Accept the attestation engagement when all preconditions are met.


CONTROL ID: 13933
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Audit in scope audit items and compliance documents., CC ID: 06730
  • Track and measure the implementation of the organizational compliance framework., CC ID: 06445
  • Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary., CC ID: 13971


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • confirm the authority to conduct the audit; (§ 6.2.2 ¶ 1(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • A service auditor should accept or continue an engagement to examine and report on controls at a service organization only if the preconditions for an attestation engagement identified in paragraphs .24–.25 of AT-C section 105 are met: (¶ 2.43, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • has determined that the engagement to be performed meets all the preconditions for an attestation engagement. (See paragraph 2.44.) (¶ 2.32(c), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • However, if the service auditor and the engaging party are unable to agree to a change of the terms of the SOC 2® examination, the service auditor and management may agree to continue the engagement in accordance with the original terms or mutually agree to terminate the engagement. If management d… (¶ 2.78, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determining whether to accept or continue an engagement for a particular client. In making this determination, the service auditor needs to consider whether the preconditions for accepting an examination as discussed in paragraphs .24–.25 of AT-C section 105 have been met (see paragraph 2.44) (¶ 2.30 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Quality control policies and procedures to comply with the quality control requirements often include consideration of the integrity and reputation of service organization management and significant shareholders or principal owners to determine whether the firm's reputation is likely to suffer by as… (¶ 2.33, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determining whether to accept or continue the engagement (¶ 2.172 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Prior to accepting a SOC 2® examination, AT-C section 105, Concepts Common to All Attestation Engagements, requires the service auditor to determine that certain preconditions are met. Among other things, those preconditions require the service auditor to determine whether the engagement team meets… (¶ 2.01, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determining whether to accept or continue an engagement for a particular client. In making this determination, the service auditor needs to consider whether the preconditions for accepting an examination as discussed in paragraphs .26–.27 of AT-C section 105 have been met (see paragraph 2.51) (¶ 2.36 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • has determined that the engagement to be performed meets all the preconditions for an attestation engagement. (See paragraph 2.51.) (¶ 2.38 c., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • has considered the integrity of the client and does not have information that would lead it to conclude that the client lacks integrity. (¶ 2.37 c., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • However, if the service auditor and the engaging party are unable to agree to a change of the terms of the SOC 2 examination, the service auditor and management may agree to continue the engagement in accordance with the original terms or mutually agree to terminate the engagement. If management doe… (¶ 2.83, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If, after using professional judgment, the service auditor believes there is reasonable justification to change the terms of the engagement from those originally agreed on, the service auditor may continue with the engagement and issue an appropriate report on the service organization's system. Para… (¶ 2.82, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .29 of AT-C section 105, the service auditor should accept or continue an engagement to examine and report on controls at a service organization only if the preconditions for an attestation engagement identified in paragraphs .26–.27 of AT-C section 105 are met: (¶ 2.51, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Determining whether to accept or continue the engagement (¶ 2.195 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • has determined that the engagement to be performed meets all the preconditions for an attestation engagement (see also paragraphs .24–.25); and (AT-C Section 105.27 c., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Selecting the criteria to be used and stating them in the assertion (AT-C Section 320.10 b.iii., SSAE No. 18, Attestation Standards: Clarification and Recodification)