Include agreement to the audit scope and audit terms in the audit program.

CONTROL ID
06965
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Establish and maintain a bespoke audit scope for each audit being performed., CC ID: 13077
  • Include audit subject matter in the audit program., CC ID: 07103
  • Provide a representation letter in support of the audit assertion., CC ID: 07158
  • Establish and maintain audit assertions, as necessary., CC ID: 14871
  • Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties., CC ID: 06967
  • Include the scope for the desired level of assurance in the audit program., CC ID: 12793
  • Include conditions that might require modification of the audit program in the audit terms., CC ID: 07149
  • Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms., CC ID: 06988
  • Include the criteria for determining the desired level of assurance in the audit program., CC ID: 12795
  • Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program., CC ID: 12794
  • Include the expectations for the audit report in the audit terms., CC ID: 07148
  • Establish and maintain a practitioner’s report on management’s assertions, as necessary., CC ID: 13888


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The FI should ensure that the scope of IT audit is comprehensive and includes all critical IT operations. (§ 14.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • scope, type, extent, timings and milestones of the assessment (30.b.iv., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • Coming to an agreement with the system owner on: (30.b., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • Requirements for auditing IT systems are determined. (5.2.6 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • The organization should establish and implement criteria and processes for an assessment prior to the delegation of functions. (CORE - 6, URAC Health Utilization Management Standards, Version 6)
  • The audit criteria, scope, frequency, and methods shall be defined. (§ 4.2.11 ¶ 2, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Security audit activity should be managed by agreeing to requirements for special processing routines or tests (e.g., performing vulnerability assessments and penetration tests) with the owner(s) of target environments. (SI.01.01.04a, The Standard of Good Practice for Information Security)
  • An approach to performing a security audit of the target environment should be agreed, taking into account the compliance-based approach, which typically examines the controls in place (e.g., by determining if controls are being applied by testing their effectiveness). (SI.01.02.04a, The Standard of Good Practice for Information Security)
  • An approach to performing a security audit of the target environment should be agreed, taking into account the threat-based approach, which typically uses tests that mimic or closely match threats that attempt to exploit vulnerabilities (e.g., control weaknesses) or bypass security controls (e.g., b… (SI.01.02.04b, The Standard of Good Practice for Information Security)
  • The security audit plan should be approved and signed off by the owner of the target environment and by the audit manager. (SI.01.02.07a, The Standard of Good Practice for Information Security)
  • Security audit activity should be managed by agreeing to requirements for special processing routines or tests (e.g., performing vulnerability assessments and penetration tests) with the owner(s) of target environments. (SI.01.01.04a, The Standard of Good Practice for Information Security, 2013)
  • An approach to performing a security audit of the target environment should be agreed, taking into account the compliance-based approach, which typically examines the controls in place (e.g., by determining if controls are being applied by testing their effectiveness). (SI.01.02.04a, The Standard of Good Practice for Information Security, 2013)
  • An approach to performing a security audit of the target environment should be agreed, taking into account the threat-based approach, which typically uses tests that mimic or closely match threats that attempt to exploit vulnerabilities (e.g., control weaknesses) or bypass security controls (e.g., b… (SI.01.02.04b, The Standard of Good Practice for Information Security, 2013)
  • The security audit plan should be approved and signed off by the owner of the target environment and by the audit manager. (SI.01.02.07a, The Standard of Good Practice for Information Security, 2013)
  • Audit plans, activities, and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders. (AAC-01, Cloud Controls Matrix, v3.0)
  • define the audit criteria and scope for each audit; (§ 9.2.2 ¶ 3 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • the establishment of audit objectives, scope(s) and criteria of the audits, determining audit methods and selecting the audit team; (§ 5.4.1 ¶ 1(d) Bullet 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The audit scope should be consistent with the audit programme and audit objectives. It includes such factors as locations, functions, activities and processes to be audited, as well as the time period covered by the audit. (§ 5.5.2 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • confirm the agreement with the auditee regarding the extent of the disclosure and the treatment of confidential information; (§ 6.2.2 ¶ 1(f), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • agree on the attendance of observers and the need for guides or interpreters for the audit team; (§ 6.2.2 ¶ 1(i), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previou… (§ 9.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requiremen… (§ 9.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes. (A.12.7.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • define the audit criteria and scope for each audit; (§ 9.2.2 ¶ 1(b), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. (§ 12.7.