Determine the accuracy of the audit assertion's in-scope system description.


CONTROL ID
06979
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Audit in-scope audit items and compliance documents., CC ID: 06730

This Control has the following implementation support Control(s):
  • Determine if the in-scope system has been implemented as described in the audit assertion., CC ID: 06983
  • Investigate the nature and causes of misstatements in the audit assertion's in-scope system description., CC ID: 16557
  • Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary., CC ID: 13977
  • Edit the audit assertion for accuracy., CC ID: 07030


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Regulated users must be able to show the system description of the legacy system. (¶ 16.6 Bullet 2, Good Practices For Computerized systems In Regulated GXP Environments)
  • The inspectors should select the GxP-critical computerized systems, consider the validation evidence for those systems and then the routine operational controls that maintain a valid, accurate and reliable system, and look for inconsistencies or muddled standards. (¶ 23.6, Good Practices For Computerized systems In Regulated GXP Environments)
  • The service auditor should determine if the description meets the description criteria located in paragraphs 1.34 and 1.35, when evaluating the fairness of the presentation of the system description. (¶ 1.13, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The type 1 report must include a written assertion about whether the system description fairly presents the system that was designed and implemented as of a named date. (¶ 1.17.b.ii(1), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description must include the system boundaries or system aspects, in order to meet the criteria for being fairly presented. (¶ 1.34.a.iii, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description must include the applicable trust services criteria and controls designed to meet the criteria for each principle being reported on including the complementary user entity controls, in order to meet the criteria for being fairly presented. (¶ 1.34.a.vii(1), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description must include the applicable trust services criteria and controls designed to meet the criteria for each principle being reported on including the controls at the subservice organization if the inclusive method is used, in order to meet the criteria for being fairly presented. (¶ 1.34.a.vii(2), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description must include, when the carve out method is used, each applicable trust services criteria being met by controls at the subservice organization or alone or in combination with the organization and the controls expected to be implemented to meet the criteria, in order to meet the… (¶ 1.34.a.viii(2), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description must contain, for type 2 reports, details of any system changes during the period the description covers, in order to meet the criteria for being fairly presented. (¶ 1.34.a.xi, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description, when addressing privacy controls and using the carve-out method, must contain the parts of the personal information life cycle that the subservice organization has responsibility for, in order to meet the criteria for being fairly presented. (¶ 1.35.c.i, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should consider the scope of the system, the functions, how the subservice organizations are used, how the information is presented, the relevance of the trust services principles, and the time period of the report when determining whether to accept or continue an engagement. (¶ 2.09, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should read the system description and determine if it is fairly presented. (¶ 3.01, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor may read Service Level Agreements and contracts to determine if the system description is fairly presented. (¶ 3.02 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor may obtain an understanding of the laws and regulations that are relevant to the services being provided to evaluate if the system description is fairly presented. (¶ 3.02 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor may observe the procedures being performed by personnel to evaluate if the system description is fairly presented. (¶ 3.02 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor may read policy manuals, procedure manuals, and other system documentation to evaluate if the system description is fairly presented. (¶ 3.02 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor may obtain a list of the user entities and determine how the provided services are likely to affect the user entities to evaluate if the system description is fairly presented. (¶ 3.02 Bullet 6, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor may discuss with management about the content of the assertion and the system description to evaluate if the system description is fairly presented. (¶ 3.02 Bullet 7, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor may read reports from the internal audit function to evaluate if the system description is fairly presented. (¶ 3.02 Bullet 8, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description is not fairly presented if it implies or states that elements that do not exist actually exist, implies or states that controls are being performed when they are actually not being performed, and if it intentionally or inadvertently distorts or omits relevant system informatio… (¶ 3.06, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should determine if the system description includes all major parts of the system that are in the scope of the engagement, when evaluating if the system description materially omits information that is relevant to users. (¶ 3.08, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should determine if the system description clearly delineates the boundaries of the system that are included in the scope. (¶ 3.09, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should ask questions and read documents to evaluate whether the complementary user entity controls are adequately described in the system description. (¶ 3.22, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Assessing whether the description of the service organization's system presents the system that has been designed and implemented in accordance