments or system requirements were achieved based on the applicable trust services criteria, such deficiencies are considered material. Materiality considerations when evaluating the suitability of design of controls are discussed beginning in paragraph 3.161. ¶ 3.104
    {SOC 2 engagement}{be different} Paragraph .17 of AT-C section 205 indicates that the service auditor should reconsider materiality if the service auditor becomes aware of information during the engagement that would have caused the service auditor to have initially determined a different materiality. ¶ 3.78
    {be material}{evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Intentional acts. A deficiency or deviation may be the result of an intentional or an unintentional act. An intentional act, particularly one perpetrated by service organization management or senior management, is likely to be considered more material than an unintentional act. ¶ 3.163 Bullet 10
    {audit procedure} In a SOC 2® examination, the service auditor needs to consider materiality during risk assessment and when determining the nature, timing, and extent of procedures to perform during the SOC 2® examination. Adoption of an appropriate materiality for each of the subject matters in the SOC 2® examination allows the service auditor to prioritize testing efforts and supports an effective and efficient engagement. ¶ 3.06
    The service auditor's consideration of materiality is a matter of professional judgment and is affected by the service auditor's perception of the common information needs of the broad range of report users as a group. In this context, it is reasonable for the service auditor to assume that report users possess a certain level of knowledge as described in paragraph 1.08. ¶ 2.107
    {qualitative materiality}{quantitative materiality} Paragraph .A15 of AT-C section 205 indicates that the service auditor should consider the concept of materiality in the context of qualitative factors (as discussed in the next paragraph) and quantitative factors (for example, when service organization management elects to disclose the percentage of time that its internet-based systems were available during the period). ¶ 3.74
    The concept of materiality is not applied when reporting the results of tests of controls for which deviations have been identified because the service auditor does not have the ability to determine whether a deviation will have significance to an individual report user, beyond whether it prevents a control from operating effectively. Consequently, the service auditor's description of tests of controls and results includes all deviations. If the service auditor has not identified any deviations, the service auditor may document those results with a phrase such as "No exceptions noted" or "No deviations noted." Appendix D-4, "Illustrative Type 2 Report (Including Management's Assertion, Service Auditor's Report, and the Description of the System)," contains an example of a description of tests of controls in which no deviations have been identified. ¶ 4.16
    {audit procedure}{audit evidence} Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity required to evaluate the effectiveness of the control. As the significance of these factors increases, so does the need for the service auditor, rather than the internal audit function, to perform the procedures, and conversely, as these factors decrease in significance, the need for the service auditor to perform the tests decreases. ¶ 2.147
    {test of control} The extent of the service auditor's testing refers to the size of the sample tested or the number of observations of a control activity. The extent of testing is based on the service auditor's professional judgment after considering the tolerable rate of deviation, the expected rate of deviation, the frequency with which the control operates, the relevance and reliability of the evidence that can be obtained to support the conclusion that the controls are operating effectively, the length of the testing period, the significance of the control to the achievement of the service organization's service commitments and system requirements based on the applicable trust services criteria, and the extent to which audit evidence is obtained from tests of other controls that support the achievement of those service commitments and system requirements based on the applicable trust services criteria. ¶ 3.134
    {audit evidence} Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity required to evaluate the effectiveness of the control. As the significance of these factors increases, so does the need for the service auditor, rather than the internal audit function, to perform the procedures, and conversely, as these factors decrease in significance, the need for the service auditor to perform the tests decreases. ¶ 3.169
    {be material}{description of the service organization's system} As discussed in chapter 2, the service auditor has a responsibility to consider known or suspected incidents of fraud and noncompliance with laws or regulations. Such incidents may include, for example, the intentional bypassing of controls and the intentional misstatement of one or more aspects of the description. As discussed in paragraph 3.163, when a deficiency or deviation is the result of an intentional act, it is likely to be considered more material than a deficiency or deviation caused by an unintentional act, particularly if the intentional act was perpetrated by a member of senior management. The service auditor determines the effect of such incidents on the description; the suitability of design of controls; in a type 2 examination, the operating effectiveness of controls; and the service auditor's report. Additionally, the service auditor communicates such information to appropriate parties. ¶ 3.190
    {be material}{evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Interactions with third parties. Materiality considerations are based on factors such as the likelihood and magnitude of risks arising from interactions with user entities, business partners, subservice organizations, vendors, or others (referred to collectively as third parties) with access to the service organization's system, the degree to which those risks are relevant to the system, and the extent to which the service organization monitors controls performed by those third parties. In some cases, those third parties operate controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that one or more of the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria. The more necessary those controls are to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria, the more material such interactions with third parties are likely to be. ¶ 3.163 Bullet 5
    {description of the service organization's system} When considering materiality regarding the description, the service auditor considers whether misstatements or omissions in the description, individually or in the aggregate, could reasonably be expected to influence decisions of specified parties to the SOC 2® report. For example, in a SOC 2® examination on controls relevant to privacy, the service auditor may determine that the description fails to disclose a principal service commitment involving compliance with the European Union's General Data Protection Regulation, to which the service organization is subject. If the service auditor determines that such information could reasonably be expected to influence the decisions of SOC 2® report users, the service auditor may conclude that the omission of such information from the description results in a material misstatement. In that case, the service auditor would request that management amend the description by including the relevant information. ¶ 3.73
    {evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Relevance to compliance with laws and regulations. If the service organization is subject to requirements specified by laws or regulations related to security and the other trust services categories included within the scope of the SOC 2® examination, identified deficiencies and deviations related to compliance are likely to be significant because they may have additional consequences to the organization. Requirements established by laws and regulations may therefore need to be included in the consideration of materiality and the related engagement strategy. For laws and regulations that have a direct effect (for example, laws protecting sensitive personal information), the service organization may establish service commitments and system requirements about compliance with such laws. Other laws and regulations may be less directly linked to security and the other trust services categories; however, they may still be relevant to the examination (for example, regulations over the physical storage of biohazard materials, when the materials are stored in a warehouse with access secured by an electronic badging system). ¶ 3.163 Bullet 4]
    Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239
    [{system component} The service auditor would also obtain an understanding of any significant changes to the service organization's system that occurred during the extended or modified period, including significant changes to the services provided to user entities and significant changes to any of the components of the system used to provide such services. Paragraphs 3.62 and 3.108, respectively, discuss the service auditor's responsibilities for obtaining an understanding of and performing procedures that address significant changes in the service organization's system. ¶ 2.82
    {description of the service organization's system} Description criterion DC9 requires the description to disclose the relevant details of significant changes to the service organization's system during the period that are relevant to the service organization's service commitments and system requirements. Relevant changes are those that are likely to be relevant to the system being examined (for example, the service organization's migration to a cloud infrastructure). In that case, disclosure of the changes is likely to be important to report users. ¶ 3.55
    {description of the service organization's system}{be appropriate} Significant changes to be disclosed consist of those that are likely to be relevant to the broad range of report users. Disclosure of such changes is expected to include an appropriate level of detail, such as the date the changes occurred and how the system differed before and after the changes. Examples of significant changes to a system include the following: ¶ 3.56
    {be significant}{description of the service organization's system}{audit opinion} When performing the SOC 2® examination, the service auditor should also obtain an understanding of changes in the service organization's system implemented during the period covered by the examination. If the service auditor believes that the changes would be considered significant by the broad range of report users, the service auditor should determine whether those changes have been included in the description. The narrative discussing the change would be expected to contain an appropriate level of detail, including the date the change occurred and how the affected aspects of the system differed before and after the change. If such changes have not been included in the description, the service auditor may ask management to amend the description to include that information. If service organization management refuses to include this information in the description, the service auditor should consider the effect on his or her opinion on the description. ¶ 3.62
    {be significant} If a significant change occurs during the gap period, service organization management may decide that such changes are likely to be considered significant to report users. In that case, management may include a description of such changes in the section of the type 2 report titled, "Other Information Provided by the Service Organization." An example of such a change is a conversion to a new computer system or application during the gap period that results in (a) new or additional controls that are considered significant to report users and (b) controls over the conversion process that were not tested by the service auditor. ¶ 3.58
    {significant change} When performing a type 2 examination, description criterion DC9 indicates that a description should disclose relevant details of changes to the service organization's system during that period. If the service auditor believes changes to the system would be considered significant by report users, the service auditor should determine whether the description includes such information. In addition, the service auditor should consider whether superseded controls are relevant to the achievement of one or more service commitments or system requirements based on the applicable trust services criteria. If so, the service auditor should, if possible, test the superseded controls before the change. If the service organization has used the inclusive method, the service auditor should consider changes to controls at both the service organization and the subservice organization. Paragraph 4.72 presents an example of a separate paragraph that would be added to the service auditor's report when information about such changes is omitted from the description of the service organization's system. ¶ 3.108]
    Establish/Maintain Documentation Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240
    [{audit procedure}{be appropriate}{be effective}{be efficient} When planning the SOC 2® examination, the engagement partner and other key members of the engagement team develop an overall strategy for the scope, timing, and conduct of the engagement and an engagement plan, consisting of a detailed approach for the nature, timing, and extent of procedures to be performed. Adequate planning helps the service auditor devote appropriate attention to important areas of the engagement, identify potential problems on a timely basis, and properly organize and manage the engagement to make sure it is performed in an effective and efficient manner. Adequate planning also assists the service auditor in properly assigning work to engagement team members and facilitates the direction, supervision, and review of their work. Furthermore, if the work of internal auditors, other service auditors, or specialists is used in the engagement, proper planning helps the service auditor coordinate their work. ¶ 2.91
    {Planning to Use the Work of a Service Auditor's Specialist}The nature, timing, and extent of the service auditor's procedures to evaluate the matters discussed in this section vary depending on the circumstances of the engagement. When determining the nature, timing, and extent of those procedures, paragraph .38 of AT-C section 205 states that the service auditor should consider the following: The risks of material misstatement in the matter to which the service auditor's specialist's work relates ¶ 2.165(c)
    {SOC 2 engagement} Paragraph .45 of AT-C section 205 also requires the service auditor to accumulate description misstatements or deficiencies identified during the engagement, other than those that are clearly trivial. In addition, the service auditor should accumulate deviations that have not been determined to rise to the level of a deficiency and consider whether, in the aggregate, they result in a deficiency. ¶ 3.188
    {report user}When evaluating the results of procedures, the service auditor investigates the nature and cause of any identified description misstatements and deficiencies or deviations in the effectiveness of controls and determines the following: Whether the identified description misstatements result in either the failure to meet one or more of the description criteria or in a presentation that could be misunderstood by users if the service auditor's opinion were not modified to reflect the identified description misstatements ¶ 3.185 Bullet 1
    {examination engagement}During engagement acceptance and planning, the service auditor is responsible for the following: Establishing an overall strategy for the examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement (see paragraph 2.92) ¶ 2.30 Bullet 4
    {audit procedure}The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: The results of procedures performed, including whether such procedures identified specific description misstatements and deficiencies ¶ 4.09 Bullet 4
    {SOC 2 engagement} Paragraph .45 of AT-C section 205 requires the service auditor to accumulate description misstatements or deficiencies identified during the engagement, other than those that are clearly trivial. In addition, the service auditor should accumulate deviations that have not been determined to rise to the level of a deficiency and consider whether, in the aggregate, they result in a deficiency. ¶ 3.70
    {SOC 2 examination} The service auditor accumulates misstatements and deficiencies related to each of the subject matters of the examination—the description, the suitability of design of controls, and, in a type 2 examination, the operating effectiveness of controls—to determine whether the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. Misstatements or deficiencies related to a specific subject matter in the service auditor's opinion (for example, the description of the service organization's system) may affect the other subject matters in the opinion (the suitability of the design or operating effectiveness of controls). For example, a description misstatement resulting from the inclusion of controls that have not been implemented may also affect the suitability of the design of controls and the operating effectiveness of the controls because the service organization has not implemented those controls. Chapter 4, "Forming the Opinion and Preparing the Service Auditor's Report," discusses the effect that the service auditor's opinion modification on one subject matter may have on the other subject matters. ¶ 3.11
    {be different}{be ineffective} In performing his or her procedures, the service auditor may become aware of a system incident that has affected a system of the service organization that is not the system under examination. For example, the service organization may experience a breach in an IT system that is not a component of the system under examination. In such situations, the service auditor needs to understand the nature and cause of the breach because it may have occurred as a result of ineffective controls shared between the service organization's systems. If that is the case, the service auditor should reconsider the assessment of the risk of material misstatement. In addition, if the system incident is related to a security breach, the service auditor should consider whether the inherent risks of the environment connected to the system are significantly different than what was originally assessed, or whether controls within the system may have been compromised due to an advanced persistent threat that has not been detected. As a result of the reassessment of risk, the service auditor may determine that additional procedures need to be performed or that management needs to identify additional controls that are suitably designed and operating effectively in order to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. ¶ 3.159]
    Establish/Maintain Documentation Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Business Processes Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952
    [{not continue} If the service auditor believes that management does not have a reasonable basis for its assertion, or that sufficient appropriate evidence to support the basis is unlikely to be available, the service auditor should not accept or continue the engagement. ¶ 2.56
    {SOC 2 engagement} If there have been significant changes in the service organization's system, it may not be appropriate for the service auditor to perform an engagement for an extended or modified period. For example, if a service organization converted from one application processing system to another during the new period and made significant modifications to the controls, the service auditor may decide that communicating information about changes in controls may present challenges for the broad range of report users of the SOC 2® report. Therefore, the service auditor may decide that an engagement covering an extended or modified period would not be appropriate in this situation. ¶ 2.85
