
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary.


CONTROL ID: 13971
CONTROL TYPE: Process or Activity
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Accept the attestation engagement when all preconditions are met. (CC ID: 13933)

This Control has the following implementation support Control(s):
  • Review the subject matter expert's findings. (CC ID: 16559)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • If the necessary competence is not covered by the auditors in the audit team, technical experts with additional competence should be made available to support the team. (§ 5.5.4 ¶ 6, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, consultation, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 ¶ 1 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The engagement partner may decide to supplement the knowledge and skills of the engagement team with the use of specialists. Planning to use the work of a service auditor's specialist is discussed in paragraph 2.161. (¶ 2.42, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When planning a SOC 2® examination, a service auditor may decide that engaging or assigning a specialist with specific skills and knowledge is necessary to execute the planned examination. If a service auditor's specialist will be used in the SOC 2® examination, paragraph .36 of AT-C section 205 r… (¶ 2.160, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Assigning more experienced staff or using specialists (¶ 3.03 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Ascertain the nature, timing, and extent of resources necessary to perform the engagement, including the use of other service auditor's or service auditor's specialists. (¶ 2.97 i., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor may seek the assistance of a service auditor's specialist (for example, an IT specialist with experience with a system component such as an unusual or proprietary operating system) when obtaining the understanding of the system and the related processes and controls. A service au… (¶ 2.125, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When planning a SOC 2 examination, a service auditor may decide that engaging or assigning a specialist with specific skills and knowledge is necessary to execute the planned examination. If a service auditor's specialist will be used in the SOC 2 examination, paragraph .37 of AT-C section 205 state… (¶ 2.176, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Assigning more-experienced staff or using specialists (¶ 3.05 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The practitioner and the specified parties should explicitly agree to the involvement of a practitioner's external specialist if assisting a practitioner in the performance of an agreed-upon procedures engagement. (AT-C Section 215.21, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Obtain a sufficient understanding of the field of expertise of a practitioner's specialist to enable the practitioner to (AT-C Section 205.36 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)