Determine the presentation method of the audit assertion's in scope system description.


CONTROL ID
14885
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description., CC ID: 14873

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description (¶ 2.26 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method … (¶ 2.100, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Use of the inclusive method becomes more complex when the service organization uses multiple subservice organizations. When the services of more than one subservice organization are likely to be relevant to report users, service organization management may use the inclusive method for one or more su… (¶ 2.97, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determining whether subservice organizations, if any, are to be addressed in the report using the inclusive method or the carve-out method (paragraph 2.14) (¶ 2.05 Bullet 1 Sub-Bullet 9, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description (¶ 2.32 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If the service organization uses a subservice organization, service organization management is responsible for determining whether to use the carve-out or inclusive method when addressing the subservice organization in the description of the system. Service organization management may need assistanc… (¶ 2.14, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The inclusive method is frequently difficult to implement and may not be feasible in certain circumstances. The approach entails extensive planning and communication between the service auditor, the service organization, and the subservice organization. Use of the inclusive method becomes more compl… (¶ 2.101, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • To avoid issues with the engagement, during planning, the service auditor would generally determine whether subservice organization management is willing to provide a written assertion and representation letter. In addition, in accordance with paragraph .27 of AT-C section 105, the service auditor s… (¶ 2.103, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When the subject matter of the engagement relates to only one part of a broader subject matter, paragraph .A43 of AT-C section 105 indicates that it may be appropriate for the service auditor to consider whether information about the aspect that the service auditor is asked to examine is likely to m… (¶ 2.55, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method … (¶ 2.104, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When the service organization uses subservice organizations, there may be additional considerations in the SOC 2+ examination. For example, if required controls are implemented at the subservice organization but management has elected to use the carve-out method to present the subservice organizatio… (¶ 2.187, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The lack of a description may cause some report users to misunderstand a SOC 3 report of a service organization that uses a subservice organization when the subservice organization is presented using the carve-out method. Although the use of the carve-out method is permitted, consideration should be… (¶ 2.193, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in chapter 2, when using the carve-out method, the achievement of one or more of the service organization's service commitments or system requirements is dependent on one or more controls at the subservice organization. Such controls are called complementary subservice organization cont… (¶ 3.69 ¶ 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When deciding how best to present controls, service organization management may select the format that best meets its objectives, the needs of its users, and its users' likely frame of reference; it may also consider the risk that use of a particular format may be misleading to users. The service au… (¶ 3.48, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When management has included disclosures about how the system components, including processes and controls, addressed requirements of a process or control framework and how the implemented controls met these requirements, the service auditor would consider the adequacy of those disclosures based on … (¶ 3.260, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)