with the description criteria (¶ 2.113 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the description of the service organization's system that was implemented and operated is not presented in accordance with the description criteria. (¶ 2.120 Bullet 1 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • inadvertently or intentionally omits or distorts material information about any of the description criteria that might affect the decisions of report users (for example, the failure to include in the description significant aspects of processing performed at another location included within the scop… (¶ 3.67 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • designing procedures to evaluate whether the description is presented in accordance with the description criteria. (¶ 2.117 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Activities of the internal audit function that may be relevant to the SOC 2® examination include those that provide information or evidence about whether the description is presented in accordance with the description criteria or whether controls were suitably designed and, in a type 2 examination,… (¶ 2.133, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The description of the services provided by a subservice organization should be prepared at a level of detail that could reasonably be expected to meet the common informational needs of the broad range of report users. The following is an example of a description of a service organization that uses … (¶ 3.49, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Are the service commitments presented in sufficient detail for report users to understand the relationship between the controls implemented by the service organization and the service commitments and system requirements? For example, a service organization may implement certain system components at … (¶ 3.26(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When the SOC 2® report is designed for a broad range of users, does the description summarize the principal service commitments that are common to such report users? For example, assume a service organization makes a general system availability commitment to all user entities but makes additional s… (¶ 3.26(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description (¶ 2.26 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Prepare the description of the service organization's system, including the determination of the service organization's service commitments and system requirements (¶ 2.110(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and relevant to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria. When making this evalua… (¶ 3.41, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Discussing with management and other service organization personnel the content of management's assertion and the description (¶ 3.59 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Based on paragraph .60 of AT-C section 205, the service auditor should evaluate whether the description is misleading within the context of the engagement based on the evidence obtained. Paragraph .A73 of AT-C section 205 states that, when making this evaluation, the service auditor may consider whe… (¶ 3.64, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • contains statements that cannot be objectively evaluated. For example, describing a service organization as being the "world's best" or "most respected in the industry" is subjective and, therefore, could be misleading to report users. (¶ 3.67 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • contains or implies certain facts that are not true (for example, that certain IT components exist when they do not or that certain processes and controls have been implemented when they are not being performed). (¶ 3.67 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor should obtain and read the description of the service organization's system and perform procedures to determine whether the description is presented in accordance with the description criteria. Determining whether the description of the service organization's system is presented … (¶ 3.20, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service auditor believes the event is of such a nature and significance that its disclosure is necessary to prevent report users from being misled, the service auditor should determine whether information about the event is adequately disclosed in the description or in management's assertion.… (¶ 3.219, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Alignment between the processes and controls stated in the description and the underlying system controls implemented by the service organization. If the description includes a particular control, it is likely that report users will presume that the control is material for the purposes of the SOC 2®… (¶ 3.163 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When performing the SOC 2® examination, the service auditor should also obtain an understanding of changes in the service organization's system implemented during the period covered by the examination. If the service auditor believes that the changes would be considered significant by the broad ran… (¶ 3.62, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When performing a type 2 examination, description criterion DC9 indicates that a description should disclose relevant details of changes to the service organization's system during that period. If the service auditor believes changes to the system would be considered significant by report users, the… (¶ 3.108, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method … (¶ 2.100, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to under… (¶ 1.49, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description (¶ 2.32 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Based on the requirements in paragraph .47 of AT-C section 205, the service auditor should consider the additional evidence obtained for the extended or modified period when forming an opinion about the description, suitability of the design of controls, or in a type 2 examination, o… (¶ 2.87, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method … (¶ 2.104, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Assessing whether the description of the service organization's system presents the system that has been designed and implemented in accordance with the description criteria (¶ 2.109 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the CSOCs identified by service organization