Guide: SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
By AICPA

Table of Contents

1  Introduction and Background  .01-.77
    Introduction  .01-.06
    Intended Users of a SOC 2® Report  .07-.13
    Overview of a SOC 2® Examination  .14-.17
    Contents of the SOC 2® Report  .18-.49
        Definition of a System  .19-.20
        Boundaries of the System  .21-.23
        Time Frame of Examination  .24
        Difference Between Privacy and Confidentiality  .25-.26
        Criteria for a SOC 2® Examination  .27-.43
        The Service Organization's Service Commitments and System Requirements  .44-.49
    SOC 2® Examination That Addresses Additional Subject Matters and Additional Criteria  .50-.54
    SOC 3® Examination  .55-.58
    Other Types of SOC Examinations: SOC Suite of Services  .59-.68
        SOC 1® - SOC for Service Organizations: ICFR  .60-.62
        SOC for Cybersecurity  .63-.68
    Professional Standards  .69-.76
        Attestation Standards  .70-.72
        Code of Professional Conduct  .73
        Quality in the SOC 2® Examination  .74-.76
    Definitions  .77

2  Accepting and Planning a SOC 2® Examination  .01-.172
    Introduction  .01-.02
    Understanding Service Organization Management's Responsibilities  .03-.29
        Management Responsibilities Prior to Engaging the Service Auditor  .04-.25
        Management Responsibilities During the Examination  .26-.28
        Management's Responsibilities During Engagement Completion  .29
    Responsibilities of the Service Auditor  .30
    Engagement Acceptance and Continuance  .31-.34
    Independence  .35-.38
    Competence of Engagement Team Members  .39-.42
    Preconditions of a SOC 2® Engagement  .43-.65
        Determining Whether the Subject Matter Is Appropriate for the SOC 2® Examination  .44-.48
        Determining Whether Management Is Likely to Have a Reasonable Basis for Its Assertion  .49-.56
        Assessing the Suitability and Availability of Criteria  .57-.58
        Assessing the Appropriateness of the Service Organization's Principal Service Commitments and System Requirements Stated in the Description  .59-.65
    Requesting a Written Assertion and Representations From Service Organization Management  .66-.69
    Agreeing on the Terms of the Engagement  .70-.90
        Accepting a Change in the Terms of the Examination  .75-.78
        Additional Considerations for a Request to Extend or Modify the Period Covered by the Examination  .79-.90
    Establishing an Overall Examination Strategy for and Planning the Examination  .91-.109
        Planning Considerations When the Inclusive Method Is Used to Present the Services of a Subservice Organization  .96-.103
        Considering Materiality During Planning  .104-.109
    Performing Risk Assessment Procedures  .110-.126
        Obtaining an Understanding of the Service Organization's System  .110-.119
        Assessing the Risk of Material Misstatement  .120-.126
    Considering Entity-Level Controls  .127-.131
    Understanding the Internal Audit Function  .132-.136
    Planning to Use the Work of Internal Auditors  .137-.153
        Evaluating the Competence, Objectivity, and Systematic Approach Used by Internal Auditors  .139-.144
        Determining the Extent to Which to Use the Work of Internal Auditors  .145-.147
        Coordinating Procedures With the Internal Auditors  .148-.152
        Evaluating Whether the Work of Internal Auditors Is Adequate for the Service Auditor's Purposes  .153
    Planning to Use the Work of an Other Practitioner  .154-.159
    Planning to Use the Work of a Service Auditor's Specialist  .160-.166
    Accepting and Planning a SOC 3® Examination  .167-.172