    {audit criteria}{test result}{not accept}{SOC 2 examination} The service auditor may also consider whether the intended users of the report are likely to understand the nature of the examination, the criteria used, and the tests performed and results thereof (for example, acceptable deviation rates or inherent limitations on the effectiveness of controls). If intended users are unlikely to understand that information, a greater potential exists for them to misunderstand the report; in that case, the service auditor may decide not to accept the examination. ¶ 2.48
    {be appropriate} Chapter 1, "Introduction and Background," of this guide discusses quality in the SOC 2® examination. Maintaining appropriate quality in the engagement involves having the work performed by engagement team members with the appropriate competence and capabilities. For that reason, as discussed in paragraph 2.33, the service auditor should not accept the SOC 2® examination unless he or she has determined that the individuals who would perform the engagement have the appropriate competence and capabilities to perform it. ¶ 2.39
    When the subject matter of the engagement relates to only one part of a broader subject matter and, as a result, paragraph .A41 of AT-C section 105 indicates that the examination may not meet the information needs of intended users, the service auditor may question accepting an engagement. For example, assume a service organization functions primarily as an intermediary between user entities and a subservice organization and performs few or no functions related to the services it provides them. If the service organization's controls do not materially contribute to the achievement of the subservice organization's service commitments and system requirements, a report on that service organization's controls that carves out the subservice organization is unlikely to meet the information needs of intended users and would, consequently, not be an appropriate subject matter. ¶ 2.47
    {audit term}{audit opinion}{design effectiveness}{description of the service organization's system} However, if the service auditor and the engaging party are unable to agree to a change of the terms of the SOC 2® examination, the service auditor and management may agree to continue the engagement in accordance with the original terms or mutually agree to terminate the engagement. If management does not accept either of these alternatives, the service auditor should take appropriate action, which could include disclaiming an opinion on the description and the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls, or withdrawing from the engagement. ¶ 2.78
    {qualified opinion}{SOC 2 examination}{SOC 2 Engagement} The service auditor may also consider whether management has realistic expectations about the examination or whether the service organization may experience significant negative consequences if the service auditor's opinion is qualified because of a lack of appropriate controls and related documentation. In such situations, the service auditor may choose to decline the engagement. ¶ 2.34
    {be relevant} Although not required by the attestation standards, the service auditor would ordinarily expect the engaging party to sign the engagement letter. The engaging party's refusal to sign the engagement letter would be a relevant factor in the service auditor's consideration of the integrity of the client and the service auditor's decision about whether to accept or continue the engagement. If service organization management is the engaging party and refuses to sign the engagement letter, the service auditor should decline to accept or perform the SOC 2® examination, unless that is not allowed by applicable law or regulation. ¶ 2.74]
    Audits and Risk Management Detective
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912
    [{be relevant} Although not required by the attestation standards, the service auditor would ordinarily expect the engaging party to sign the engagement letter. The engaging party's refusal to sign the engagement letter would be a relevant factor in the service auditor's consideration of the integrity of the client and the service auditor's decision about whether to accept or continue the engagement. If service organization management is the engaging party and refuses to sign the engagement letter, the service auditor should decline to accept or perform the SOC 2® examination, unless that is not allowed by applicable law or regulation. ¶ 2.74]
    Business Processes Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951
    [{audit term}{audit opinion}{design effectiveness}{description of the service organization's system} However, if the service auditor and the engaging party are unable to agree to a change of the terms of the SOC 2® examination, the service auditor and management may agree to continue the engagement in accordance with the original terms or mutually agree to terminate the engagement. If management does not accept either of these alternatives, the service auditor should take appropriate action, which could include disclaiming an opinion on the description and the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls, or withdrawing from the engagement. ¶ 2.78
    {description of the service organization's system}{SOC 2 engagement} If the service auditor believes that the service commitments and system requirements identified by management and stated in the description are not appropriate for the SOC 2® examination, the service auditor should discuss the matter with management. If management is unwilling to revise the description to include the service commitments and system requirements that the service auditor believes would result in a SOC 2® report that is likely to meet the common needs of the broad range of users, the service auditor may decide (a) to refuse to accept the engagement or (b) to restrict the use of the report to those users who are able to understand the risks not addressed by the service organization's service commitments and system requirements. Chapter 3 discusses considering the disclosures that service organization management makes about its service commitments and system requirements as part of the evaluation of whether the description presents the system that was designed and implemented in accordance with the description criteria. It also discusses the situation when, after accepting the engagement, the service auditor obtains evidence that causes him or her to believe that the service organization's service commitments and system requirements are not appropriate for the examination. ¶ 2.65]
    Audits and Risk Management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933
    [A service auditor should accept or continue an engagement to examine and report on controls at a service organization only if the preconditions for an attestation engagement identified in paragraphs .24–.25 of AT-C section 105 are met: ¶ 2.43
    {examination engagement}The quality control requirements for competence and ethical behavior are reiterated in paragraph .27 of AT-C section 105, which states that the service auditor should accept or continue a SOC 2® examination only when the service auditor has determined that the engagement to be performed meets all the preconditions for an attestation engagement. (See paragraph 2.44.) ¶ 2.32(c)
    {audit term}{audit opinion}{design effectiveness}{description of the service organization's system} However, if the service auditor and the engaging party are unable to agree to a change of the terms of the SOC 2® examination, the service auditor and management may agree to continue the engagement in accordance with the original terms or mutually agree to terminate the engagement. If management does not accept either of these alternatives, the service auditor should take appropriate action, which could include disclaiming an opinion on the description and the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls, or withdrawing from the engagement. ¶ 2.78
    {examination engagement}During engagement acceptance and planning, the service auditor is responsible for the following: Determining whether to accept or continue an engagement for a particular client. In making this determination, the service auditor needs to consider whether the preconditions for accepting an examination as discussed in paragraphs .24–.25 of AT-C section 105 have been met (see paragraph 2.44) ¶ 2.30 Bullet 1
    {does not have} Quality control policies and procedures to comply with the quality control requirements often include consideration of the integrity and reputation of service organization management and significant shareholders or principal owners to determine whether the firm's reputation is likely to suffer by association. Generally, the service auditor will accept or continue a client relationship only after he or she has considered the integrity of service organization management, significant shareholders, or principal owners and has no information that would lead the service auditor to believe that the client lacks integrity. Absent such information, a service auditor generally would conclude that it is unlikely that association with the client would expose the service auditor to undue risk of damage to his or her professional reputation or financial loss. ¶ 2.33
    In a SOC 3® examination, the responsibilities of the service auditor are substantially the same as those in a SOC 2® examination and include the following: Determining whether to accept or continue the engagement ¶ 2.172 Bullet 1
    {ethical requirement} Prior to accepting a SOC 2® examination, AT-C section 105, Concepts Common to All Attestation Engagements, requires the service auditor to determine that certain preconditions are met. Among other things, those preconditions require the service auditor to determine whether the engagement team meets the ethical and competency requirements set forth in the professional standards and whether the engagement meets the relevant requirements of the attestation standards. Prior to engagement acceptance, a service auditor is also required to establish an understanding with management about its responsibilities and those of the service auditor in the SOC 2® examination. ¶ 2.01]
    Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730
    [{description of the service organization's system}{SOC 2 Examination} Although service organization management may describe the system controls in the description, it also might refer to a table of controls presented in a separate section of the SOC 2® report. If the description refers to a table of controls, the table is considered part of the description; therefore, it is addressed by the service auditor's examination. Often, the service auditor describes the tests of controls performed and the results thereof in the same table. Guidance on the types of information to be included in the description of tests of controls and the results thereof is discussed beginning in paragraph 4.15. ¶ 3.31
    {SOC 2 engagement}{audit opinion} Ordinarily, if management refuses to provide a written assertion, the service auditor is required to withdraw from the engagement. However, if the service auditor is required by law or regulation to accept or continue an engagement to report on controls at a service organization and management refuses to provide a written assertion, the service auditor may conduct the engagement and, ultimately, should disclaim an opinion. ¶ 4.66
    {suitably designed control}{evaluation} If the inclusive method is used to present the services and controls performed by a subservice organization, the service auditor also performs these procedures with respect to the controls at the subservice organization. ¶ 3.81 ¶ 1
    The Committee of Sponsoring Organizations of the Treadway Commission defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance." For a service organization's system, these objectives are the achievement of service commitments made to user entities and other system requirements that service organization management establishes for the functioning of the system. Consequently, when the trust services criteria are used to evaluate the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls to provide reasonable assurance that the service organization's system objectives were achieved, the controls are evaluated against their ability to achieve the service organization's service commitments and system requirements. Therefore, the service auditor obtains the service organization's service commitments and system requirements and assesses their appropriateness. ¶ 2.58
    A service organization may engage the service auditor to examine and report on subject matters in addition to the description of the service organization's system in accordance with the description criteria and the suitability of design and operating effectiveness of controls based on the applicable trust services criteria. In that case, the service auditor would also examine and report on whether the additional subject matter is presented in accordance with the additional suitable criteria used to evaluate it. Table 1-3 provides examples of additional subject matters and additional criteria that may be used to evaluate them. ¶ 1.50
    {audit evidence}{responsible individual} In the type 2 examination, the service auditor tests the operating effectiveness of the controls stated in the description based on the applicable trust services criteria. The service auditor performs procedures (known as tests of controls) to obtain evidence about the operating effectiveness of controls. Evidence from tests of controls usually relates to how the controls were applied, the consistency with which they were applied, and by whom or in what manner they were applied. When a service organization uses the inclusive method to present the services and controls of a subservice organization, the service auditor also applies tests of controls to the controls at the subservice organization. ¶ 3.107
    {applicable requirement} Generally, such other information is presented in a separate section of the report entitled, "Other Information Provided by the Service Organization." Information in this section is not covered by the service auditor's report; however, the service auditor is required to perform the procedures outlined in paragraph 4.100 on the other information. ¶ 4.97
    {audit report} Any material deficiencies identified in the portion of the original period that is included in the extended or modified period would be included in the report on the extended or modified period, even if they were corrected during the extended or modified period. The service auditor considers the status of any deviations, deficiencies, or other matters noted in the portion of the original period that is also included in the extended or modified period, plus any exceptions, deficiencies, or other matters noted during the new period. For example, assume the original report covered the period January 1, 20X1, to June 30, 20X1, and included a deficiency in operating effectiveness. Also assume that the deficiency was corrected on August 15, 20X1. For a report covering an examination period of January 1 through September 30, the deficiency in operating effectiveness would be reported for the period from January 1 through August 15, 20X1. No reference to the original report would be made in the extended or modified report. ¶ 2.88]
    Audits and Risk Management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [{SOC 2 examination}{audit procedure}{audit evidence}However, the documentation should be sufficient to determine the following: The results of the procedures performed and the evidence obtained ¶ 3.222(b)]
    Actionable Reports or Measurements Preventive
    Document any after the fact changes to the engagement file. CC ID 07002
    [{include}{documentation}{SOC 2® examination}{SOC 2 Report}If, after the date of the report, the service auditor becomes aware of facts that may have caused the service auditor to revise the report had they been known at the time of the report, the circumstances encountered; ¶ 3.223 Bullet 2 Sub-Bullet 1
    {be significant} If a significant change occurs during the gap period, service organization management may decide that such changes are likely to be considered significant to report users. In that case, management may include a description of such changes in the section of the type 2 report titled, "Other Information Provided by the Service Organization." An example of such a change is a conversion to a new computer system or application during the gap period that results in (a) new or additional controls that are considered significant to report users and (b) controls over the conversion process that were not tested by the service auditor. ¶ 3.58
    {include}{documentation}{SOC 2® examination}{SOC 2 Report}{person responsible}If, after the date of the report, the service auditor becomes aware of facts that may have caused the service auditor to revise the report had they been known at the time of the report, when and by whom the resulting changes to the documentation were made and reviewed ¶ 3.223 Bullet 2 Sub-Bullet 3]
    Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179
    [When planning a SOC 2® examination, a service auditor may decide that engaging or assigning a specialist with specific skills and knowledge is necessary to execute the planned examination. If a service auditor's specialist will be used in the SOC 2® examination, paragraph .36 of AT-C section 205 requires the service auditor to do the following: Agree with the specialist regarding the need for the service auditor's specialist to observe confidentiality requirements. ¶ 2.160(c)(iv)]
    Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180
    [{third party}{ethical requirement} Because potential conflicts with the service auditor's ethical and legal confidentiality obligations may be complex, the service auditor may decide to consult with legal counsel before discussing noncompliance with parties outside the service organization. ¶ 3.196]
    Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Conduct onsite inspections, as necessary. CC ID 16199 Testing Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and Risk Management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010 Investigate Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979
    [{control at the service organization}Obtaining an understanding of the service organization's system, including related controls, assists the service auditor in the following: Assessing whether the description of the service organization's system presents the system that has been designed and implemented in accordance with the description criteria ¶ 2.113 Bullet 2
    The service auditor's understanding of the service organization's system and related controls should be sufficient to enable the service auditor to do the following: Identify and assess the risks that the description of the service organization's system that was implemented and operated is not presented in accordance with the description criteria. ¶ 2.120 Bullet 1 Sub-Bullet 1
    {description of the service organization's system}As part of the service auditor's evaluation of whether the description is misleading within the context of the engagement, the service auditor may consider whether the description inadvertently or intentionally omits or distorts material information about any of the description criteria that might affect the decisions of report users (for example, the failure to include in the description significant aspects of processing performed at another location included within the scope of the examination). ¶ 3.67 Bullet 3
    {description of the service organization's system}An understanding of the service organization's process for preparing the description may assist the service auditor in designing procedures to evaluate whether the description is presented in accordance with the description criteria. ¶ 2.117 Bullet 3
    {description of the service organization's system}{design effectiveness}{operating effectiveness} Activities of the internal audit function that may be relevant to the SOC 2® examination include those that provide information or evidence about whether the description is presented in accordance with the description criteria or whether controls were suitably designed and, in a type 2 examination, operating effectively. ¶ 2.133
