
Include monitoring controls in the audit assertion's in scope system description.


CONTROL ID: 16501
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description., CC ID: 14873

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • the controls at the service organization used to monitor the effectiveness of the subservice organization's controls. (¶ 2.14 Bullet 1 Sub-Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the controls at the service organization used to monitor the effectiveness of the subservice organization's controls. (¶ 2.14 Bullet 2 ¶ 1 Sub-Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Additionally, regardless of the method used, service organization management is responsible for designing, implementing, and operating controls and other activities to monitor the effectiveness of controls performed by the subservice organization; such monitoring should be described in the system de… (¶ 3.67, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Obtaining an understanding of the procedures in place at the service organization to evaluate and monitor the implementation, suitability of design, and in a type 2 examination, the operating effectiveness of the controls at the subservice organization (for example, evaluation of a service auditor's… (¶ 3.114 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Because service organization management is responsible for monitoring the suitability of design and operating effectiveness of controls at a subservice organization, the description needs to disclose the processes and controls the service organization uses to monitor the services provided by the sub… (¶ 3.103, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Reading sample contracts with subservice organizations and associated performance or service-level agreements and other documentation to understand how the service organization's contracting process addresses security-related matters; the interrelationship between the service organization and its su… (¶ 3.50 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When using the carve-out method, description criterion DC7 requires service organization management to include in the description certain disclosures about the use of a subservice organization, including the services provided by the subservice organization and the types of CSOCs it is expected to pe… (¶ 4.42, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Although a subservice organization may perform certain functions for a service organization, management of the service organization remains responsible to its user entities for performing the services it has agreed to provide, including the outsourced functions. As a result, management is responsibl… (¶ 3.168, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)