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. (§ 8.34 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The service auditor must have reasons for believing that the subject matter may be evaluated against criteria appropriate for the intended use, in order to accept or continue the engagement. (¶ 2.03.a.iii, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for preparing the system description and assertion. (¶ 2.13.a, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing a written assertion. (¶ 2.13.b, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for having a reasonable basis for the assertion. (¶ 2.13.c, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Because of the additional complexities involved with the use of the inclusive method, both the service organization and the subservice organization ought to agree on the use of the inclusive approach before it is selected for the examination. In addition, to facilitate the process, service organizat… (¶ 2.98, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtain an understanding of whether the other practitioner understands, and will comply with, the ethical requirements that are relevant to the engagement and, in particular, is independent. (The discussion beginning in paragraph 2.36 also applies to the other practitioner.) (¶ 2.156(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If management refuses to provide a written assertion, paragraph .82 of AT-C section 205 requires the service auditor to withdraw from the engagement when withdrawal is possible under applicable laws and regulations. Consequently, it is important to obtain management's agreement to provide the writte… (¶ 2.68, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .07 of AT-C section 205 requires the service auditor to agree on, and document in a written communication such as an engagement letter, the terms of the engagement with the engaging party. A written agreement reduces the risk that either the service auditor or service organization manageme… (¶ 2.70, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Agreeing on the terms of the engagement with service organization management, including establishing an understanding about the responsibilities of management and the service auditor (see paragraph 2.71) (¶ 2.30 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Acknowledgment from subservice organization management that it will provide the service auditor with a written assertion and representation letter (Both service organization management and subservice organization management are responsible for providing the service auditor with a written assertion a… (¶ 2.98 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • AT-C section 205 does not include requirements for the service auditor to perform procedures to determine whether management has a reasonable basis for its assertion. However, because of the relationship between (a) the evaluation of the suitability of design of controls and, in a type 2 examination… (¶ 2.51, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Agreeing on the terms of the engagement (¶ 2.172 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Chapter 2 discusses the service auditor's responsibilities when a service auditor's specialist will be used in the SOC 2® examination. Those responsibilities include (a) evaluating the specialist's competence, capabilities, and objectivity; (b) obtaining an understanding of the specialist's field o… (¶ 3.178, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Although it is not the objective of a service auditor's engagement, a service auditor may develop recommendations to improve a service organization's controls. The service auditor and service organization management agree on whether and how such recommendations will be communicated. Typically, the s… (¶ 4.94, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When establishing the terms of the engagement, the service auditor's understanding with the engaging party may include the fact that the use of the SOC 2® report will be restricted to the parties identified in the report. In addition, the service auditor should consider informing the engaging party… (¶ 4.93, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • By communicating with the service auditor's specialist about these matters early in the engagement, the service auditor will be in a better position to plan the scope and timing of the specialist's work on the engagement. In addition, he or she will be better able to plan the nature, timing, and ext… (¶ 2.161, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Quality control policies and procedures to comply with the quality control requirements often include consideration of the integrity and reputation of service organization management and significant shareholders or principal owners to determine whether the firm's reputation is likely to suffer by as… (¶ 2.33, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The planned content and format of the inclusive description (¶ 2.98 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • According to paragraph .A37 of AT-C section 105, subject matter is appropriate if it is identifiable, capable of consistent measurement or evaluation based on the criteria, and can be subjected to procedures for obtaining sufficient appropriate evidence to support an opinion. In a SOC 2® examinatio… (¶ 2.45, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the nature, scope, and objectives of the specialist's work; (¶ 2.160(c)(i), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • has reached a common understanding with the engaging party of the terms of the engagement, including the service auditor's reporting responsibilities. (Chapter 4 discusses reporting in a SOC 2® examination.) (¶ 2.32(d), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtain an understanding of the services provided by the service organization, the system used to provide them, and the service organization's service commitments and system requirements that define the engagement. (¶ 2.92(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Although not required by the attestation standards, the service auditor would ordinarily expect the engaging party to sign the engagement letter. The engaging party's refusal to sign the engagement letter would be a relevant factor in the service auditor's consideration of the integrity of the clien… (¶ 2.74, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reaching an understanding with management regarding their willingness and ability to provide a written assertion at the conclusion of the examination (see paragraph 2.67) (¶ 2.30 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In accordance with paragraph .29 of AT-C section 105, the service auditor should accept a SOC 2 examination only when the service auditor has reached a common understanding with service organization management about the terms of the engagement. Paragraph .08 of AT-C section 205 indicates that these … (¶ 2.03, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If the service organization's controls alone provide reasonable assurance that its service commitments and system requirements are achieved, or if the service organization's monitoring of the vendor's services and controls is sufficient to provide reasonable assurance that its service commitments an… (¶ 2.09, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Reaching an understanding with management regarding management's willingness and ability