    The description of the services provided by a subservice organization should be prepared at a level of detail that could reasonably be expected to meet the common informational needs of the broad range of report users. The following is an example of a description of a service organization that uses a subservice organization to provide its computer processing infrastructure: ¶ 3.49
    {be sufficient}{description of the service organization's system}When deciding whether the disclosures stated in the description are appropriate, the service auditor may consider matters such as the following: Are the service commitments presented in sufficient detail for report users to understand the relationship between the controls implemented by the service organization and the service commitments and system requirements? For example, a service organization may implement certain system components at a second data center to mirror transaction data on a real-time basis to meet a commitment to provide failover processing in the event of a disruption of services. ¶ 3.26(a)
    {description of the service organization's system}When deciding whether the disclosures stated in the description are appropriate, the service auditor may consider matters such as the following: When the SOC 2® report is designed for a broad range of users, does the description summarize the principal service commitments that are common to such report users? For example, assume a service organization makes a general system availability commitment to all user entities but makes additional service level agreements to others. In such situations, the description may be presented in accordance with the description criteria if it addresses the commitments made to all user entities but is silent on the commitments made to specific user entities. ¶ 3.26(b)
    During the SOC 2® examination, service organization management is responsible for the following: Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description ¶ 2.26 Bullet 1
    {control at the service organization} The service auditor should obtain an understanding of the service organization's system, including controls within the system. That understanding should include the service organization's processes and procedures used to do the following: Prepare the description of the service organization's system, including the determination of the service organization's service commitments and system requirements ¶ 2.110(a)
    {be accurate}{be relevant}{description of the service organization's system} The description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and relevant to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria. When making this evaluation, the service auditor may review system documentation and contracts with user entities, make inquiries of service organization personnel, and perform other such procedures as he or she considers necessary. ¶ 3.41
    {description of the service organization's system}{audit evidence}The service auditor may perform a variety of procedures to obtain evidence about whether the description presents the system that was designed and implemented in accordance with the description criteria, including a combination of the following: Discussing with management and other service organization personnel the content of management's assertion and the description ¶ 3.59 Bullet 1
    {description of the service organization's system} Based on paragraph .60 of AT-C section 205, the service auditor should evaluate whether the description is misleading within the context of the engagement based on the evidence obtained. Paragraph .A73 of AT-C section 205 states that, when making this evaluation, the service auditor may consider whether additional disclosures are necessary to supplement the description. Additional disclosures may include, for example, ¶ 3.64
    {description of the service organization's system}As part of the service auditor's evaluation of whether the description is misleading within the context of the engagement, the service auditor may consider whether the description contains statements that cannot be objectively evaluated. For example, describing a service organization as being the "world's best" or "most respected in the industry" is subjective and, therefore, could be misleading to report users. ¶ 3.67 Bullet 1
    {description of the service organization's system}As part of the service auditor's evaluation of whether the description is misleading within the context of the engagement, the service auditor may consider whether the description contains or implies certain facts that are not true (for example, that certain IT components exist when they do not or that certain processes and controls have been implemented when they are not being performed). ¶ 3.67 Bullet 2
    The service auditor should obtain and read the description of the service organization's system and perform procedures to determine whether the description is presented in accordance with the description criteria. Determining whether the description of the service organization's system is presented in accordance with the description criteria involves comparing the service auditor's understanding of the service provided to user entities to the system through which the service is provided based on the trust services category or categories included within the scope of the examination. ¶ 3.20
    {description of the service organization's system}{subsequent event}{be adequate}{be inadequate} If the service auditor believes the event is of such a nature and significance that its disclosure is necessary to prevent report users from being misled, the service auditor should determine whether information about the event is adequately disclosed in the description or in management's assertion. For example, assume that, after the period covered by the examination but prior to the date of the service auditor's report, service organization management learns of a system incident involving the loss of customers' personal information. After investigation, management determines that the incident stemmed from an otherwise unknown vulnerability in its system; furthermore, that vulnerability existed during the examination period. In this example, the service auditor ordinarily would conclude that the matter should be disclosed in the description and assertion. If it is not, the service auditor's course of action depends on the service auditor's legal and ethical rights and obligations. Therefore, the service auditor may consider seeking legal advice before deciding on a course of action. Appropriate actions may include ¶ 3.219
    {description of the service organization's system}{evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Alignment between the processes and controls stated in the description and the underlying system controls implemented by the service organization. If the description includes a particular control, it is likely that report users will presume that the control is material for the purposes of the SOC 2® examination. Similarly, report users are likely to expect that such controls, individually or in combination with other controls, support the processes and controls stated in the description; for this reason, they would ordinarily expect the service auditor to test and evaluate those controls as part of the evaluation of suitability of design and operating effectiveness. ¶ 3.163 Bullet 2
    {be significant}{description of the service organization's system}{audit opinion} When performing the SOC 2® examination, the service auditor should also obtain an understanding of changes in the service organization's system implemented during the period covered by the examination. If the service auditor believes that the changes would be considered significant by the broad range of report users, the service auditor should determine whether those changes have been included in the description. The narrative discussing the change would be expected to contain an appropriate level of detail, including the date the change occurred and how the affected aspects of the system differed before and after the change. If such changes have not been included in the description, the service auditor may ask management to amend the description to include that information. If service organization management refuses to include this information in the description, the service auditor should consider the effect on his or her opinion on the description. ¶ 3.62
    {significant change} When performing a type 2 examination, description criterion DC9 indicates that a description should disclose relevant details of changes to the service organization's system during that period. If the service auditor believes changes to the system would be considered significant by report users, the service auditor should determine whether the description includes such information. In addition, the service auditor should consider whether superseded controls are relevant to the achievement of one or more service commitments or system requirements based on the applicable trust services criteria. If so, the service auditor should, if possible, test the superseded controls before the change. If the service organization has used the inclusive method, the service auditor should consider changes to controls at both the service organization and the subservice organization. Paragraph 4.72 presents an example of a separate paragraph that would be added to the service auditor's report when information about such changes is omitted from the description of the service organization's system. ¶ 3.108
    {be responsible}{description of the service organization's system} In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method of presentation of the description. Service organization management is responsible for evaluating the description of the subservice organization's system, as well as its own. ¶ 2.100
    {description of the service organization's system}{principal system requirement}{SOC 2 engagement} Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to understand how the system operates and how management and the service auditor evaluated the suitability of the design of controls and, in a type 2 examination, the operating effectiveness of controls. Because of the importance of the service commitments and system requirements to the SOC 2® examination, the principal service commitments and system requirements disclosed by management should be appropriate for the engagement. Chapter 2, "Accepting and Planning a SOC 2® Examination," discusses the service auditor's responsibility for assessing whether the principal service commitments and system requirements disclosed by service organization management in the description are appropriate. ¶ 1.49]
    Testing Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983
    [{description of the service organization's system} Service organization management is responsible for having a reasonable basis for its assertion about the description and the effectiveness of controls stated therein. Furthermore, because management's assertion generally addresses the suitability of design of controls and, in a type 2 examination, the operating effectiveness of controls over a period of time, management's basis for its assertion covers the same time frame. The procedures during a type 1 or type 2 examination are not considered a basis for management's assertion because the service auditor is not part of the service organization's internal control. ¶ 2.50
    {system boundary}{audit criteria}{be capable}{audit opinion} According to paragraph .A37 of AT-C section 105, subject matter is appropriate if it is identifiable, capable of consistent measurement or evaluation based on the criteria, and can be subjected to procedures for obtaining sufficient appropriate evidence to support an opinion. In a SOC 2® examination, the service auditor should consider whether the system used to provide the services is identifiable. For instance, the boundaries of a system addressed by a SOC 2® examination may not be as clear as the boundaries of a financial reporting system addressed by a SOC 1® examination; therefore, before accepting a SOC 2® examination, the service auditor and management should agree on the system being reported on and its boundaries. In doing so, management and the service auditor consider the relationship between the boundaries of each of the components of the system used to provide the services, as discussed in paragraph 1.21. ¶ 2.45
    The service auditor should obtain and read the description of the service organization's system and perform procedures to determine whether the description is presented in accordance with the description criteria. Determining whether the description of the service organization's system is presented in accordance with the description criteria involves comparing the service auditor's understanding of the service provided to user entities to the system through which the service is provided based on the trust services category or categories included within the scope of the examination. ¶ 3.20]
    Testing Detective
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and Risk Management Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977
    [{description of the service organization's system} If the service auditor becomes aware that any identified deviations have resulted from fraud, the service auditor should assess the risk that the description does not present the system that was designed and implemented in accordance with the description criteria, the controls are not suitably designed, and, in a type 2 examination, the controls are not operating effectively. In addition, paragraph .33 of AT-C section 205 states that the service auditor should respond appropriately to fraud or suspected fraud and noncompliance or suspected noncompliance with laws or regulations affecting the subject matter that are identified during the engagement. Paragraph .A29 of AT-C section 205 indicates that in these circumstances (unless prohibited by law, regulation, or ethics standards), it may be appropriate for the service auditor to, for example, do the following: ¶ 3.158
    When evaluating the results of procedures, the service auditor investigates the nature and cause of any identified description misstatements and deficiencies or deviations in the effectiveness of controls and determines the following: Whether report users could be misled if the service auditor's opinion were not modified to reflect the identified deficiencies ¶ 3.185 Bullet 7
    {be material}{description of the service organization's system} As discussed in chapter 2, the service auditor has a responsibility to consider known or suspected incidents of fraud and noncompliance with laws or regulations. Such incidents may include, for example, the intentional bypassing of controls and the intentional misstatement of one or more aspects of the description. As discussed in paragraph 3.163, when a deficiency or deviation is the result of an intentional act, it is likely to be considered more material than a deficiency or deviation caused by an unintentional act, particularly if the intentional act was perpetrated by a member of senior management. The service auditor determines the effect of such incidents on the description; the suitability of design of controls; in a type 2 examination, the operating effectiveness of controls; and the service auditor's report. Additionally, the service auditor communicates such information to appropriate parties. ¶ 3.190]
    Process or Activity Detective
    Edit the audit assertion for accuracy. CC ID 07030
    [{not be suitable}{description of the service organization's system} If the service auditor determines that certain controls identified in the description have not been implemented, the service auditor may ask service organization management to delete those controls from the description. If management does not modify the description to remove the controls from the description, the service auditor should consider the effect of the misstatement on his or her conclusion about the description. Paragraph 4.70 presents a separate paragraph that would be added to the service auditor's report when the description includes controls that have not been implemented. In addition, when evaluating the suitability of the design and, in a type 2 examination, the operating effectiveness of the controls, the service auditor should consider whether the failure to implement those controls results in controls not being suitably designed. (Paragraph 3.156 discusses a situation in which controls do not operate during the period of the examination.) ¶ 3.23
    {Complementary User Entity Controls}{management assertion} In addition, service organization management would modify its assertion to reflect the modifications to the service auditor's report discussed in the preceding paragraph. Illustrative language is shown in boldface in the management assertion presented in appendix D-4, "Illustrative Type 2 Report (Including Management's Assertion, Service Auditor's Report, and the Description of the System)." ¶ 4.38
    {examination engagement}The responsibilities of management of the service organization toward the end of the engagement include the following: Modifying management's written assertion, if appropriate (see discussion beginning at paragraph 3.226) ¶ 2.29 Bullet 2
    {description of the service organization's system} As discussed in chapter 2, service organization management provides the service auditor with a written assertion about whether the description presents the system that was designed and implemented in accordance with the description criteria and whether the controls within the program were effective. Management's written assertion is generally expected to align with the service auditor's opinion by reflecting the same modifications. ¶ 3.226
    {description of the service organization's system}{audit evidence}{audit procedure}{risk assessment} Paragraph .34 of AT-C section 205 states that the service auditor's assessment of the risks of material misstatement may change during the course of the examination as additional evidence is obtained. If the service auditor obtains evidence from performing further procedures, or if new information is obtained (for example, the identification of a security breach that could affect the system under examination as discussed in paragraph 3.159), either of which is inconsistent with the evidence on which the service auditor originally based the assessment, the service auditor should revise the assessment and modify the planned procedures accordingly. Such further procedures may include asking service organization management to modify the description, as necessary. ¶ 3.181
    {be significant}{description of the service organization's system}{audit opinion} When performing the SOC 2® examination, the service auditor should also obtain an understanding of changes in the service organization's system implemented during the period covered by the examination. If the service auditor believes that the changes would be considered significant by the broad range of report users, the service auditor should determine whether those changes have been included in the description. The narrative discussing the change would be expected to contain an appropriate level of detail, including the date the change occurred and how the affected aspects of the system differed before and after the change. If such changes have not been included in the description, the service auditor may ask management to amend the description to include that information. If service organization management refuses to include this information in the description, the service auditor should consider the effect on his or her opinion on the description. ¶ 3.62
    {audit opinion}{description of the service organization's system} If the service auditor believes that the description is misstated or otherwise misleading, the service auditor ordinarily would ask service organization management to amend the description by including the omitted information or by revising the misstated information. If service organization management refuses to amend the description, the service auditor should consider the effect on his or her opinion about the description. ¶ 3.68
