Determine if the audit assertion's in scope controls are reasonable.
CONTROL ID
06980
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Audit in scope audit items and compliance documents., CC ID: 06730

This Control has the following implementation support Control(s):
  • Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary., CC ID: 13978
  • Document test plans for auditing in scope controls., CC ID: 06985


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; (4.13.3 93(f), Final Report on EBA Guidelines on outsourcing arrangements)
  • Check if the security management efforts to obtain Information Security can be made clear based on confirmation from an auditor or on an ISO 27001 certificate on the basis of it-grundschutz. (7 Bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Management of the service organization must have a reasonable basis for its written assertion. (¶ 2.01 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service organization should evaluate the suitability of the control design at the subservice organization, when the inclusive method is used. (¶ 3.27 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Paragraph 2.45 indicates that, as one of the preconditions of the SOC 2® examination, the service auditor should determine whether the subject matters are appropriate for the engagement. According to paragraph .A36 of AT-C section 105, one element of the appropriateness of the subject matters is th… (¶ 2.49, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Having a reasonable basis for its assertion (¶ 2.26 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Assess the suitability of the design of the controls (¶ 2.110(c), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service auditor determines that certain controls identified in the description have not been implemented, the service auditor may ask service organization management to delete those controls from the description. If management does not modify the description to remove the controls from the de… (¶ 3.23, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Activities of the internal audit function that may be relevant to the SOC 2® examination include those that provide information or evidence about whether the description is presented in accordance with the description criteria or whether controls were suitably designed and, in a type 2 examination,… (¶ 2.133, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service organization uses the carve-out method for the services and controls of a subservice organization, the service auditor also evaluates whether the types of controls stated in the description and expected to be implemented at the subservice organization are necessary, in combination wit… (¶ 3.152, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • During the examination, the service auditor performs procedures to evaluate whether controls over vendors and business partners are suitably designed and, in a type 2 examination, operated effectively. (¶ 3.151, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determine whether the controls to be tested depend on other controls and, if so, whether it is necessary to obtain evidence supporting the operating effectiveness of those other controls. (¶ 3.115(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When assessing the risks of material misstatement, paragraph .15 of AT-C section 205 states that the service auditor should obtain an understanding of internal control, which, in the case of a SOC 2® examination, focuses on obtaining an understanding of controls over the preparation of the descript… (¶ 2.121, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Because CSOCs are necessary, in combination with controls at the service organization, to provide reasonable assurance that one or more of the service organization's service commitments or system requirements are achieved based on the applicable trust services criteria, the service auditor also cons… (¶ 3.54, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If management includes in the description disclosures about identified system incidents as defined in description criterion DC4, the service auditor is likely to conclude that those incidents resulted from controls that were not suitably designed or operating effectively. In such instances, the serv… (¶ 3.35, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Understanding which controls are necessary to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria, whether the controls were suitably designed to achieve them, and, in a type 2 report, w… (¶ 2.113 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Most of the service auditor's procedures in forming an opinion on the description and the suitability of controls and, in a type 2 examination, the operating effectiveness of controls consist of obtaining and evaluating evidence. Procedures to obtain evidence include inspection, observation, reperfo… (¶ 2.126, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Having a reasonable basis for its assertion (¶ 2.101 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and relevant to the service organization's achievement of its service commitments and system requirements based on the applicable trust services criteria. When making this evalua… (¶ 3.41, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • evaluate whether the controls the service organization has implemented are suitably designed to achieve the service organization's service commitments to those user entities (for example, reading service level agreements may help the service auditor understand the specific processing commitments mad… (¶ 3.59 Bullet 5 Sub-Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In contrast, a deficiency in the operation of a control exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A service organization may be able to corr… (¶ 3.102, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In some situations, two or more controls are suitably designed only when operating in conjunction with each other. In these situations, the service auditor evaluates the suitability of design and operating effectiveness of the controls together in order to reach a conclusion. (¶ 3.103, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • After performing the procedures and considering the guidance in paragraphs 3.79–3.105, the service auditor should accumulate instances in which