Include a section regarding in scope controls related to the system in the audit assertion's in scope system description.
CONTROL ID
14897
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description., CC ID: 14873

This Control has the following implementation support Control(s):
  • Include how the in scope system meets external requirements in the audit assertion's in scope system description., CC ID: 16502
  • Include the timing of each control in the audit assertion's in scope system description., CC ID: 14916
  • Include the nature of the control in the audit assertion's in scope system description., CC ID: 14910
  • Include the information sources used in performing the control in the audit assertion's in scope system description., CC ID: 14909
  • Include the responsible party for performing the control in the audit assertion's in scope system description., CC ID: 14907
  • Include the subject matter to which the control is applied in the audit assertion's in scope system description., CC ID: 14904


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Controls at the subservice organization may also include aspects of the subservice organization's control environment, risk assessment process, information and communications, and monitoring activities to the extent that they are relevant to controls at the service organization. The description shou… (¶ 3.44, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Because of the important effect entity-level controls may have on the operating effectiveness of controls stated in the description, the description of the system often includes disclosures about the entity-level controls designed, implemented, and operated to address the risks that would threaten t… (¶ 2.148, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Description criterion DC3 requires that service organization management include in the description an identification and discussion of the components of the system used to provide the services, including the (a) infrastructure, (b) software, (c) people, (d) procedures, and (e) data. Description crit… (¶ 3.35, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Description criterion DC5 requires that the description disclose the applicable trust services criteria (that is, those that relate to the categories addressed by the description) and the related controls designed and implemented to provide reasonable assurance that the service organization's servic… (¶ 3.45, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The description of controls at the subservice organization may also include aspects of the subservice organization's control environment, risk assessment process, information and communications, and monitoring activities to the extent that they are relevant to controls at the service organization. T… (¶ 3.61, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As part of its monitoring activities, service organization management may obtain a copy of a type 1 or type 2 report from the subservice organization if one is available. If the subservice organization's type 1 or type 2 report identifies the need for CUECs at the service organization, the descripti… (¶ 3.104, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor may consider whether to use audit sampling to select items for testing the operating effectiveness of controls. When determining the extent of tests of controls and whether sampling is appropriate, consideration is given to (a) the characteristics of the population of the control… (¶ 3.157, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When using the carve-out method, description criterion DC7 requires service organization management to include in the description certain disclosures about the use of a subservice organization, including the services provided by the subservice organization and the types of CSOCs it is expected to pe… (¶ 4.42, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If service organization management does not obtain a type 2 report from a subservice organization, its monitoring of subservice organizations may include tests performed at the subservice organization through the execution of a right-to-audit clause. In such situations, management generally will ide… (¶ 3.173, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When deviations have been identified, report users may also find it helpful for management to disclose, to the extent known, the causative factors for the deviations, the controls that mitigate the effect of the deviations, corrective actions taken, and other qualitative factors that would assist us… (¶ 4.21, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If management's responses to identified deviations are included in the description, they are usually included in the section of the description that lists the applicable control and related criteria. In these circumstances, management's response would be considered part of the description; therefore… (¶ 4.22, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management would continue to include the processes in its description and may indicate that the controls did not operate during the period covered by the examination. (¶ 4.24 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)