    {management assertion}{Controls Did Not Operate During the Period Covered by the Report}In these circumstances, service organization management and the service auditor would do the following: Service organization management would modify its assertion to identify which key processes did not operate during the period and indicate that they did not operate because the circumstances that warranted the operation of those processes and associated controls did not occur during the period. ¶ 4.86 Bullet 2
    {description of the service organization's system}{SOC 2 engagement}{audit opinion}{SOC 2 Report} Chapter 3 presents several situations in which the service auditor determines that the description is not presented in accordance with the description criteria, in all material respects. In practice, if the service auditor makes such a determination, the service auditor works with service organization management to make the necessary changes to the description for it to be presented in accordance with the description criteria. If management refuses to amend the description, the service auditor may decide to withdraw from the engagement. If the service auditor decides to continue with the engagement, the service auditor should modify the opinion paragraph of the report. ¶ 4.68
    {not be covered}{SOC 2 Report} Paragraph .57 of AT-C section 205 indicates that if a material misstatement of fact or a material inconsistency exists (as described in paragraph 3.09), the service auditor should discuss the matter with service organization management. The service auditor would ordinarily request that management correct or delete the other information. ¶ 4.101
    {description of the service organization's system} When considering materiality regarding the description, the service auditor considers whether misstatements or omissions in the description, individually or in the aggregate, could reasonably be expected to influence decisions of specified parties to the SOC 2® report. For example, in a SOC 2® examination on controls relevant to privacy, the service auditor may determine that the description fails to disclose a principal service commitment involving compliance with the European Union's General Data Protection Regulation, to which the service organization is subject. If the service auditor determines that such information could reasonably be expected to influence the decisions of SOC 2® report users, the service auditor may conclude that the omission of such information from the description results in a material misstatement. In that case, the service auditor would request that management amend the description by including the relevant information. ¶ 3.73]
    Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980
    [Paragraph 2.45 indicates that, as one of the preconditions of the SOC 2® examination, the service auditor should determine whether the subject matters are appropriate for the engagement. According to paragraph .A36 of AT-C section 105, one element of the appropriateness of the subject matters is the existence of a reasonable basis for measuring or evaluating the subject matters. ¶ 2.49
    During the SOC 2® examination, service organization management is responsible for the following: Having a reasonable basis for its assertion ¶ 2.26 Bullet 5
    {control at the service organization}The service auditor should obtain an understanding of the service organization's system, including controls within the system. That understanding should include the service organization's processes and procedures used to do the following: Assess the suitability of the design of the controls ¶ 2.110(c)
    {not be suitable}{description of the service organization's system} If the service auditor determines that certain controls identified in the description have not been implemented, the service auditor may ask service organization management to delete those controls from the description. If management does not modify the description to remove the controls from the description, the service auditor should consider the effect of the misstatement on his or her conclusion about the description. Paragraph 4.70 presents a separate paragraph that would be added to the service auditor's report when the description includes controls that have not been implemented. In addition, when evaluating the suitability of the design and, in a type 2 examination, the operating effectiveness of the controls, the service auditor should consider whether the failure to implement those controls results in controls not being suitably designed. (Paragraph 3.156 discusses a situation in which controls do not operate during the period of the examination.) ¶ 3.23
    {description of the service organization's system}{design effectiveness}{operating effectiveness} Activities of the internal audit function that may be relevant to the SOC 2® examination include those that provide information or evidence about whether the description is presented in accordance with the description criteria or whether controls were suitably designed and, in a type 2 examination, operating effectively. ¶ 2.133
    {description of the service organization's system} If the service organization uses the carve-out method for the services and controls of a subservice organization, the service auditor also evaluates whether the types of controls stated in the description and expected to be implemented at the subservice organization are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria (that is, whether the controls are CSOCs). If there are CSOCs, the service auditor should determine whether the CSOCs and the service organization's controls are suitably designed to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria, if such controls were operating effectively. For example, if the service organization is responsible for developing, testing, and approving program changes but has outsourced the actual implementation of the changes to a carved-out subservice organization, controls at the subservice organization are necessary to achieve the service organization's service commitments and system requirements based on trust services criterion CC8.1, The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. ¶ 3.152
    During the examination, the service auditor performs procedures to evaluate whether controls over vendors and business partners are suitably designed and, in a type 2 examination, operated effectively. ¶ 3.151
    {audit evidence}When designing and performing tests of controls, the service auditor should do the following: Determine whether the controls to be tested depend on other controls and, if so, whether it is necessary to obtain evidence supporting the operating effectiveness of those other controls. ¶ 3.115(b)
    {control design}{description of the service organization's system}{audit procedure} When assessing the risks of material misstatement, paragraph .15 of AT-C section 205 states that the service auditor should obtain an understanding of internal control, which, in the case of a SOC 2® examination, focuses on obtaining an understanding of controls over the preparation of the description, evaluating their design, and determining whether they have been implemented by making inquiries of the personnel responsible for the description and by performing other procedures. In addition, the service auditor should consider the controls, including monitoring activities that the service organization has designed and implemented, that provide reasonable assurance that the service organization's service commitments and system requirements are achieved. ¶ 2.121
    Because CSOCs are necessary, in combination with controls at the service organization, to provide reasonable assurance that one or more of the service organization's service commitments or system requirements are achieved based on the applicable trust services criteria, the service auditor also considers CSOCs when evaluating the suitability of design of controls, as discussed beginning at paragraph 3.152. ¶ 3.54
    {audit opinion}{description of the service organization's system}{were not operating effectively} If management includes in the description disclosures about identified system incidents as defined in description criterion DC4, the service auditor is likely to conclude that those incidents resulted from controls that were not suitably designed or operating effectively. In such instances, the service auditor would modify the opinion on suitability of design or operating effectiveness, or both. ¶ 3.35
    {design effectiveness}{operating effectiveness}{control at the service organization}Obtaining an understanding of the service organization's system, including related controls, assists the service auditor in the following: Understanding which controls are necessary to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria, whether the controls were suitably designed to achieve them, and, in a type 2 report, whether controls were operating effectively throughout the specified period to achieve them ¶ 2.113 Bullet 3
    {audit opinion}{audit evidence} Most of the service auditor's procedures in forming an opinion on the description and the suitability of controls and, in a type 2 examination, the operating effectiveness of controls consist of obtaining and evaluating evidence. Procedures to obtain evidence include inspection, observation, reperformance, and analytical procedures, often in some combination, in addition to inquiry. Chapter 3 provides additional guidance on performing examination procedures in the SOC 2® examination. ¶ 2.126
    As a responsible party, subservice organization management is also responsible for complying with the following based on AT-C section 205: Having a reasonable basis for its assertion ¶ 2.101 Bullet 2
    {be accurate}{be relevant}{description of the service organization's system} The description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and relevant to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria. When making this evaluation, the service auditor may review system documentation and contracts with user entities, make inquiries of service organization personnel, and perform other such procedures as he or she considers necessary. ¶ 3.41
    Reading contracts with user entities and business partners (such as performance or service level agreements), marketing materials distributed to user entities and business partners or posted on the service organization's website, and other available documentation to evaluate whether the controls the service organization has implemented are suitably designed to achieve the service organization's service commitments to those user entities (for example, reading service level agreements may help the service auditor understand the specific processing commitments made, including commitments related to the timeliness of processing, expected rates of error, or individuals who have access to confidential information) ¶ 3.59 Bullet 5 Sub-Bullet 2
    In contrast, a deficiency in the operation of a control exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A service organization may be able to correct a deficiency in the operation of a control, for example, by designating a more qualified individual to perform the control. However, if the design of the control is deficient, the control will not be effective regardless of who performs it. For that reason, the service auditor often would not test the operating effectiveness of a control that has a deficiency in design. Instead, the service auditor generally would consider the design of other controls that address the same risks. ¶ 3.102
    In some situations, two or more controls are suitably designed only when operating in conjunction with each other. In these situations, the service auditor evaluates the suitability of design and operating effectiveness of the controls together in order to reach a conclusion. ¶ 3.103
    {audit opinion}{be material}{description of the service organization's system} After performing the procedures and considering the guidance in paragraphs 3.79–3.105, the service auditor should accumulate instances in which controls were not suitably designed or were not properly implemented, which are considered deficiencies in the SOC 2® examination. As part of the evaluation, the service auditor should assess whether the controls have the ability, as designed, to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria. The service auditor should also consider the potential effect of other factors that may affect the opinion on the suitability of the design of controls, such as misstatements in the description or deficiencies in the operating effectiveness of controls. Generally, if controls are not suitably designed and implemented to provide reasonable assurance that one or more service commitments or system requirements were achieved based on the applicable trust services criteria, such deficiencies are considered material. Materiality considerations when evaluating the suitability of design of controls are discussed beginning in paragraph 3.161. ¶ 3.104
    Controls are suitably designed if they have the potential to meet the applicable trust services criteria, thereby enabling the service organization's controls to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. Suitably designed controls operate as designed by persons who have the necessary authority and competence to perform the controls. Controls that operate effectively provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria. ¶ 3.106
    {description of the service organization's system} Evaluating the suitability of the design of controls involves assessing whether the controls stated in the description are suitably designed to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. When making this evaluation, the service auditor does the following: ¶ 3.81
    {description of the service organization's system}{evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Alignment between the processes and controls stated in the description and the underlying system controls implemented by the service organization. If the description includes a particular control, it is likely that report users will presume that the control is material for the purposes of the SOC 2® examination. Similarly, report users are likely to expect that such controls, individually or in combination with other controls, support the processes and controls stated in the description; for this reason, they would ordinarily expect the service auditor to test and evaluate those controls as part of the evaluation of suitability of design and operating effectiveness. ¶ 3.163 Bullet 2
    Suitably designed controls, if complied with satisfactorily, provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria. Suitably designed controls operate as designed by persons who have the necessary authority and competence to perform the controls. Paragraph .15 of AT-C section 205 states that the service auditor's understanding of the controls within a system includes an evaluation of the design of controls and whether the controls have been implemented. ¶ 3.79
    AT-C section 205 does not address the need for additional language in certain situations unique to a SOC 2® examination that may affect report users' understanding of the subject matter and the examination. One of those situations occurs when service organization management assumes, during the design of the service organization's system controls, that user entities would apply certain controls. Such controls, known as CUECs, must be suitably designed and operating effectively. ¶ 4.36
    Another situation that affects the subject matter of the SOC 2® examination occurs when a service organization uses a subservice organization and service organization management assumes, in the design of the service organization's system, that the subservice organization would apply certain controls. Such controls, known as CSOCs, must be suitably designed and operating effectively. ¶ 4.39
    {audit evidence}When written representations are directly related to matters that are material to the subject matter, the service auditor should evaluate their reasonableness and consistency with other evidence obtained, including other representations (oral or written) made by service organization management, and ¶ 3.205(a)
    {pay attention} When a separate SOC 2® report exists for a subservice organization, obtaining and reading the SOC 2® report and paying particular attention to the CUECs identified by the subservice organization in the report helps the service auditor evaluate whether controls at the service organization are suitably designed. It also assists the service auditor in evaluating the CSOCs identified by service organization management and evaluating whether there are any CUECs identified in the subservice organization's SOC 2® report that are the responsibility of the service organization's user entities and that should be included in the service organization's description of its CUECs. ¶ 2.114
    {description of the service organization's system} During a walk-through, the service auditor may inquire about instances during the period in which controls did not operate as described or designed. In addition, the service auditor may inquire about variations in the process for different types of events or transactions. For example, the service organization's processing may take different forms, depending on how information is collected from user entities and business partners. Assume, for example, that the service organization receives transactions by mail, phone, fax, voice response unit, or via the internet. The service organization may design different controls related to the way the information is collected. An appropriately performed walk-through provides an opportunity to verify the service auditor's understanding of the flow of transactions and the design of the controls. If properly performed, walk-throughs may provide evidence about whether controls included in the description, individually or in combination with other controls, were suitably designed and implemented and, in a type 2 examination, operated effectively. ¶ 3.61
    {audit evidence} If the service organization uses the carve-out method for a subservice organization, the service auditor also evaluates whether the types of controls expected to be implemented at the subservice organization would, if operating effectively in combination with the controls at the service organization, provide reasonable assurance that the service organization's service commitments and system requirements were achieved. The service auditor also considers whether evidence exists that the service organization has communicated to the subservice organization the service organization's requirements with respect to the types of controls that are expected to be implemented and whether there is any evidence that deficiencies exist in either the suitability of the design or, in a type 2 examination, the operating effectiveness of controls at the subservice organization. Examples of procedures that may be performed to obtain such evidence include the following: ¶ 3.99
    A service organization's system of internal control is evaluated by using the trust services criteria to determine whether the service organization's controls provide reasonable assurance that its business objectives and sub-objectives are achieved. When a service organization provides services to user entities, its objectives and sub-objectives relate primarily to (a) the achievement of the service commitments made to user entities related to the system used to provide the services and the system requirements necessary to achieve those commitments, (b) compliance with laws and regulations regarding the provision of the services by the system, and (c) the achievement of the other objectives the service organization has for the system. These are referred to as the service organization's service commitments and system requirements. ¶ 1.44]
    Testing Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978
    [Factors that may be considered when determining whether the identified deviations may have a pervasive effect on other controls include the following: The extent to which deficiencies in certain key controls have a pervasive effect on other controls. For example, a service auditor is unlikely to issue an unmodified opinion on controls of a service organization that does not have effective controls over the detection of system events relevant to security. ¶ 3.187 Bullet 3
