Determine if the audit assertion's in scope procedures are accurately documented.


CONTROL ID: 06982
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Audit in scope audit items and compliance documents., CC ID: 06730

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The system description should separately identify the complementary user entity controls that are needed to meet the applicable trust services criteria and the criteria that cannot be met by the organization's controls alone. (¶ 1.21, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description must contain the manual procedures and automated procedures involved in operating the system that provides the services, in order for it to meet the criteria for being fairly presented. (¶ 1.34.a.ii(4), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description must include the procedures the organization uses to determine if the information furnished to or received from subservice organizations or other parties, along with its processing, maintenance, and storage use appropriate controls, in order to meet the criteria for being fair… (¶ 1.34.a.vi(2), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description, when addressing privacy controls and using the carve-out method, must contain the activities the subservice organization has to perform to meet the privacy commitments of the organization, in order to meet the criteria for being fairly presented. (¶ 1.35.c.ii, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The system description, when addressing privacy controls, must contain the service organization's statement of privacy practices, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals. (¶ 1.35.f, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should read management's system description and evaluate whether the parts of the description that are included in the scope are presented fairly, including whether complementary user entity controls are adequately described. (¶ .19.c, SSAE No. 16 Reporting on Controls at a Service Organization)
  • the underlying transaction (or event), the pro forma adjustments, the significant assumptions, and the significant uncertainties, if any, about those assumptions have been appropriately described. (AT-C Section 310.13 i.i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • management's assertion about compliance with the specified requirements is fairly stated, in all material respects. (AT-C Section 315.20 f.ii.(2), SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • If, as a result of performing the procedures in paragraph .32, the service auditor becomes aware that any identified deviations have resulted from fraud by service organization personnel, the service auditor should assess the risk that management's description of the service organization's system is… (AT-C Section 320.33, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Determine whether the scope of the outsourced internal audit procedures is adequate. (TIER I OBJECTIVES AND PROCEDURES Objective 11:4. Bullet 4, FFIEC IT Examination Handbook - Audit, April 2012)