Determine the completeness of the audit assertion's in scope system description.
CONTROL ID
14883
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description., CC ID: 14873

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description (¶ 2.26 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method … (¶ 2.100, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description (¶ 2.32 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Are the principal service commitments and system requirements described in a level of detail that will enable report users to understand the evaluation of controls based on the trust services criteria? For example, disclosure of a principal service commitment to comply with privacy laws and regulati… (¶ 2.70 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Are the principal service commitments and system requirements complete? For example, in a SOC 2 examination that includes processing integrity, the service auditor would expect principal service commitments and system requirements to be identified related to completeness, validity, accuracy, timelin… (¶ 2.70 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method … (¶ 2.104, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Are the principal service commitments presented in sufficient detail for report users to understand the relationship between the controls implemented by the service organization and the service commitments and system requirements? For example, a service organization commits to implement certain syst… (¶ 3.31 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In addition to describing only controls that have been implemented, the description should provide sufficient details about each control to enable report users, particularly user entities and business partners, to understand how each control may affect their interactions with the service organizatio… (¶ 3.46, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As it relates to CUECs, the description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and necessary as discussed in paragraph 3.53. When making this evaluation, the service auditor may review system documentation and contracts with user ent… (¶ 3.54, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The description of the services provided by a subservice organization should be prepared at a level of detail that could reasonably be expected to meet the common informational needs of the broad range of report users. The following is an example of a description of a service organization that uses … (¶ 3.65 ¶ 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If the service auditor believes that the changes would be considered significant by the broad range of report users, those changes would generally be included in the description. The narrative discussing the change would be expected to contain an appropriate level of detail, including the date the c… (¶ 3.75, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The expectations the service auditor developed related to the nature and extent of disclosures that should be included in the description of the system. Examples include the following: (¶ 3.81 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)