    {description of the service organization's system} If the service auditor becomes aware that any identified deviations have resulted from fraud, the service auditor should assess the risk that the description does not present the system that was designed and implemented in accordance with the description criteria, the controls are not suitably designed, and, in a type 2 examination, the controls are not operating effectively. In addition, paragraph .33 of AT-C section 205 states that the service auditor should respond appropriately to fraud or suspected fraud and noncompliance or suspected noncompliance with laws or regulations affecting the subject matter that are identified during the engagement. Paragraph .A29 of AT-C section 205 indicates that in these circumstances (unless prohibited by law, regulation, or ethics standards), it may be appropriate for the service auditor to, for example, do the following: ¶ 3.158
    When evaluating the results of procedures, the service auditor investigates the nature and cause of any identified description misstatements and deficiencies or deviations in the effectiveness of controls and determines the following: The magnitude of the effect of such deficiencies on the achievement of the service organization's service commitments and system requirements based on the applicable trust services criteria ¶ 3.185 Bullet 6
    {SOC 2 engagement}{audit opinion}{further evidence}{description of the service organization's system} The service auditor also evaluates the effect of such uncorrected description misstatements or deficiencies on the engagement and on the opinion. The service auditor may conclude that additional appropriate evidence is required to form a conclusion about the description, suitability of design of controls, or control effectiveness. In that case, the service auditor should design and perform additional procedures to obtain sufficient appropriate evidence. ¶ 4.11
    The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: The significance of a potential description misstatement or deficiency and the likelihood that it will have a material effect, individually or aggregated with other potential description misstatements and deficiencies, on the presentation of the description of the service organization's system, on the suitability of design of controls, or on the effectiveness of controls ¶ 4.09 Bullet 1
    {audit opinion}{be material}{description of the service organization's system} After performing the procedures and considering the guidance in paragraphs 3.79–3.105, the service auditor should accumulate instances in which controls were not suitably designed or were not properly implemented, which are considered deficiencies in the SOC 2® examination. As part of the evaluation, the service auditor should assess whether the controls have the ability, as designed, to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria. The service auditor should also consider the potential effect of other factors that may affect the opinion on the suitability of the design of controls, such as misstatements in the description or deficiencies in the operating effectiveness of controls. Generally, if controls are not suitably designed and implemented to provide reasonable assurance that one or more service commitments or system requirements were achieved based on the applicable trust services criteria, such deficiencies are considered material. Materiality considerations when evaluating the suitability of design of controls are discussed beginning in paragraph 3.161. ¶ 3.104
    Identified risks that may affect the achievement of the service organization's service commitments and system requirements also encompass fraud, such as management override of identified controls at the service organization, misappropriation of assets by service organization personnel, creation by service organization personnel of false or misleading documents or records, and inappropriate physical and logical access controls to information and the underlying infrastructure through social engineering attacks or similar measures. The service auditor should consider the risks of both fraud and errors when evaluating the suitability of the design of controls. ¶ 3.85
    {audit opinion}{description of the service organization's system}{be appropriate} The service auditor also considers the potential effect on the description of deficiencies or deviations in the suitability of the design or operating effectiveness of controls. If the service auditor determines that the effects of identified description misstatements, individually or in the aggregate, are material with respect to the description, based on consideration of materiality as discussed beginning in paragraph 3.72, the service auditor should modify the opinion on the description. When modifying the opinion, the service auditor's understanding of the nature and cause of the description misstatements and deficiencies enables the service auditor to determine how to appropriately modify the opinion. Chapter 4 discusses modifications of the service auditor's report. ¶ 3.71
    {be material}{description of the service organization's system} As discussed in chapter 2, the service auditor has a responsibility to consider known or suspected incidents of fraud and noncompliance with laws or regulations. Such incidents may include, for example, the intentional bypassing of controls and the intentional misstatement of one or more aspects of the description. As discussed in paragraph 3.163, when a deficiency or deviation is the result of an intentional act, it is likely to be considered more material than a deficiency or deviation caused by an unintentional act, particularly if the intentional act was perpetrated by a member of senior management. The service auditor determines the effect of such incidents on the description; the suitability of design of controls; in a type 2 examination, the operating effectiveness of controls; and the service auditor's report. Additionally, the service auditor communicates such information to appropriate parties. ¶ 3.190]
    Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985
    [{qualitative materiality}{audit procedure}{be appropriate} When establishing the overall strategy for and planning the examination, paragraph .16 of AT-C section 205 requires the service auditor to consider both qualitative and quantitative materiality factors. Due to the vast number of controls within even a small system, the service auditor needs to consider materiality to determine the nature, timing, and extent of procedures necessary to obtain sufficient appropriate evidence to support the service auditor's opinion in the SOC 2® examination. Adoption of an appropriate materiality allows the service auditor to prioritize testing efforts and supports an effective and efficient engagement. ¶ 2.104
    If the inclusive method is used, matters to be agreed on or coordinated by the service organization and the subservice organization include the following: For a type 2 examination, the timing of the tests of controls ¶ 2.98 Bullet 5
    The following are factors that are relevant to the service auditor's determination of the timing of tests of controls: The significance of the control being tested ¶ 3.131 Bullet 3
    {audit procedure}Other overall responses a service auditor may select to address the assessed risks of material misstatement include the following: Incorporating additional elements of unpredictability in the selection of procedures to be performed ¶ 3.03 Bullet 4
    The following are factors that are relevant to the service auditor's determination of the timing of tests of controls: The period of time during which the information will be available. For example, ¶ 3.131 Bullet 1
    {audit evidence}The following are factors that are relevant to the service auditor's determination of the timing of tests of controls: Whether the control leaves evidence of its operation and, if not, whether the control should be tested through observation ¶ 3.131 Bullet 2
    {be the same}{audit evidence}{audit item}{be consistent}{be appropriate} The service auditor's test of the precision of each review control may include evaluating the same aspects of the control to determine that the control operated the same way each time it was tested. The service auditor may need to determine whether the evidence gathered through the tests performed demonstrates that the review control consistently identifies appropriate items for follow-up and that matters identified for investigation are resolved in a timely manner. Without documented instances of the review control identifying appropriate items for follow-up, the service auditor may not have sufficient appropriate evidence that the review control operated as designed. ¶ 3.127 ¶ 1
    {audit sampling} For tests of controls using sampling, the service auditor determines the tolerable rate of deviation and uses that rate to determine the number of items to be selected for a particular sample. ¶ 3.145]
    Testing Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981
    [{control design}{description of the service organization's system}{audit procedure} When assessing the risks of material misstatement, paragraph .15 of AT-C section 205 states that the service auditor should obtain an understanding of internal control, which, in the case of a SOC 2® examination, focuses on obtaining an understanding of controls over the preparation of the description, evaluating their design, and determining whether they have been implemented by making inquiries of the personnel responsible for the description and by performing other procedures. In addition, the service auditor should consider the controls, including monitoring activities that the service organization has designed and implemented, that provide reasonable assurance that the service organization's service commitments and system requirements are achieved. ¶ 2.121
    {audit evidence} Determining whether the description of a service organization's system is presented in accordance with the description criteria involves, among other things, evaluating whether each control stated in the description has been implemented. Controls have been implemented when they have been placed in operation rather than existing only in the description. The service auditor's procedures to determine whether the controls stated in the description have been implemented may be similar to, and performed in conjunction with, procedures to obtain an understanding of the system as discussed in chapter 2, "Accepting and Planning a SOC 2® Report." In addition, the procedures described beginning in paragraph 3.59 may be performed to obtain evidence about whether the controls stated in the description have been implemented. ¶ 3.22
    {suitably designed control}When making this evaluation, the service auditor does the following: Determines that the controls have been implemented ¶ 3.81 Bullet 3
    Suitably designed controls, if complied with satisfactorily, provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria. Suitably designed controls operate as designed by persons who have the necessary authority and competence to perform the controls. Paragraph .15 of AT-C section 205 states that the service auditor's understanding of the controls within a system includes an evaluation of the design of controls and whether the controls have been implemented. ¶ 3.79
    {audit evidence} Performing walk-throughs provides evidence about whether the controls within the system have been implemented. Performing a walk-through involves making inquiries of service organization management and other personnel and requesting that they describe and demonstrate their actions in performing a procedure. Walk-through procedures include following a transaction, event, or activity from origination until final disposition through the service organization's system using the same documents used by service organization personnel. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and flowcharts, questionnaires, or decision tables to facilitate understanding the design of the controls. Such procedures enable the service auditor to gain a sufficient understanding of the controls to determine whether they have been implemented as stated in the description of the service organization's system. ¶ 3.60
    {audit evidence}{responsible individual} In the type 2 examination, the service auditor tests the operating effectiveness of the controls stated in the description based on the applicable trust services criteria. The service auditor performs procedures (known as tests of controls) to obtain evidence about the operating effectiveness of controls. Evidence from tests of controls usually relates to how the controls were applied, the consistency with which they were applied, and by whom or in what manner they were applied. When a service organization uses the inclusive method to present the services and controls of a subservice organization, the service auditor also applies tests of controls to the controls at the subservice organization. ¶ 3.107]
    Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [{control at the service organization} The service auditor should obtain an understanding of the service organization's system, including controls within the system. That understanding should include the service organization's processes and procedures used to do the following: In a type 2 examination, assess the operating effectiveness of controls ¶ 2.110(d)
    {SOC 2 examination}{be sufficient} The service auditor should test the operating effectiveness of the controls throughout the period covered by the examination and determine whether the control has occurred a sufficient number of times to be assessed as operating effectively. The following are examples of how this guidance may be applied by the service auditor: ¶ 3.135
    {description of the service organization's system}{design effectiveness}{operating effectiveness} Activities of the internal audit function that may be relevant to the SOC 2® examination include those that provide information or evidence about whether the description is presented in accordance with the description criteria or whether controls were suitably designed and, in a type 2 examination, operating effectively. ¶ 2.133
    During the examination, the service auditor performs procedures to evaluate whether controls over vendors and business partners are suitably designed and, in a type 2 examination, operated effectively. ¶ 3.151
    {control design}{description of the service organization's system}{audit procedure} When assessing the risks of material misstatement, paragraph .15 of AT-C section 205 states that the service auditor should obtain an understanding of internal control, which, in the case of a SOC 2® examination, focuses on obtaining an understanding of controls over the preparation of the description, evaluating their design, and determining whether they have been implemented by making inquiries of the personnel responsible for the description and by performing other procedures. In addition, the service auditor should consider the controls, including monitoring activities that the service organization has designed and implemented, that provide reasonable assurance that the service organization's service commitments and system requirements are achieved. ¶ 2.121
    {description of the service organization's system} The service auditor should understand the root cause of any identified deficiencies in entity-level controls and the impact they may have on the operating effectiveness of the related controls stated in the description. Ways in which a service auditor may respond to ineffective entity-level controls in a SOC 2® examination include the following: ¶ 2.130
    {be effective}{access control}{test of control} Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of the control operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by the program, is changed. Once the service auditor determines that an automated control is functioning as intended, which could be determined at the time the control is initially implemented or at some other date, the service auditor should perform tests to determine that the control continues to function effectively. Such tests ordinarily would include determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for processing transactions, and that other relevant IT general controls are effective. In instances where the automated control is configurable, the service auditor should perform procedures to evaluate the configuration. Such procedures may include obtaining an understanding of the configuration process, performing procedures to test the completeness and accuracy of the configuration parameters, and evaluating the controls over access to alter the configuration. If the control is tested in an environment other than the production environment, the service auditor may need to assess the risk that the functionality of the control in the production environment differs from that in the non-production environment and perform procedures to determine that the environment being tested matches that of the production environment. ¶ 3.138
    {design effectiveness}{operating effectiveness}{control at the service organization}Obtaining an understanding of the service organization's system, including related controls, assists the service auditor in the following: Understanding which controls are necessary to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria, whether the controls were suitably designed to achieve them, and, in a type 2 report, whether controls were operating effectively throughout the specified period to achieve them ¶ 2.113 Bullet 3
    A service organization may have more than one control that addresses a risk that would prevent the service organization from achieving one or more of its service commitments and system requirements. In such situations, if a deficiency exists in the suitability of design of one control, another control may be suitably designed. In that case, the service auditor should perform procedures to test the operating effectiveness of the suitably designed control, identify the control that was tested in the description of tests of controls and results, and determine the effect of the results of those procedures on the service auditor's report. ¶ 3.114
    When performing the type 2 examination, the service auditor should test the operating effectiveness of controls that service organization management stated in the description of the service organization's system. By including those controls in the description, service organization management has identified them as part of the system of internal control that provides reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. ¶ 3.112
    The service auditor's understanding of the service organization's system and related controls should be sufficient to enable the service auditor to do the following: Identify and assess the risks that in a type 2 examination, the controls did not operate effectively throughout the specified period to provide reasonable assurance that the service organization's service commitments and system requirements would be achieved. ¶ 2.120 Bullet 1 Sub-Bullet 3
    {audit procedure}{audit evidence}{description of the service organization's system} In contrast, deficiencies in entity-level controls often have a pervasive effect on other controls. If the service auditor determines that certain entity-level controls did not operate effectively, the service auditor may be able to adjust the nature, timing, and extent of procedures performed to obtain evidence about whether the controls stated in the description were effective. In some situations, however, deficiencies in the operation of entity-level controls may lead the service auditor to conclude that controls did not operate effectively. For example, consider a service organization that has been unable to retain knowledgeable employees. In that situation, the service auditor may decide to increase the extent of testing of controls that prevent and detect system incidents (for example, inspection of security configurations and event management scan logs) to obtain sufficient appropriate evidence about whether the controls stated in the description operated effectively. ¶ 2.129