to provide a written assertion at the conclusion of the examination (see paragraph 2.72) (¶ 2.36 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • has reached a common understanding with the engaging party of the terms of the engagement, including the service auditor's reporting responsibilities. (Chapter 4 discusses reporting in a SOC 2 examination.) (¶ 2.38 d., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Agreeing on the terms of the engagement with service organization management, including establishing an understanding about the responsibilities of management and the service auditor (see paragraph 2.76) (¶ 2.36 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .A39 of AT-C section 105 states that subject matter is appropriate if it is (a) identifiable and capable of consistent measurement or evaluation against the criteria and (b) can be subjected to procedures for obtaining sufficient appropriate evidence to support an opinion. In a SOC 2 exami… (¶ 2.53, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • AT-C section 205 does not include specific requirements for the service auditor to perform procedures to determine whether management has a reasonable basis for its assertion. Because of the relationship between (a) the evaluation of the suitability of design of controls and, in a type 2 examination… (¶ 2.59, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If service organization management (responsible party) refuses to provide a written assertion, paragraph .84 of AT-C section 205 states the service auditor should withdraw from the engagement when withdrawal is possible under applicable laws and regulations. Consequently, it is important to obtain m… (¶ 2.74, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .07 of AT-C section 205 states that the service auditor should agree on, and document in a written communication such as an engagement letter, the terms of the engagement with the engaging party. A written agreement, such as an engagement letter, reduces the risk that either the service au… (¶ 2.76, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Because of the additional complexities involved with the use of the inclusive method, both the service organization and the subservice organization ought to agree on the use of the inclusive approach before it is selected for the examination. In addition, to facilitate the process, service organizat… (¶ 2.102, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Acknowledgment from subservice organization management that it will provide the service auditor with a written assertion and representation letter (Both service organization management and subservice organization management are responsible for providing the service auditor with a written assertion a… (¶ 2.102 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The planned content and format of the inclusive description (¶ 2.102 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .14 of AT-C section 205, the service auditor should obtain an understanding of the description, suitability of design of controls, and in a type 2 examination, operating effectiveness of controls and other engagement circumstances sufficient to (¶ 2.108, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Obtain an understanding of whether the other practitioner understands, and will comply with, the ethical requirements that are relevant to the engagement and, in particular, is independent. (The discussion beginning in paragraph 2.41 also applies to the other practitioner.) (¶ 2.172 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the nature, scope, and objectives of the specialist's work; (¶ 2.176 c.i., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Agreeing on the terms of the engagement (¶ 2.195 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Chapter 2 discusses the service auditor's responsibilities when a service auditor's specialist will be used in the SOC 2 examination. Those responsibilities include (a) evaluating the specialist's competence, capabilities, and objectivity; (b) obtaining an understanding of the specialist's field of … (¶ 3.209, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Although it is not the objective of a service auditor's engagement, a service auditor may develop recommendations to improve a service organization's controls. The service auditor and service organization management agree on whether and how such recommendations will be communicated. Typically, the s… (¶ 4.100, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When establishing the terms of the engagement, the service auditor's understanding with the engaging party may include the fact that the use of the SOC 2 report will be restricted to the parties identified in the report. In addition, it is good practice for the service auditor to inform the engaging… (¶ 4.99, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms by acknowledging and accepting responsibility for having a reasonable assertion basis. (¶ .09.c.ii, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should continue or accept an audit on controls only if management agrees on the audit terms by accepting and acknowledging responsibility for preparing the system description and assertion, including completeness, accuracy, and presentation method. (¶ .09.c.i, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The objective and scope of the engagement (AT-C Section 205.08 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should agree upon the terms of the engagement with the engaging party. The agreed-upon terms of the engagement should be specified in sufficient detail in an engagement letter or other suitable form of written agreement. (AT-C Section 205.07, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the nature, scope, and objectives of that practitioner's specialist's work; (AT-C Section 205.36 c.i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should agree upon the terms of the engagement with the engaging party. The agreed-upon terms of the engagement should be specified in sufficient detail in an engagement letter or other suitable form of written agreement. (AT-C Section 210.08, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The engagement partner should be satisfied that appropriate procedures regarding the acceptance and continuance of client relationships and attestation engagements have been followed and should determine that conclusions reached in this regard are appropriate. (AT-C Section 105.23, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • has no reason to believe that relevant ethical requirements, including independence, will not be satisfied; (AT-C Section 105.27 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • has reached