Determine the appropriateness of the audit assertion's in scope system description.

CONTROL ID: 16449
CONTROL TYPE: Audits and Risk Management
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description., CC ID: 14873

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to under… (¶ 1.61, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Because of the close relationship between the trust services criteria and the service organization's service commitments and system requirements, consideration of whether the principal service commitments and system requirements identified by management are appropriate for the SOC 2 examination is c… (¶ 2.69, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Do the principal system requirements address the types of risks that would have a substantial likelihood of influencing the judgments made by intended users of the service organization's services? For example, to address cybersecurity risks to users of the service organization's system that are affe… (¶ 2.70 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In any event, the service auditor needs to remember that the initial system description prepared by service organization management is ordinarily revised several times during the examination, as the service auditor's procedures provide further insight into the nature and extent of appropriate disclo… (¶ 2.116, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When the SOC 2 report is designed for a broad range of users, does the description disclose the principal service commitments that are common to such report users? For example, assume a service organization makes a general system availability commitment to all user entities but makes additional serv… (¶ 3.31 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As it relates to CUECs, the description is presented in accordance with the description criteria if the CUECs are complete, accurately described, and necessary as discussed in paragraph 3.53. When making this evaluation, the service auditor may review system documentation and contracts with user ent… (¶ 3.54, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If service organization management has referred to the communications of user entity responsibilities that relate only to specific users, the service auditor would need to consider whether other intended users of the SOC 2 report are likely to misunderstand the description. If the service auditor be… (¶ 3.57, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Qualitative factors that may affect the nature and extent of such disclosures. (See paragraph 3.86 for a more detailed discussion on qualitative factors.) (¶ 3.81 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Whether the characteristics of the presentation are appropriate, given that the description criteria allow for variations in presentation. (¶ 3.86 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When deciding how best to present controls, service organization management may select the format that best meets its objectives, the needs of its users, and its users' likely frame of reference; it may also consider the risk that use of a particular format may be misleading to users. The service au… (¶ 3.48, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The expectations the service auditor developed related to the nature and extent of disclosures that should be included in the description of the system. Examples include the following: (¶ 3.81 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)