
Include the timing of each control in the audit assertion's in scope system description.


CONTROL ID: 14916
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. (CC ID: 14897)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • When: The frequency with which the control is performed, or the timing of its occurrence (Table 3-1 Column 1 Row 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When: The frequency with which the control is performed, or the timing of its occurrence (Table 3-2 Column 1 Row 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The frequency or timing of the occurrence or performance of the control (¶ 3.97 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor may consider whether to use audit sampling to select items for testing the operating effectiveness of controls. When determining the extent of tests of controls and whether sampling is appropriate, consideration is given to (a) the characteristics of the population of the control… (¶ 3.157, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The frequency with which the control operates (¶ 3.149 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Certain types of controls, such as entity-level controls, may operate with limited frequency, such as on an annual or semiannual basis. When service organization management identifies such controls (referred to as periodic controls in this discussion) in the description of the system as relevant to … (¶ 3.176, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The length of time between the operation of the control and the examination period (For example, a control that operated one month prior to the start of the examination period is more likely to have an effect on the performance of controls during the examination period than one performed nine months… (¶ 3.177 ¶ 1 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The nature of the control and the frequency with which it operates (¶ 3.126 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management would continue to include the processes in its description and may indicate that the controls did not operate during the period covered by the examination. (¶ 4.24 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)