a common understanding with the engaging party of the terms of the engagement, including the practitioner's reporting responsibilities. (AT-C Section 105.27 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • obtain an understanding of whether the other practitioner understands and will comply with the ethical requirements that are relevant to the engagement and, in particular, is independent. (AT-C Section 105.31 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The objective and scope of the engagement (AT-C Section 210.09 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • When the practitioner expects to use the work of a practitioner's specialist or internal auditors, the practitioner should apply the requirements in section 205, Examination Engagements, and the related application guidance, as appropriate, for a review engagement. (AT-C Section 210.27, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The specified parties agree on the procedures performed, or to be performed, by the practitioner. (AT-C Section 215.10 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner determines that the procedures can be performed and reported on in accordance with this section. (AT-C Section 215.10 c., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should agree upon the terms of the engagement with the engaging party. The agreed-upon terms of the engagement should be specified in sufficient detail in an engagement letter or other suitable form of written agreement. (AT-C Section 215.12, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • When circumstances impose restrictions on the performance of the agreed-upon procedures, the practitioner should attempt to obtain agreement from the specified parties for modification of the agreed-upon procedures. When such agreement cannot be obtained (for example, when the agreed-upon procedures… (AT-C Section 215.37, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Agreement on procedures by enumerating (or referring to) the procedures (AT-C Section 215.14 g., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • If the practitioner agrees to add a nonparticipant party, the practitioner should obtain affirmative acknowledgment, normally in writing, from the nonparticipant party agreeing to the procedures performed and of its taking responsibility for the sufficiency of the procedures. (AT-C Section 215.38, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The service auditor's preliminary knowledge of the engagement circumstances indicates that the scope of the engagement and management's description of the service organization's system will not be so limited that they are unlikely to be useful to user entities and their auditors. (AT-C Section 320.10 a, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Preparing its description of the service organization's system and its assertion, including the completeness, accuracy, and method of presentation of the description and assertion (AT-C Section 320.10 b.i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Having a reasonable basis for its assertion (AT-C Section 320.10 b.ii., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Providing a written assertion that accompanies management's description of the service organization's system, both of which will be provided to user entities (AT-C Section 320.10 b.vi., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Identification of the subject matter or assertion, the responsible party, and the criteria to be used (AT-C Section 215.14 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • That the accountant understands the annual audited financial report and his opinion thereon will be filed in compliance with this regulation and that the commissioner will be relying on this information in the monitoring and regulation of the financial position of insurers; (Section 12. ¶ 1.C., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Determine the appropriate scope and objectives for the examination. (App A Objective 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine the appropriate scope and objectives for the examination. (App A Objective 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine the appropriate scope and objectives for the examination. (App A Objective 1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the scope and objectives of the examination of the IT audit function and coordinate with examiners reviewing other programs. (TIER I OBJECTIVES AND PROCEDURES Objective 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • The work shall be adequately planned and assistants, if any, shall be properly supervised. (AT 101.42, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • Planning an attest engagement involves developing an overall strategy for the expected conduct and scope of the engagement. (AT 101.44, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • The practitioner should establish an understanding with the client regarding the services to be performed for each engagement. (AT 101.46, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • As part of the planning process, the practitioner should consider the nature, extent, and timing of the work to be performed to accomplish the objectives of the attest engagement. (AT 101.47, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • If the responsible party or the client refuses to furnish all written representations that the practitioner deems necessary, the practitioner should consider the effects of such a refusal on his or her ability to issue a conclusion about the subject matter. (AT 101.62, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • Restrictions on the scope of an engagement, whether imposed by the client or by such other circumstances as the timing of the work or the inability to obtain sufficient evidence, may require the practitioner to qualify the assurance provided, to disclaim any assurance, or to withdraw from the engage… (AT 101.73, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • The practitioner's decision to provide a qualified opinion, to disclaim an opinion, or to withdraw because of a scope limitation in an examination engagement depends on an assessment of the effect of the omitted procedure(s) on his or her ability to express assurance. (AT 101.74, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • In a review engagement, when the practitioner is unable to perform the inquiry and analytical or other procedures he or she considers necessary to achieve the limited assurance contemplated by a review, or when the client is the responsible party and does not provide the practitioner with a written … (AT 101.75, Public Company Accounting Oversight Board Attestation Standards, Section 101)