Include how the in scope system meets external requirements in the audit assertion's in scope system description.


CONTROL ID: 16502
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Include a section regarding in scope controls related to the system in the audit assertion's in scope system description., CC ID: 14897

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • In other situations, management may include such disclosures in the description of the system. This is likely to be the case when management has identified a principal service commitment or system requirement related to the process or control framework. In this situation, management would generally … (¶ 1.66, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Because the process or control framework represents additional criteria, in accordance with paragraph .10 of AT-C section 205, the service auditor should request that management's written assertion also address its evaluation of whether the controls implemented by the service organization met the re… (¶ 2.189, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Each of the applicable trust services criteria that are intended to be met by controls at the subservice organization (¶ 3.64 ¶ 1 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Description criterion DC8 requires the description to disclose any specific applicable trust services criterion that is not relevant to the system being described and the reasons it is not relevant. One way a trust services criterion may not be relevant is if it does not apply to the system being ex… (¶ 3.72, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor designs and performs procedures to obtain sufficient and appropriate evidence to form an opinion on whether the controls were implemented to meet the requirements of the process or control framework. In most situations, the controls identified by management in the description wil… (¶ 3.265, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)