Establish and maintain audit terms.


CONTROL ID
13880
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Refrain from approving changes to the audit terms absent reasonable justification., CC ID: 13973
  • Include a statement about the inherent limitations of the audit in the audit terms., CC ID: 13883
  • Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms., CC ID: 13882


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and (4.13.3 93(g), Final Report on EBA Guidelines on outsourcing arrangements)
  • define the audit criteria and scope for each audit; (§ 9.2 ¶ 3 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Paragraph .07 of AT-C section 205 requires the service auditor to agree on, and document in a written communication such as an engagement letter, the terms of the engagement with the engaging party. A written agreement reduces the risk that either the service auditor or service organization manageme… (¶ 2.70, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determining the type (type 1 or type 2) of SOC 2® examination to be performed (¶ 2.04 Bullet 1 Sub-Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determining the type (type 1 or type 2) of SOC 2 examination to be performed (¶ 2.05 Bullet 1 Sub-Bullet 6, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Establishing an overall strategy for the examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement (see paragraph 2.97) (¶ 2.36 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .07 of AT-C section 205 states that the service auditor should agree on, and document in a written communication such as an engagement letter, the terms of the engagement with the engaging party. A written agreement, such as an engagement letter, reduces the risk that either the service au… (¶ 2.76, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • whether it is appropriate to continue with the engagement; and (AT-C Section 105.28 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The nature of the engagement (AT-C Section 215.14 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Assist with developing audit compliance guidelines as well as identifying and reconciling security-related issues. (§ 3.2.10 ¶ 1(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Appropriate scope and detail of AIO-related audits or other reviews. (II.D Action Summary ¶ 2 Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • All TSPs that the Agencies supervise receive an examination sufficient in scope to assign or update the URSIT during each examination cycle. The number and frequency of supervisory activities conducted during the examination cycle varies depending on the risk profile of the TSP as established by the… (Frequency of Examinations ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)