controls were not suitably designed or were not properly implemented, which are considered deficiencies in the SOC 2® examination. As part of the evaluat… (¶ 3.104, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Controls are suitably designed if they have the potential to meet the applicable trust services criteria, thereby enabling the service organization's controls to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. Suitably designed … (¶ 3.106, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Evaluating the suitability of the design of controls involves assessing whether the controls stated in the description are suitably designed to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust service… (¶ 3.81, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Alignment between the processes and controls stated in the description and the underlying system controls implemented by the service organization. If the description includes a particular control, it is likely that report users will presume that the control is material for the purposes of the SOC 2®… (¶ 3.163 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Suitably designed controls, if complied with satisfactorily, provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria. Suitably designed controls operate as designed by persons who have the necess… (¶ 3.79, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • AT-C section 205 does not address the need for additional language in certain situations unique to a SOC 2® examination that may affect report users' understanding of the subject matter and the examination. One of those situations occurs when service organization management assumes, during the desi… (¶ 4.36, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Another situation that affects the subject matter of the SOC 2® examination occurs when a service organization uses a subservice organization and service organization management assumes, in the design of the service organization's system, that the subservice organization would apply certain control… (¶ 4.39, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • evaluate their reasonableness and consistency with other evidence obtained, including other representations (oral or written) made by service organization management, and (¶ 3.205(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When a separate SOC 2® report exists for a subservice organization, obtaining and reading the SOC 2® report and paying particular attention to the CUECs identified by the subservice organization in the report helps the service auditor evaluate whether controls at the service organization are suita… (¶ 2.114, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • During a walk-through, the service auditor may inquire about instances during the period in which controls did not operate as described or designed. In addition, the service auditor may inquire about variations in the process for different types of events or transactions. For example, the service or… (¶ 3.61, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service organization uses the carve-out method for a subservice organization, the service auditor also evaluates whether the types of controls expected to be implemented at the subservice organization would, if operating effectively in combination with the controls at the service organization… (¶ 3.99, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • A service organization's system of internal control is evaluated by using the trust services criteria to determine whether the service organization's controls provide reasonable assurance that its business objectives and sub-objectives are achieved. When a service organization provides services to u… (¶ 1.44, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor designs and performs procedures to obtain sufficient appropriate evidence about whether the description presents the system that was designed and implemented in accordance with the description criteria and whether (a) the controls stated in the description were suitably designed … (¶ 1.20, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for having a reasonable basis for asserting that (a) the description of the service organization's system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable a… (¶ 2.04, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Having a reasonable basis for its assertion (¶ 2.32 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • A service organization's system of internal control is evaluated by using the trust services criteria to determine whether the service organization's controls provide reasonable assurance that its business objectives and sub-objectives are achieved. When a service organization provides services to u… (¶ 1.56, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Based on the requirements in paragraph .47 of AT-C section 205, the service auditor should consider the additional evidence obtained for the extended or modified period when forming an opinion about the description, suitability of the design of controls, or in a type 2 examination, o… (¶ 2.87, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Having a reasonable basis for its assertion (¶ 2.105 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Understanding which controls are necessary to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria, whether the controls were suitably designed to achieve them, and in a type 2 report, wh… (¶ 2.109 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .14 of AT-C section 205, the service auditor should obtain an understanding of the description, suitability of design of controls, and in a type 2 examination, operating effectiveness of controls and other engagement circumstances sufficient to (¶ 2.108, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Reviewing service organization management's risk assessment. As discussed beginning at paragraph 2.58, service organization management must have a reasonable basis for its assertions about the description, suitability of design of controls, and in a type 2 examination, operating effectiveness of con… (¶ 2.133 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In some situations, two or more controls are suitably designed only when operating in conjunction with each other. In these situations, the service auditor evaluates the suitability of design and operating effectiveness of the