Establish and maintain work papers, as necessary.


CONTROL ID: 13891
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Audit in scope audit items and compliance documents., CC ID: 06730

This Control has the following implementation support Control(s):
  • Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers., CC ID: 16775
  • Include audit irregularities in the work papers., CC ID: 16774
  • Include corrective actions in the work papers., CC ID: 16771
  • Include information about the organization being audited and the auditor performing the audit in the work papers., CC ID: 16770
  • Include discussions with interested personnel and affected parties in the work papers., CC ID: 16768
  • Include justification for departing from mandatory requirements in the work papers., CC ID: 13935
  • Include audit evidence obtained from previous engagements in the work papers., CC ID: 16518
  • Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers., CC ID: 06998
  • Include the tests, examinations, interviews and observations performed during the audit in the work papers., CC ID: 07190
  • Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers., CC ID: 07026
  • Include the tester, and dates, for using evidential matter to test in scope controls in the work papers., CC ID: 06997
  • Include if the audit evidence has identified in scope control deficiencies in the work papers., CC ID: 07152
  • Include any subsequent events related to the audit assertion or audit subject matter in the work papers., CC ID: 07177
  • Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers., CC ID: 06987
  • Include the causes of identified in scope control deficiencies in the work papers., CC ID: 07000


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • ensure that appropriate documented information is prepared and maintained, including audit programme records; (§ 5.4.1 ¶ 1(f), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The form and level of detail of the records should demonstrate that the objectives of the audit programme have been achieved. (§ 5.5.7 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The use of these media should not restrict the extent of audit activities, which can change as a result of information collected during the audit. (§ 6.3.4 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Documentation of the work performed (¶ 2.149 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The nature, timing, and extent of the procedures performed to comply with AT-C sections 105 and 205 and applicable legal and regulatory requirements, including the following: (¶ 3.222(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Additionally, paragraphs .87–.89 of AT-C section 205 discuss the service auditor's responsibilities for preparing and maintaining documentation that is appropriate to an examination. The service auditor's documentation in a SOC 2® examination is the principal record of attestation procedures appl… (¶ 3.222, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Appropriate engagement documentation being maintained to provide evidence of achievement of the service auditor's objectives and that the engagement was performed in accordance with the attestation standards and relevant legal and regulatory requirements (¶ 2.50 d., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Reviews being performed in accordance with the firm's review policies and procedures and reviewing the engagement documentation on or before the date of the service auditor's report (¶ 2.50 c., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Documentation of the work performed (¶ 2.165 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The nature, timing, and extent of the procedures performed to comply with AT-C section 205 and applicable legal and regulatory requirements, including the following: (¶ 3.252 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)