management are identified as controls in the subservice organization's SOC 2 report (¶ 2.124 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • there are any CUECs identified in the subservice organization's SOC 2 report that are the responsibility of the service organization or user entities and that should be included in the controls identified by the service organization or CUECs to be addressed by user entities. (¶ 2.124 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor's procedures for evaluating whether the description is in accordance with the description criteria begin with obtaining and reading the description of the service organization's system and evaluating whether it presents the system that was designed and implemented based on the se… (¶ 3.20, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When management has included disclosures about a process or control framework in the description, the service auditor may need to broaden the understanding of the system to include an understanding of (1) the requirements of the process or control framework and (2) how the controls implemented by ma… (¶ 2.183, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As it relates to CUECs, the description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and necessary as discussed in paragraph 3.53. When making this evaluation, the service auditor may review system documentation and contracts with user ent… (¶ 3.54, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When the description includes significant user entity responsibilities, the service auditor would need to evaluate those disclosures as part of the evaluation about whether the description is presented in accordance with the description criteria. (¶ 3.58, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The wording used to make the required disclosures. For example, the wording chosen does not omit or distort the disclosures presented. (¶ 3.86 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The extent to which identified deficiencies in the suitability of design or the operating effectiveness of controls contradict the disclosures about controls included in the description. (¶ 3.86 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .61 of AT-C section 205, the service auditor should evaluate whether the description is misleading within the context of the engagement based on the evidence obtained. Paragraph .A79 of AT-C section 205 states that, when making this evaluation, the service auditor may co… (¶ 3.218, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .49 of AT-C section 205, if the service auditor believes the event is of such a nature and significance that its disclosure is necessary to prevent report users from being misled, the service auditor should determine whether information about the event is adequately disc… (¶ 3.249, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Comparison of the requirements of the process or control framework with management's description of the processes and controls (¶ 3.263 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Alignment between the processes and controls stated in the description and the underlying system controls implemented by the service organization. If the description includes a particular control, it is likely that report users will assume the control is material for the purposes of the SOC 2 examin… (¶ 3.190 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in chapter 1, "Introduction and Background," the service auditor may express an unmodified opinion on the description only if evidence obtained supports a conclusion that the description is free from material misstatement. When considering the materiality of identified description misst… (¶ 4.02, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should read management's system description and evaluate whether the parts of the description that are included in the scope are presented fairly. (¶ .19, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The practitioner should evaluate whether the written description of the subject matter or assertion adequately refers to or describes the criteria. (AT-C Section 205.58, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should evaluate, based on the evidence obtained, whether the presentation of the subject matter or assertion is misleading within the context of the engagement. (AT-C Section 205.60, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should evaluate whether the written description of the subject matter or assertion adequately refers to or describes the criteria. (AT-C Section 210.41, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should evaluate, based on the review evidence obtained, whether the presentation of the subject matter or assertion is misleading within the context of the engagement. (AT-C Section 210.43, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the forecast presents the expected financial position, results of operations, and cash flows for the forecast period and that the forecast reflects the responsible party's judgment, based on present circumstances, of the expected conditions and its expected course of action; (AT-C Section 305.28 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • computations made to translate the assumptions into prospective amounts are mathematically accurate, (AT-C Section 305.26 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • preparing its description of the service organization's system, (AT-C Section 320.14 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • whether management's description of the service organization's system does not omit or distort information relevant to the service organization's system, while acknowledging that management's description of the service organization's system is prepared to meet the common needs of a broad range of us… (AT-C Section 320.15 c., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The service auditor's consideration of materiality should include the fair presentation of management's description of the service organization's system, the suitability of the design of controls to achieve the related control objectives stated in the description and, in the case of a type 2 report,… (AT-C Section 320.19, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the source of the historical financial information on which the pro forma financial information is based has been appropriately identified. (AT-C Section 310.13 i.ii., SSAE No. 18, Attestation Standards: Clarification and Recodification)