    {be ineffective} Assessment of the risks of material misstatement is affected by many factors, including materiality considerations (see paragraph 3.05) and the service auditor's understanding of the effectiveness of the control environment or other components of internal control related to the service provided to user entities and business partners. Aspects of the control environment or other components of internal control may enhance or mitigate the effectiveness of specific system controls. Conversely, ineffective aspects of the control environment or other components of the service organization's internal control may cause the service auditor to design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the higher assessed risks related to the ineffective aspects of the control environment or other components of internal control. ¶ 3.01
    {audit evidence}{be available}{audit opinion} There may be instances in which evidence that would have demonstrated the operating effectiveness of a control may be lost, misplaced, or inadvertently deleted by the service organization. In such instances, the service auditor evaluates the type of evidence available and whether the operating effectiveness of the control can be tested through other procedures, such as observation, that would provide sufficient appropriate evidence throughout the period. However, depending on the control activity and its significance, tests such as observation may not alone provide sufficient appropriate evidence. If such tests do not provide sufficient evidence, the service auditor should consider whether other controls are operating effectively. If one or more of the criteria are not met, the service auditor should modify the opinion. When modifying the opinion, the service auditor should consider whether the deficiency results from a failure of the control to operate effectively or from the inadvertent destruction of evidence (for example, the destruction of the computer hard disk on which the evidence was stored). ¶ 3.119
    When evaluating the results of procedures, the service auditor investigates the nature and cause of any identified description misstatements and deficiencies or deviations in the effectiveness of controls and determines the following: Whether a previously tested control (or combination of controls) provides sufficient appropriate evidence about whether controls operated effectively or ¶ 3.185 Bullet 5 Sub-Bullet 1
    In some situations, two or more controls are suitably designed only when operating in conjunction with each other. In these situations, the service auditor evaluates the suitability of design and operating effectiveness of the controls together in order to reach a conclusion. ¶ 3.103
    Controls are suitably designed if they have the potential to meet the applicable trust services criteria, thereby enabling the service organization's controls to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. Suitably designed controls operate as designed by persons who have the necessary authority and competence to perform the controls. Controls that operate effectively provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria. ¶ 3.106
    {stipulated time frame} The type of control being tested may affect the nature, timing, and extent of the testing performed by the service auditor. For example, for some controls, operating effectiveness is evidenced by documentation. In such circumstances, the service auditor may inspect the documentation. Other controls may not leave evidence of their operation that can be tested at a later date, and accordingly, the service auditor may need to test the operating effectiveness of such controls at various times throughout the specified period. ¶ 3.118
    {SOC 2 report}{description of the service organization's system} If the service auditor has identified design deficiencies, the service auditor generally would not test the operating effectiveness of those controls. However, in certain circumstances, report users may expect management to identify the control in the description and may expect the service auditor to perform tests of the control. In such situations, the service auditor may choose to perform such testing and include the results of the testing in the report. ¶ 3.109
    AT-C section 205 does not address the need for additional language in certain situations unique to a SOC 2® examination that may affect report users' understanding of the subject matter and the examination. One of those situations occurs when service organization management assumes, during the design of the service organization's system controls, that user entities would apply certain controls. Such controls, known as CUECs, must be suitably designed and operating effectively. ¶ 4.36
    Another situation that affects the subject matter of the SOC 2® examination occurs when a service organization uses a subservice organization and service organization management assumes, in the design of the service organization's system, that the subservice organization would apply certain controls. Such controls, known as CSOCs, must be suitably designed and operating effectively. ¶ 4.39
    {audit evidence}{responsible individual} In the type 2 examination, the service auditor tests the operating effectiveness of the controls stated in the description based on the applicable trust services criteria. The service auditor performs procedures (known as tests of controls) to obtain evidence about the operating effectiveness of controls. Evidence from tests of controls usually relates to how the controls were applied, the consistency with which they were applied, and by whom or in what manner they were applied. When a service organization uses the inclusive method to present the services and controls of a subservice organization, the service auditor also applies tests of controls to the controls at the subservice organization. ¶ 3.107
    Often the service organization's system of internal control includes monitoring activities and system reports for management that permit management to continuously or periodically monitor the operating effectiveness of controls. Management may also make use of internal audit evaluations as part of its assessment of the effectiveness of controls. Finally, management may periodically perform specific procedures to assess the effectiveness of controls through controls self-assessment programs and functions that are responsible for testing the effectiveness of controls. In most cases, management will use a combination of the various assessment techniques. Most controls assessment techniques include documentation of their performance, permitting the service auditor to inspect the documentation as part of obtaining an understanding of the system. ¶ 2.119
    In addition to procedures to directly test the operating effectiveness of a control, the service auditor may also perform procedures to indirectly obtain evidence about whether the control functioned to prevent or detect errors and fraud. For example, when testing the operating effectiveness of vulnerability scanning controls, the service auditor may use his or her own vulnerability scanning tool to detect unidentified vulnerabilities to assess the operating effectiveness of those controls. By comparing the results of the independent vulnerability scan to the results of the service organization's vulnerability scanning control, the service auditor can evaluate the effectiveness of the control. As another example, the service auditor might obtain a listing of the system incidents identified throughout the period and compare the vulnerabilities exploited to the controls implemented to identify deficiencies in the design or operation of the related control activities. This testing can be used to identify deficiencies in specific controls designed to prevent or detect those incidents in a timely manner, permitting the service auditor to evaluate the effectiveness of the specific controls. ¶ 3.120]
    Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157
    [{be different}{be ineffective} In performing his or her procedures, the service auditor may become aware of a system incident that has affected a system of the service organization that is not the system under examination. For example, the service organization may experience a breach in an IT system that is not a component of the system under examination. In such situations, the service auditor needs to understand the nature and cause of the breach because it may have occurred as a result of ineffective controls shared between the service organization's systems. If that is the case, the service auditor should reconsider the assessment of the risk of material misstatement. In addition, if the system incident is related to a security breach, the service auditor should consider whether the inherent risks of the environment connected to the system are significantly different than what was originally assessed, or whether controls within the system may have been compromised due to an advanced persistent threat that has not been detected. As a result of the reassessment of risk, the service auditor may determine that additional procedures need to be performed or that management needs to identify additional controls that are suitably designed and operating effectively in order to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. ¶ 3.159
    {evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Performance indicators related to event occurrence, detection, and remediation. The service organization's performance indicators about an event (such as the mean time from first occurrence to detection and the mean time from detection to remediation) may be indicative of challenges in the design or operating effectiveness of system controls; accordingly, such factors may affect materiality judgments. ¶ 3.163 Bullet 6
    In addition to procedures to directly test the operating effectiveness of a control, the service auditor may also perform procedures to indirectly obtain evidence about whether the control functioned to prevent or detect errors and fraud. For example, when testing the operating effectiveness of vulnerability scanning controls, the service auditor may use his or her own vulnerability scanning tool to detect unidentified vulnerabilities to assess the operating effectiveness of those controls. By comparing the results of the independent vulnerability scan to the results of the service organization's vulnerability scanning control, the service auditor can evaluate the effectiveness of the control. As another example, the service auditor might obtain a listing of the system incidents identified throughout the period and compare the vulnerabilities exploited to the controls implemented to identify deficiencies in the design or operation of the related control activities. This testing can be used to identify deficiencies in specific controls designed to prevent or detect those incidents in a timely manner, permitting the service auditor to evaluate the effectiveness of the specific controls. ¶ 3.120
    {audit evidence}The service auditor may perform a variety of procedures to obtain evidence about whether the description presents the system that was designed and implemented in accordance with the description criteria, including a combination of the following: Reading internal audit reports, third-party assessments, audit committee presentations, and other documentation related to the service organization's monitoring activities, system incidents, or investigative activities ¶ 3.59 Bullet 10]
    Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156
    [{original time period}{audit evidence}In making a determination about the nature and extent of the additional evidence needed for the extended or modified period, the service auditor may consider the following: The specific controls that were tested during the portion of the original report period included in the extended or modified period and the nature and extent of the evidence obtained for that period ¶ 2.84 Bullet 3
    If (a) the service auditor is unable to test the superseded control (for example, because the control does not leave evidence of its operation after a period of time or because the service auditor was engaged after the control was superseded) and (b) the control is relevant to the achievement of the service organization's service commitments and system requirements based on the applicable trust services criteria, the service auditor should disclose that fact in the description of tests and results and determine the effect on the service auditor's report. If the circumstances result in a scope limitation, the service auditor should modify the service auditor's opinion. (See the relevant paragraphs within paragraphs .68–.84 of AT-C section 205 for reporting requirements when the service auditor is unable to obtain sufficient appropriate evidence.) Paragraph 4.85 of this guide presents an example of a separate paragraph that would be added to the service auditor's report when a scope limitation related to the operating effectiveness of controls exists. ¶ 3.141
    {evaluate}{suitability of design}Qualitative factors the service auditor considers include the following: Threats related to prior periods. An identified threat or vulnerability in a prior period may affect the service auditor's conclusion about the suitability of design and operating effectiveness of controls for the current period. ¶ 3.163 Bullet 8
    {audit procedure}{SOC 2 engagement} Sufficient appropriate evidence is primarily obtained from procedures performed during the engagement. It may, however, also include information obtained from other sources, such as previous engagements (provided the service auditor has determined whether changes have occurred since the previous engagement that may affect its relevance to the current engagement) or a firm's quality control procedures for client acceptance and continuance. Rates of error in testing may be used in assessing the risks of material misstatement and determining the extent of testing. ¶ 4.05
    {description of the service organization's system}{audit procedure}{SOC 2 examination} When obtaining an understanding of the internal audit function's responsibilities and activities, the service auditor makes inquiries of internal audit personnel and reads information about the internal audit function stated in the description. Ordinarily, the service auditor also requests and reads any relevant internal audit reports related to the period covered by the examination. For example, reading the internal audit plan and reports issued by the internal audit function enables the service auditor to understand the nature of the internal audit function's responsibilities and how the internal audit function fits into the service organization's structure. Additionally, any findings in internal audit reports that relate to the presentation of the description or the suitability of design of controls or, in a type 2 examination, the operating effectiveness of controls should be taken into consideration as part of the risk assessment and in determining the nature, timing, and extent of the service auditor's planned procedures. ¶ 2.136
    The service auditor's risk assessment procedures to obtain an understanding of the service organization's system may include the following, usually in some combination: Reading relevant reports received from regulators ¶ 2.115 Bullet 5
    Often the service organization's system of internal control includes monitoring activities and system reports for management that permit management to continuously or periodically monitor the operating effectiveness of controls. Management may also make use of internal audit evaluations as part of its assessment of the effectiveness of controls. Finally, management may periodically perform specific procedures to assess the effectiveness of controls through controls self-assessment programs and functions that are responsible for testing the effectiveness of controls. In most cases, management will use a combination of the various assessment techniques. Most controls assessment techniques include documentation of their performance, permitting the service auditor to inspect the documentation as part of obtaining an understanding of the system. ¶ 2.119
    {audit evidence} Although a service organization can contract with a subservice organization to perform functions that form a portion of the service organization's system, it still retains obligations to user entities with regard to those functions. As a result, part of its system of internal control includes activities to manage the risks associated with vendors and business partners, including activities to manage the risks associated with the functions performed by the subservice organization. In evaluating the suitability of the design and operating effectiveness of controls, the service auditor considers the nature and extent of the service organization's monitoring controls when determining the nature, timing, and extent of testing to perform. For example, if the service organization has obtained a type 2 report from a subservice organization, the service auditor would review the report to determine whether management has adequately evaluated it by assessing (a) the relevance of the system description and CSOCs to the service organization's system and (b) any deviations requiring further evaluation and response by service organization management. If service organization management has been unable to obtain a type 2 report, the service auditor should consider whether management has directly tested the subservice organization's controls by obtaining evidence about the effectiveness of the subservice organization's controls. However, unless the service auditor is reperforming management's tests of the subservice organization's controls, the service auditor's performance of tests directly on the subservice organization's controls would not provide evidence about the suitability of the design and operating effectiveness of the service organization's controls. In any event, the service auditor should obtain sufficient appropriate evidence of the effectiveness of the CSOCs. In addition, the service auditor needs to consider whether the subservice organization's use of its own IT system and connections to the service organization's IT network represents new vulnerabilities that need to be assessed and addressed as part of the service organization's risk assessment. ¶ 3.154
    {audit evidence}The service auditor may perform a variety of procedures to obtain evidence about whether the description presents the system that was designed and implemented in accordance with the description criteria, including a combination of the following: Reading internal audit reports, third-party assessments, audit committee presentations, and other documentation related to the service organization's monitoring activities, system incidents, or investigative activities ¶ 3.59 Bullet 10]
    Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155
    [{control at the service organization} The service auditor should obtain an understanding of the service organization's system, including controls within the system. That understanding should include the service organization's processes and procedures used to do the following: Identify the controls designed to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria ¶ 2.110(b)
    As part of evaluating and testing the design of a review control, the service auditor may need to consider obtaining a sufficient understanding and documenting conclusions about the following matters: How the control is performed, including the specific steps involved in executing the review ¶ 3.127 Bullet 1
    {audit evidence}The service auditor may perform a variety of procedures to obtain evidence about whether the description presents the system that was designed and implemented in accordance with the description criteria, including a combination of the following: Observing controls or other activities performed by service organization personnel ¶ 3.59 Bullet 6
    {control design}{description of the service organization's system}{audit procedure} When assessing the risks of material misstatement, paragraph .15 of AT-C section 205 states that the service auditor should obtain an understanding of internal control, which, in the case of a SOC 2® examination, focuses on obtaining an understanding of controls over the preparation of the description, evaluating their design, and determining whether they have been implemented by making inquiries of the personnel responsible for the description and by performing other procedures. In addition, the service auditor should consider the controls, including monitoring activities that the service organization has designed and implemented, that provide reasonable assurance that the service organization's service commitments and system requirements are achieved. ¶ 2.121
