Include commitments to third parties in the audit assertion.

CONTROL ID: 14899
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description, CC ID: 14873

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Specifying the principal service commitments made to user entities and the system requirements needed to operate the system (¶ 2.04 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Specifying the principal service commitments made to user entities and the system requirements needed to operate the system (¶ 2.168 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Relevance to compliance with laws and regulations. If the service organization is subject to requirements specified by laws or regulations related to security and the other trust services categories included within the scope of the SOC 2® examination, identified deficiencies and deviations related … (¶ 3.163 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • As discussed in the preceding paragraph, as part of its assertion, management describes the boundaries of the system and the principal service commitments and system requirements. The boundaries of a system addressed by the examination need to be clearly understood, defined, and communicated to repo… (¶ 4.112, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is responsible for establishing its service commitments and system requirements. Service commitments are the declarations made by service organization management to user entities (its customers) about the system used to provide the service. Commitments can be communic… (¶ 1.45, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to under… (¶ 1.49, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • A service organization's system of internal control is evaluated by using the trust services criteria to determine whether the service organization's controls provide reasonable assurance that its business objectives and sub-objectives are achieved. When a service organization provides services to u… (¶ 1.44, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When the description addresses privacy, service organization management discloses the service commitments and system requirements identified in the service organization's privacy notice or in its privacy policy that are relevant to the system being described. When making such disclosures, it may als… (¶ 2.61, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Disclosures about the boundaries of the system and the principal service commitments and system requirements ordinarily would be included in management's assertion or in an exhibit thereto. If management does not include those disclosures in its assertion (or in an exhibit thereto), the service audi… (¶ 4.114, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • An assertion by service organization management about whether the controls were effective throughout the period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. As part of that a… (¶ 4.111 ¶ 1(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is responsible for identifying the specific subject matter to be examined, including the components of the system used to provide the service and the boundaries of that system. Service organization management is also responsible for establishing its service commitment… (¶ 1.22, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In order to understand the service provided, the system, and the design and operation of the controls, SOC 2 report users usually require an understanding of the nature of the service organization's service commitments and system requirements. The service commitments and system requirements that are… (¶ 1.31, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As previously discussed, the trust services criteria presented in TSP section 100 are used to evaluate the effectiveness (suitability of design and operating effectiveness) of controls in a SOC 2 examination. These criteria are based on the COSO framework, which notes that "an organization adopts a … (¶ 1.55, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for establishing its service commitments and identifying its system requirements. Service commitments are the declarations made by service organization management to user entities (its customers) about the system used to provide the service. Commitments… (¶ 1.57, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • A service organization adopts a mission and vision, sets strategies, and establishes objectives to help it achieve its mission and vision based on its strategies. Management designs and implements various systems to achieve specific objectives and designs and implements controls within the systems t… (¶ 1.30, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Specifying the principal service commitments made to user entities and the system requirements needed to operate the system (¶ 2.05 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for having a reasonable basis for asserting that (a) the description of the service organization's system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable a… (¶ 2.04, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to under… (¶ 1.61, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • There is no type 1 equivalent for a SOC 3 report. In a SOC 3 examination, service organization management prepares, and includes in the SOC 3 report, a written assertion about whether the controls within the system were effective throughout the specified period to provide reasonable assurance that t… (¶ 1.74, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Obtain an understanding of the services provided by the service organization, the system used to provide them, and the service organization's service commitments and system requirements that define the engagement. (¶ 2.97 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As stated in chapter 1, service organization management is responsible for identifying and achieving the service commitments it makes to user entities as well as for the requirements of the system that will enable the service organization to achieve them. Management is also responsible for designing… (¶ 2.66, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • For a SOC 3 examination, service organization management's responsibilities are substantially the same as those for a SOC 2 examination except that management does not prepare a system description. Although management does not prepare a system description, it does disclose the boundaries of the syst… (¶ 2.190, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Specifying the principal service commitments made to user entities and the system requirements needed to operate the system (¶ 2.191 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service commitments that a service organization makes to user entities vary based on the needs of the user entities. Service organization management need not disclose every service commitment to every user entity; however, it should disclose those that are likely to be useful to the broad range … (¶ 3.27, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • identifies the service organization's service commitments and system requirements; (¶ 3.93 Bullet 1 Sub-Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • An assertion by service organization management about whether the controls were effective throughout the period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. As part of that a… (¶ 4.120 ¶ 1 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in the preceding paragraph, as part of its assertion, management describes the boundaries of the system and the principal service commitments and system requirements. The boundaries of the system addressed by the examination need to be clearly understood, defined, and communicated to re… (¶ 4.121, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Disclosures about the boundaries of the system and the principal service commitments and system requirements ordinarily would be included in management's assertion or in an exhibit thereto. If management does not include those disclosures in its assertion (or in an exhibit thereto), the service audi… (¶ 4.123, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in chapter 2, service organization management is responsible for designing, implementing, and operating the system to achieve its service commitments to user entities and the system requirements that are necessary to enable the system to achieve those commitments and comply with laws an… (¶ 3.26, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)