controls together in order to reach a conclusion. (¶ 3.116, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service organization may have multiple controls in place to address the risks that threaten the achievement of the service organization's service commitments and system requirements based on the applicable trust services criteria. In this case, the service auditor may need to consider the suitab… (¶ 3.107, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • A deficiency in the design of a control occurs when a risk that threatens the achievement of one or more of the service organization's service commitments and system requirements is not sufficiently mitigated by one or more properly designed controls. In contrast, a deficiency in the operation of a … (¶ 3.115, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .15 of AT-C section 205, the service auditor's understanding of the controls within a system includes an evaluation of the design of controls and whether the controls have been implemented. Evaluating the suitability of the design of controls involves assessing whether t… (¶ 3.92, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Evaluating whether the controls identified, designed, and implemented by service organization management are suitably designed (¶ 3.92 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When the service organization uses the carve-out method for the services and controls of a subservice organization, the service auditor evaluates whether the types of controls stated in the description and expected to be implemented at the subservice organization are necessary, in combination with c… (¶ 3.166, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Suitably designed controls operate as designed by persons who have the necessary authority and competence to perform the controls. Controls that operate effectively provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicabl… (¶ 3.120, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • evaluate their reasonableness and consistency with other evidence obtained, including other representations (oral or written) made by service organization management, and (¶ 3.235 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • During the examination, the service auditor would also need to perform procedures to evaluate whether monitoring controls over vendors and business partners were suitably designed and, in a type 2 examination, operated effectively. Paragraph 2.61 discusses monitoring controls that may be implemented… (¶ 3.165, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor's understanding of the nature of changes to the service organization's system, if any, and the assessed risk and the design and implementation of related controls that may reduce the effectiveness of the design or operation of the periodic control in the current period under exam… (¶ 3.180 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Whether the nature and frequency with which the periodic control operates is sufficient to provide reasonable assurance that the service organization's service commitments and system requirements would be achieved (¶ 3.180 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When management has described the relevant periodic controls in the description, these same factors may inform the service auditor's evaluation of the description, including whether the controls discussed in the description are suitably designed and implemented. (¶ 3.177 ¶ 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should read management's system description and evaluate whether the parts of the description that are included in the scope are presented fairly, including whether the control objectives are reasonable. (¶ .19.a, SSAE No. 16 Reporting on Controls at a Service Organization)
  • the tests of controls that have been performed provide an appropriate basis for reliance on the controls, (AT-C Section 205.25 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • evaluate their reasonableness and consistency with other evidence obtained, including other representations (oral or written) and (AT-C Section 205.53 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • evaluate their reasonableness and consistency with other review evidence obtained, including other representations (oral or written) and (AT-C Section 210.36 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • evaluating whether controls were suitably designed to achieve the control objectives stated in the description, and (AT-C Section 320.14 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the controls identified in management's description of the service organization's system would, if operating effectively, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved. (AT-C Section 320.16 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • assess the suitability of the design of the controls, and (AT-C Section 320.20 c., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • determine whether the controls to be tested depend on other controls, and if so, whether it is necessary to obtain evidence supporting the operating effectiveness of those other controls. (AT-C Section 320.31 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The service auditor's consideration of materiality should include the fair presentation of management's description of the service organization's system, the suitability of the design of controls to achieve the related control objectives stated in the description and, in the case of a type 2 report,… (AT-C Section 320.19, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the control objectives stated in management's description of the service organization's system are reasonable in the circumstances; (AT-C Section 320.25 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Evaluate whether management's assumptions that underlie the pro forma adjustments are presented in a sufficiently clear and comprehensive manner. (AT-C Section 310.13 f., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Determine whether the board and senior management engage qualified audit or use other independent review functions to assess the AIO design, implementation, and operational effectiveness, including the adequacy of policies and procedures and the effectiveness of controls. Evaluate the appropriatenes… (App A Objective 2:11, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)