    {audit evidence} Determining whether the description of a service organization's system is presented in accordance with the description criteria involves, among other things, evaluating whether each control stated in the description has been implemented. Controls have been implemented when they have been placed in operation rather than existing only in the description. The service auditor's procedures to determine whether the controls stated in the description have been implemented may be similar to, and performed in conjunction with, procedures to obtain an understanding of the system as discussed in chapter 2, "Accepting and Planning a SOC 2® Report." In addition, the procedures described beginning in paragraph 3.59 may be performed to obtain evidence about whether the controls stated in the description have been implemented. ¶ 3.22
    {audit evidence}The following are factors that are relevant to the service auditor's determination of the timing of tests of controls: Whether the control leaves evidence of its operation and, if not, whether the control should be tested through observation ¶ 3.131 Bullet 2
    {audit evidence}When designing and performing tests of controls, the service auditor should do the following: Make inquiries and perform other procedures such as inspection (for example, of documents, reports, or electronic files), observation (for example, of the application of the control), or reperformance, to obtain evidence about the following: ¶ 3.115(a)
    {printed record}The service auditor's risk assessment procedures to obtain an understanding of the service organization's system may include the following, usually in some combination: Observing operations and inspecting documents, reports, and printed and electronic records of transaction processing ¶ 2.115 Bullet 2
    {audit evidence} Performing walk-throughs provides evidence about whether the controls within the system have been implemented. Performing a walk-through involves making inquiries of service organization management and other personnel and requesting that they describe and demonstrate their actions in performing a procedure. Walk-through procedures include following a transaction, event, or activity from origination until final disposition through the service organization's system using the same documents used by service organization personnel. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and flowcharts, questionnaires, or decision tables to facilitate understanding the design of the controls. Such procedures enable the service auditor to gain a sufficient understanding of the controls to determine whether they have been implemented as stated in the description of the service organization's system. ¶ 3.60]
    Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154
    [{control design}{description of the service organization's system}{audit procedure} When assessing the risks of material misstatement, paragraph .15 of AT-C section 205 states that the service auditor should obtain an understanding of internal control, which, in the case of a SOC 2® examination, focuses on obtaining an understanding of controls over the preparation of the description, evaluating their design, and determining whether they have been implemented by making inquiries of the personnel responsible for the description and by performing other procedures. In addition, the service auditor should consider the controls, including monitoring activities that the service organization has designed and implemented, that provide reasonable assurance that the service organization's service commitments and system requirements are achieved. ¶ 2.121
    As part of evaluating and testing the design of a review control, the service auditor may need to consider obtaining a sufficient understanding and documenting conclusions about the following matters: What the control owner considered when performing the review ¶ 3.127 Bullet 2
    {be accurate}{be relevant}{description of the service organization's system} The description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and relevant to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria. When making this evaluation, the service auditor may review system documentation and contracts with user entities, make inquiries of service organization personnel, and perform other such procedures as he or she considers necessary. ¶ 3.41
    {audit evidence}When designing and performing tests of controls, the service auditor should do the following: Make inquiries and perform other procedures such as inspection (for example, of documents, reports, or electronic files), observation (for example, of the application of the control), or reperformance, to obtain evidence about the following: ¶ 3.115(a)
    {audit evidence} Performing walk-throughs provides evidence about whether the controls within the system have been implemented. Performing a walk-through involves making inquiries of service organization management and other personnel and requesting that they describe and demonstrate their actions in performing a procedure. Walk-through procedures include following a transaction, event, or activity from origination until final disposition through the service organization's system using the same documents used by service organization personnel. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and flowcharts, questionnaires, or decision tables to facilitate understanding the design of the controls. Such procedures enable the service auditor to gain a sufficient understanding of the controls to determine whether they have been implemented as stated in the description of the service organization's system. ¶ 3.60
    {audit evidence}{suitably designed control}To supplement such evidence and other information, the service auditor generally performs a combination of the following procedures: Inquiry of service organization personnel about the design and operation of applicable controls and the types of system events that have occurred or that may occur ¶ 3.96 Bullet 1
    {description of the service organization's system} During a walk-through, the service auditor may inquire about instances during the period in which controls did not operate as described or designed. In addition, the service auditor may inquire about variations in the process for different types of events or transactions. For example, the service organization's processing may take different forms, depending on how information is collected from user entities and business partners. Assume, for example, that the service organization receives transactions by mail, phone, fax, voice response unit, or via the internet. The service organization may design different controls related to the way the information is collected. An appropriately performed walk-through provides an opportunity to verify the service auditor's understanding of the flow of transactions and the design of the controls. If properly performed, walk-throughs may provide evidence about whether controls included in the description, individually or in combination with other controls, were suitably designed and implemented and, in a type 2 examination, operated effectively. ¶ 3.61]
    Audits and Risk Management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522
    Process or Activity Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144
    [Factors that may be considered when determining whether the identified deviations may have a pervasive effect on other controls include the following: The effect that entity-level controls have on the operation of other controls. Deviations in entity-level controls often have a pervasive effect on other controls. ¶ 3.187 Bullet 1
    {audit procedure}When evaluating the results of procedures, the service auditor investigates the nature and cause of any identified description misstatements and deficiencies or deviations in the effectiveness of controls and determines the following: If deviations are within the expected rate of deviation, whether the procedures that have been performed provide an appropriate basis for concluding that the control operated effectively throughout the specified period ¶ 3.185 Bullet 3
    {audit procedure}{SOC 2 engagement} Sufficient appropriate evidence is primarily obtained from procedures performed during the engagement. It may, however, also include information obtained from other sources, such as previous engagements (provided the service auditor has determined whether changes have occurred since the previous engagement that may affect its relevance to the current engagement) or a firm's quality control procedures for client acceptance and continuance. Rates of error in testing may be used in assessing the risks of material misstatement and determining the extent of testing. ¶ 4.05
    {audit evidence}{suitably designed control}To supplement such evidence and other information, the service auditor generally performs a combination of the following procedures: Inspection of documents produced by the service organization ¶ 3.96 Bullet 2
    {audit evidence}{suitably designed control}{control activity}To supplement such evidence and other information, the service auditor generally performs a combination of the following procedures: Performing additional walk-throughs of control-activity-related policies and procedures ¶ 3.96 Bullet 3
    Suitably designed controls, if complied with satisfactorily, provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria. Suitably designed controls operate as designed by persons who have the necessary authority and competence to perform the controls. Paragraph .15 of AT-C section 205 states that the service auditor's understanding of the controls within a system includes an evaluation of the design of controls and whether the controls have been implemented. ¶ 3.79
    {stipulated time frame} The type of control being tested may affect the nature, timing, and extent of the testing performed by the service auditor. For example, for some controls, operating effectiveness is evidenced by documentation. In such circumstances, the service auditor may inspect the documentation. Other controls may not leave evidence of their operation that can be tested at a later date, and accordingly, the service auditor may need to test the operating effectiveness of such controls at various times throughout the specified period. ¶ 3.118
    {printed record}The service auditor's risk assessment procedures to obtain an understanding of the service organization's system may include the following, usually in some combination: Observing operations and inspecting documents, reports, and printed and electronic records of transaction processing ¶ 2.115 Bullet 2
    {audit evidence} Performing walk-throughs provides evidence about whether the controls within the system have been implemented. Performing a walk-through involves making inquiries of service organization management and other personnel and requesting that they describe and demonstrate their actions in performing a procedure. Walk-through procedures include following a transaction, event, or activity from origination until final disposition through the service organization's system using the same documents used by service organization personnel. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and flowcharts, questionnaires, or decision tables to facilitate understanding the design of the controls. Such procedures enable the service auditor to gain a sufficient understanding of the controls to determine whether they have been implemented as stated in the description of the service organization's system. ¶ 3.60
    Often the service organization's system of internal control includes monitoring activities and system reports for management that permit management to continuously or periodically monitor the operating effectiveness of controls. Management may also make use of internal audit evaluations as part of its assessment of the effectiveness of controls. Finally, management may periodically perform specific procedures to assess the effectiveness of controls through controls self-assessment programs and functions that are responsible for testing the effectiveness of controls. In most cases, management will use a combination of the various assessment techniques. Most controls assessment techniques include documentation of their performance, permitting the service auditor to inspect the documentation as part of obtaining an understanding of the system. ¶ 2.119
    When using evidence and other information to evaluate the suitability of the design of the controls within the system, the service auditor should consider the following information about the controls: The tasks within the control being performed and the precision and sensitivity of those tasks (for example, the results of reviews and related follow-up activities) ¶ 3.98 Bullet 3]
    Audits and Risk Management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556
    Audits and Risk Management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555
    Audits and Risk Management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990
    [{description of the service organization's system}{design effectiveness}{SOC 2 examination} When considering materiality, the service auditor typically considers whether misstatements in the description or deficiencies in the suitability of design of controls or, in a type 2 examination, the operating effectiveness of controls, could reasonably be expected to influence the relevant decisions made by the broad range of report users discussed in chapter 1. However, if the examination has been designed to meet the informational needs of a specific subset of such SOC 2® report users (and the report is restricted to those specific users), the service auditor considers the possible effect of such misstatements on the decisions that may be made by that specific subset of report users. ¶ 2.108
    {description of the service organization's system}An understanding of the service organization's process for preparing the description may assist the service auditor in determining the likelihood of such misstatements, and ¶ 2.117 Bullet 2
    When considering materiality regarding the description, the service auditor should consider whether description misstatements (including omissions), individually or in the aggregate, could reasonably be expected to influence relevant decisions of the broad range of report users. Paragraph 3.67 discusses materiality considerations when evaluating whether the description presents the system that was designed and implemented in accordance with the description criteria. ¶ 3.07
    {not be suitable}{description of the service organization's system} If the service auditor determines that certain controls identified in the description have not been implemented, the service auditor may ask service organization management to delete those controls from the description. If management does not modify the description to remove the controls from the description, the service auditor should consider the effect of the misstatement on his or her conclusion about the description. Paragraph 4.70 presents a separate paragraph that would be added to the service auditor's report when the description includes controls that have not been implemented. In addition, when evaluating the suitability of the design and, in a type 2 examination, the operating effectiveness of the controls, the service auditor should consider whether the failure to implement those controls results in controls not being suitably designed. (Paragraph 3.156 discusses a situation in which controls do not operate during the period of the examination.) ¶ 3.23
    {quantitative analysis}{audit result}{audit procedure}{description of the service organization's system}{do not operate effectively} The service auditor evaluates the results of all procedures performed and conducts both a quantitative (for example, rates of deviations in testing a control using a sample-based testing strategy) and qualitative analysis of whether identified description misstatements and deficiencies in the suitability of design and, in a type 2 examination, deviations in the operating effectiveness of controls result in a description that is not presented in accordance with the description criteria or in controls that are not suitably designed or operating effectively. As an example, assume that, when investigating the follow-up and resolution of two identified system incidents, the service auditor determined that the resolution took longer than the management-prescribed resolution requirement to complete, but that difference was not material (for example, final resolution took two days longer than prescribed). In such an instance, the service auditor may conclude that the deficiencies were not material. However, if the service auditor's testing determined that entity personnel failed to follow up at all for the two instances, he or she might conclude that the controls were not effective in achieving one or more service commitments or system requirements based on the applicable trust services criteria. ¶ 3.184
    {report user}When evaluating the results of procedures, the service auditor investigates the nature and cause of any identified description misstatements and deficiencies or deviations in the effectiveness of controls and determines the following: Whether the identified description misstatements result in either the failure to meet one or more of the description criteria or in a presentation that could be misunderstood by users if the service auditor's opinion were not modified to reflect the identified description misstatements ¶ 3.185 Bullet 1
    {audit opinion}When forming an opinion, paragraph .59 of AT-C section 205, Examination Engagements, requires the service auditor to evaluate whether uncorrected misstatements are material, individually or in the aggregate. ¶ 4.04(b)
    {SOC 2 engagement}{audit opinion}{further evidence}{description of the service organization's system} The service auditor also evaluates the effect of such uncorrected description misstatements or deficiencies on the engagement and on the opinion. The service auditor may conclude that additional appropriate evidence is required to form a conclusion about the description, suitability of design of controls, or control effectiveness. In that case, the service auditor should design and perform additional procedures to obtain sufficient appropriate evidence. ¶ 4.11
    {not be covered}{SOC 2 Report}Paragraph .57 of AT-C section 205 indicates that if, prior to or after the release of the service auditor's report, the service auditor is willing to permit the inclusion of the service auditor's report in a document that contains the description of the service organization's system or management's assertion and other information, the service auditor should read the other information to identify the following: Material inconsistencies with the description of the service organization's system, management's assertion, or the service auditor's report ¶ 4.100(a)
    The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: The significance of a potential description misstatement or deficiency and the likelihood that it will have a material effect, individually or aggregated with other potential description misstatements and deficiencies, on the presentation of the description of the service organization's system, on the suitability of design of controls, or on the effectiveness of controls ¶ 4.09 Bullet 1
    {audit procedure}The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: The results of procedures performed, including whether such procedures identified specific description misstatements and deficiencies ¶ 4.09 Bullet 4
    {be material}{audit opinion}{description of the service organization's system}{operating effectiveness} When evaluating the results of tests of controls and the significance of deviations noted, the service auditor should accumulate instances in which controls did not operate effectively. Generally, if controls are not operating effectively to provide reasonable assurance that one or more service commitments or system requirements were achieved based on the applicable trust services criteria, the deficiency is considered material. The service auditor also considers the potential impact of other factors that may affect the opinion on the operating effectiveness of controls, such as misstatements in the description or deficiencies noted in the suitability of the design of controls. ¶ 3.157
