Include the nature of the control in the audit assertion's in scope system description.


CONTROL ID: 14910
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Include a section regarding in scope controls related to the system in the audit assertion's in scope system description., CC ID: 14897

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • How: The nature of the activity performed, including sources of information used in performing the control (Table 3-1 Column 1 Row 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • How: The nature of the activity performed, including sources of information used in performing the control (Table 3-2 Column 1 Row 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Whether the control is manual (that is, relies on performance by an individual) or automated (¶ 3.126 Bullet 7, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The complexity of the control and the significance of the judgments that would be made in connection with its operation (¶ 3.126 Bullet 8, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • By whom or by what means the control was applied (Is the control automated or manual? Has there been high turnover of the personnel in the position that performs the control, and is the control being performed by an inexperienced person?) (¶ 3.128 a.iii., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Determine whether the controls to be tested depend on the operating effectiveness of other controls and, if so, whether it is necessary to obtain evidence supporting the operating effectiveness of those controls. (¶ 3.128 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor may consider whether to use audit sampling to select items for testing the operating effectiveness of controls. When determining the extent of tests of controls and whether sampling is appropriate, consideration is given to (a) the characteristics of the population of the control… (¶ 3.157, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If management determines periodic controls are relevant to the achievement of service commitments and system requirements for the current examination period, management would include in the description information about the design of the periodic controls and may also include the most recent history… (¶ 3.177 ¶ 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The nature of the control and the frequency with which it operates (¶ 3.126 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)