    {description of the service organization's system}{be inappropriate}{audit opinion} In such a situation, the service auditor should discuss the matter with service organization management. If service organization management is unwilling to revise the service commitments and system requirements to address the service auditor's concerns, the service auditor should consider the effect on his or her opinion. Because the service commitments and system requirements need to be appropriate to enable both service organization management and the service auditor to evaluate whether system controls are suitably designed and, in a type 2 examination, operating effectively, the lack of appropriate service commitments and system requirements is likely to have a pervasive effect on the SOC 2® examination. Accordingly, it is likely that the service auditor would express an adverse opinion on the description, the suitability of controls, and, in a type 2 examination, the operating effectiveness of controls. Expressing an adverse opinion in a SOC 2® examination is discussed beginning in paragraph 4.54. ¶ 3.29
    When determining the type of modified opinion to be issued, the service auditor evaluates whether identified (a) description misstatements (including omissions) or (b) deficiencies or deviations in the suitability of the design and operating effectiveness of the controls are material. Materiality considerations related to the description are discussed beginning in paragraph 3.72, and considerations related to the suitability of design and operating effectiveness of controls are discussed beginning in paragraph 3.161. ¶ 4.46
    When determining whether to modify the service auditor's report, the service auditor considers the individual and aggregate effect of identified misstatements in the description of the service organization's system and identified deficiencies or deviations in the suitability of the design and operating effectiveness of the controls throughout the specified period. Chapter 3 discusses materiality, including the quantitative and qualitative factors the service auditor considers, in further detail. ¶ 4.50
    {audit opinion}{be material}{description of the service organization's system} After performing the procedures and considering the guidance in paragraphs 3.79–3.105, the service auditor should accumulate instances in which controls were not suitably designed or were not properly implemented, which are considered deficiencies in the SOC 2® examination. As part of the evaluation, the service auditor should assess whether the controls have the ability, as designed, to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria. The service auditor should also consider the potential effect of other factors that may affect the opinion on the suitability of the design of controls, such as misstatements in the description or deficiencies in the operating effectiveness of controls. Generally, if controls are not suitably designed and implemented to provide reasonable assurance that one or more service commitments or system requirements were achieved based on the applicable trust services criteria, such deficiencies are considered material. Materiality considerations when evaluating the suitability of design of controls are discussed beginning in paragraph 3.161. ¶ 3.104
    Identified risks that may affect the achievement of the service organization's service commitments and system requirements also encompass fraud, such as management override of identified controls at the service organization, misappropriation of assets by service organization personnel, creation by service organization personnel of false or misleading documents or records, and inappropriate physical and logical access controls to information and the underlying infrastructure through social engineering attacks or similar measures. The service auditor should consider the risks of both fraud and errors when evaluating the suitability of the design of controls. ¶ 3.85
    {description of the service organization's system}{audit opinion} When there is a scope limitation, the service auditor should determine the pervasiveness of the effects or possible effects on the description and on the suitability of design and operating effectiveness of controls. According to paragraph .70 of AT-C section 205, the service auditor should express a qualified opinion when the service auditor is unable to obtain sufficient appropriate evidence on which to base the opinion and the service auditor has concluded that the possible effects on the subject matter of undetected description misstatements or deficiencies, if any, could be material but not pervasive to the subject matter. (Disclaiming an opinion because of a scope limitation is discussed beginning in paragraph 4.61.) ¶ 4.58
    {not be covered}{SOC 2 Report}Paragraph .57 of AT-C section 205 indicates that if, prior to or after the release of the service auditor's report, the service auditor is willing to permit the inclusion of the service auditor's report in a document that contains the description of the service organization's system or management's assertion and other information, the service auditor should read the other information to identify the following: A material misstatement of fact in the other information, the description of the service organization's system, management's assertion, or the service auditor's report (Other information may bring to light a material misstatement of fact in the description, assertion, or in the service auditor's report that the service auditor did not identify when evaluating whether ¶ 4.100(b)
    {description of the service organization's system} When considering materiality regarding the description, the service auditor considers whether misstatements or omissions in the description, individually or in the aggregate, could reasonably be expected to influence decisions of specified parties to the SOC 2® report. For example, in a SOC 2® examination on controls relevant to privacy, the service auditor may determine that the description fails to disclose a principal service commitment involving compliance with the European Union's General Data Protection Regulation, to which the service organization is subject. If the service auditor determines that such information could reasonably be expected to influence the decisions of SOC 2® report users, the service auditor may conclude that the omission of such information from the description results in a material misstatement. In that case, the service auditor would request that management amend the description by including the relevant information. ¶ 3.73]
    Testing Detective
    Include the process of using evidential matter to test in-scope controls in the test plan. CC ID 06996
    [When assessing information used in the execution of controls, the service auditor should consider the following factors: The precision with which the control is performed (for example, precision of review controls) ¶ 3.126 Bullet 5
    When assessing information used in the execution of controls, the service auditor should consider the following factors: The degree to which the control depends on other controls ¶ 3.126 Bullet 4
    {SOC 2 examination}{be sufficient} The service auditor should test the operating effectiveness of the controls throughout the period covered by the examination and determine whether the control has occurred a sufficient number of times to be assessed as operating effectively. The following are examples of how this guidance may be applied by the service auditor: ¶ 3.135
    {audit evidence}Make inquiries and perform other procedures such as inspection (for example, of documents, reports, or electronic files), observation (for example, of the application of the control), or reperformance, to obtain evidence about the following: The consistency with which the control was applied throughout the period ¶ 3.115(a)(ii)
    {responsible individual}{audit evidence}Make inquiries and perform other procedures such as inspection (for example, of documents, reports, or electronic files), observation (for example, of the application of the control), or reperformance, to obtain evidence about the following: By whom or by what means the control was applied (Is the control automated or manual? Has there been high turnover of the personnel in the position that performs the control, and is the control being performed by an inexperienced person?) ¶ 3.115(a)(iii)
    {audit evidence}When designing and performing tests of controls, the service auditor should do the following: Determine whether the controls to be tested depend on other controls and, if so, whether it is necessary to obtain evidence supporting the operating effectiveness of those other controls. ¶ 3.115(b)
    When designing and performing tests of controls, the service auditor should do the following: Determine an effective method for selecting the items to be tested to meet the objectives of the procedure. ¶ 3.115(c)
    Quantitative factors to be considered in a SOC 2® examination relate to matters such as the tolerable rate of deviation and the observed rate of deviation. (In this guide, the tolerable rate of deviation is the maximum rate of deviation in the operation of the control that the service auditor is willing to accept without modifying the opinion on any of the subject matters in the examination.) Quantitative factors are less likely to apply when evaluating the design of controls but would be considered when evaluating the operating effectiveness of the controls. Note, however, that the service auditor should carefully consider the effect of identified deviations, either individually or in combination with other identified deviations, on the controls' ability to mitigate assessed risks. ¶ 3.164
    {be effective}{access control}{test of control} Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of the control operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by the program, is changed. Once the service auditor determines that an automated control is functioning as intended, which could be determined at the time the control is initially implemented or at some other date, the service auditor should perform tests to determine that the control continues to function effectively. Such tests ordinarily would include determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for processing transactions, and that other relevant IT general controls are effective. In instances where the automated control is configurable, the service auditor should perform procedures to evaluate the configuration. Such procedures may include obtaining an understanding of the configuration process, performing procedures to test the completeness and accuracy of the configuration parameters, and evaluating the controls over access to alter the configuration. If the control is tested in an environment other than the production environment, the service auditor may need to assess the risk that the functionality of the control in the production environment differs from that in the non-production environment and perform procedures to determine that the environment being tested matches that of the production environment. ¶ 3.138
    {description of the service organization's system} The service auditor may decide that it is necessary to perform additional tests for the portion of the extended or modified period not included in the original period, and the results of those tests, along with any additional information of which the service auditor becomes aware, would be considered in forming a conclusion about the description, the suitability of the design of controls or, in a type 2 examination, the operating effectiveness of controls for the extended or modified period. ¶ 2.83
    {audit evidence}{do not operate effectively} When more than one control is necessary to address a risk that would prevent the service organization from achieving one or more of its service commitments and system requirements, the service auditor considers whether a combination of controls is necessary, as discussed in paragraph 3.92. If a combination of controls is necessary, the service auditor considers evidence about whether all the controls are operating effectively; deficiencies are evaluated in the same way. The service auditor also considers the risk that one or more of the controls will not operate effectively. ¶ 3.113
    {test of control} The service auditor is responsible for determining the nature (how the controls are tested), timing (when the controls are tested and the frequency of the testing), and extent (the number of procedures performed or the size of the sample) of procedures necessary to obtain sufficient appropriate evidence about the operating effectiveness of controls throughout the period. ¶ 3.110
    The service auditor's selection of sample items should be reasonably expected to be representative of the population, resulting in a sample that is representative of the population covering the reporting period. Random selection of items represents one means of obtaining such samples. ¶ 3.146
    {SOC 2 engagement}{audit opinion}{further evidence}{description of the service organization's system} The service auditor also evaluates the effect of such uncorrected description misstatements or deficiencies on the engagement and on the opinion. The service auditor may conclude that additional appropriate evidence is required to form a conclusion about the description, suitability of design of controls, or control effectiveness. In that case, the service auditor should design and perform additional procedures to obtain sufficient appropriate evidence. ¶ 4.11
    {be material}{audit opinion}{description of the service organization's system}{operating effectiveness} When evaluating the results of tests of controls and the significance of deviations noted, the service auditor should accumulate instances in which controls did not operate effectively. Generally, if controls are not operating effectively to provide reasonable assurance that one or more service commitments or system requirements were achieved based on the applicable trust services criteria, the deficiency is considered material. The service auditor also considers the potential impact of other factors that may affect the opinion on the operating effectiveness of controls, such as misstatements in the description or deficiencies noted in the suitability of the design of controls. ¶ 3.157
    {audit evidence}{be available}{audit opinion} There may be instances in which evidence that would have demonstrated the operating effectiveness of a control may be lost, misplaced, or inadvertently deleted by the service organization. In such instances, the service auditor evaluates the type of evidence available and whether the operating effectiveness of the control can be tested through other procedures, such as observation, that would provide sufficient appropriate evidence throughout the period. However, depending on the control activity and its significance, tests such as observation may not alone provide sufficient appropriate evidence. If such tests do not provide sufficient evidence, the service auditor should consider whether other controls are operating effectively. If one or more of the criteria are not met, the service auditor should modify the opinion. When modifying the opinion, the service auditor should consider whether the deficiency results from a failure of the control to operate effectively or from the inadvertent destruction of evidence (for example, the destruction of the computer hard disk on which the evidence was stored). ¶ 3.119
    {be the same}{audit evidence}{audit item}{be consistent}{be appropriate} The service auditor's test of the precision of each review control may include evaluating the same aspects of the control to determine that the control operated the same way each time it was tested. The service auditor may need to determine whether the evidence gathered through the tests performed demonstrates that the review control consistently identifies appropriate items for follow-up and that matters identified for investigation are resolved in a timely manner. Without documented instances of the review control identifying appropriate items for follow-up, the service auditor may not have sufficient appropriate evidence that the review control operated as designed. ¶ 3.127 ¶ 1
    {evaluate}{be adequate}{work}{internal audit function}Such procedures usually consist of one or more of the following: Independent testing of items tested by the internal audit function (reperformance) ¶ 3.168 Bullet 1
    {audit evidence} The service auditor evaluates the suitability of the design of controls by using evidence and other information gathered when ¶ 3.95
    {evaluate}{be adequate}{work}{internal audit function}{be independent}{audit conclusion}Such procedures usually consist of one or more of the following: Independent selection of items from the population tested by internal audit and the performance of tests of a similar nature to those performed by internal audit to independently evaluate internal audit's conclusion ¶ 3.168 Bullet 2
    {test of control} The extent of the service auditor's testing refers to the size of the sample tested or the number of observations of a control activity. The extent of testing is based on the service auditor's professional judgment after considering the tolerable rate of deviation, the expected rate of deviation, the frequency with which the control operates, the relevance and reliability of the evidence that can be obtained to support the conclusion that the controls are operating effectively, the length of the testing period, the significance of the control to the achievement of the service organization's service commitments and system requirements based on the applicable trust services criteria, and the extent to which audit evidence is obtained from tests of other controls that support the achievement of those service commitments and system requirements based on the applicable trust services criteria. ¶ 3.134
    {description of the service organization's system} During a walk-through, the service auditor may inquire about instances during the period in which controls did not operate as described or designed. In addition, the service auditor may inquire about variations in the process for different types of events or transactions. For example, the service organization's processing may take different forms, depending on how information is collected from user entities and business partners. Assume, for example, that the service organization receives transactions by mail, phone, fax, voice response unit, or via the internet. The service organization may design different controls related to the way the information is collected. An appropriately performed walk-through provides an opportunity to verify the service auditor's understanding of the flow of transactions and the design of the controls. If properly performed, walk-throughs may provide evidence about whether controls included in the description, individually or in combination with other controls, were suitably designed and implemented and, in a type 2 examination, operated effectively. ¶ 3.61]
    Establish/Maintain Documentation Preventive
    Audit the in-scope system according to the test plan using relevant evidence. CC ID 07112
    [{SOC 2 Examination}{audit evidence} The service auditor may perform tests of controls at interim dates, at the end of the examination period, or after the examination period if the tests relate to controls that were in operation during the period but do not leave evidence until after the end of the period. Performing procedures at an interim date may assist the service auditor in identifying, at an early stage of the examination, any potential deficiencies in the design or the operating effectiveness of controls and, consequently, provides an opportunity for the service organization to resolve identified deficiencies prior to the end of the examination period, regardless of the service auditor's determination about whether they affect the service auditor's report. When the service auditor performs tests of the operating effectiveness of controls at an interim period, the service auditor should determine the extent of additional testing necessary for the remaining period. ¶ 3.132]
    Testing Preventive
    Implement procedures that collect sufficient audit evidence. CC ID 07153
    [{audit evidence} The service auditor may use evidence