3  Performing the SOC 2® Examination  .01-.229
    Designing Overall Responses to the Risk Assessment and Obtaining Evidence  .01-.11
        Considering Materiality in Responding to the Assessed Risks and Planning Procedures  .05-.08
        Defining Misstatements in This Guide  .09-.11
    Obtaining and Evaluating Evidence About Whether the Description Presents the System That Was Designed and Implemented in Accordance With the Description Criteria  .12-.78
        The Service Organization's Service Commitments and System Requirements  .24-.29
        Disclosures About Individual Controls  .30-.32
        Disclosures About System Incidents  .33-.35
        Disclosures About Complementary User Entity Controls and User Entity Responsibilities  .36-.41
        Disclosures Related to Subservice Organizations  .42-.51
        Disclosures About Complementary Subservice Organization Controls  .52-.54
        Disclosures About Significant Changes to the System During the Period Covered by a Type 2 Examination  .55-.56
        Changes to the System That Occur Between the Periods Covered by a Type 2 Examination  .57-.58
        Procedures to Obtain Evidence About the Description  .59-.63
        Considering Whether the Description Is Misstated or Otherwise Misleading  .64-.68
        Identifying and Evaluating Description Misstatements  .69-.71
        Materiality Considerations When Evaluating Whether the Description Is Presented in Accordance With the Description Criteria  .72-.78
    Obtaining and Evaluating Evidence About the Suitability of the Design of Controls  .79-.105
        Additional Considerations for Subservice Organizations  .88-.91
        Multiple Controls Are Necessary to Address an Applicable Trust Services Criterion  .92-.93
        Multiple Controls to Achieve the Service Organization's Service Commitments and Service Requirements Based on the Same Applicable Trust Services Criterion  .94
        Procedures to Obtain Evidence About the Suitability of Design of Controls  .95-.100
        Identifying and Evaluating Deficiencies in the Suitability of Design of Controls  .101-.105
    Obtaining and Evaluating Evidence About the Operating Effectiveness of Controls in a Type 2 Examination  .106-.114
        Designing and Performing Tests of Controls  .110-.114
    Nature of Tests of Controls  .115-.130
        Evaluating the Reliability of Information Produced by the Service Organization  .121-.130
    Timing of Tests of Controls  .131-.133
    Extent of Tests of Controls  .134-.139
    Testing Superseded Controls  .140-.141
    Using Sampling to Select Items to Be Tested  .142-.146
        Selecting Items to Be Tested  .145-.146
    Additional Considerations Related to Risks of Vendors and Business Partners  .147-.151
    Additional Considerations Related to CSOCs  .152-.155
    Considering Controls That Did Not Need to Operate During the Period Covered by the Examination  .156
    Identifying and Evaluating Deviations in the Operating Effectiveness of Controls  .157-.160
    Materiality Considerations When Evaluating the Suitability of Design and Operating Effectiveness of Controls  .161-.165
    Using the Work of the Internal Audit Function  .166-.177
    Using the Work of a Service Auditor's Specialist  .178-.180
    Revising the Risk Assessment  .181
    Evaluating the Results of Procedures  .182-.189
    Responding to and Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Design or Operating Effectiveness of Controls  .190-.196
        Known or Suspected Fraud or Noncompliance With Laws or Regulations  .190-.192
        Communicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies  .193-.196
    Obtaining Written Representations  .197-.212
        Requested Written Representations Not Provided or Not Reliable  .209-.211
        Representations From the Engaging Party When Not the Responsible Party  .212
    Subsequent Events and Subsequently Discovered Facts  .213-.220
        Subsequent Events Unlikely to Have an Effect on the Service Auditor's Report  .220
    Documentation  .221-.225
    Considering Whether Service Organization Management Should Modify Its Assertion  .226-.229

4  Forming the Opinion and Preparing the Service Auditor's Report  .01-.119
    Responsibilities of the Service Auditor  .01-.03
    Forming the Service Auditor's Opinion  .04-.14
        Concluding on the Sufficiency and Appropriateness of Evidence  .05-.09
        Considering Uncorrected Description Misstatements and Deficiencies  .10-.12
        Expressing an Opinion on Each of the Subject Matters in the SOC 2® Examination  .13-.14
    Describing Tests of Controls and the Results of Tests in a Type 2 Report  .15-.30
        Describing Tests of Controls and Results When Using the Internal Audit Function  .23-.27
        Describing Tests of the Reliability of Information Produced by the Service Organization  .28-.30
    Preparing the Service Auditor's SOC 2® Report  .31-.41
        Elements of the Service Auditor's SOC 2® Report  .31-.32
        Requirement to Restrict the Use of the SOC 2® Report  .33-.35
        Reporting When the Service Organization's Design of Controls Assumes Complementary User Entity Controls  .36-.38
        Reporting When the Service Organization Carves Out the Controls at a Subservice Organization  .39-.41
    Reporting When the Service Auditor Assumes Responsibility for the Work of an Other Practitioner  .42
    Modifications to the Service Auditor's Report  .43-.67
        Qualified Opinion  .51-.53
        Adverse Opinion  .54-.55
        Scope Limitation  .56-.60
        Disclaimer of Opinion  .61-.67
    Report Paragraphs Describing the Matter Giving Rise to the Modification  .68-.88
        Illustrative Separate Paragraphs When There Are Material Misstatements in the Description  .68-.78
        Illustrative Separate Paragraphs: Material Deficiencies in the Suitability of Controls  .79-.82
        Illustrative Separate Paragraphs: Material Deficiencies in the Operating Effectiveness of Controls  .83-.88
    Other Matters Related to the Service Auditor's Report  .89-.93
        Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs  .89-.90
        Distribution of the Report by Management  .91-.93
    Service Auditor's Recommendations for Improving Controls  .94
    Other Information Not Covered by the Service Auditor's Report  .95-.104
    Illustrative Type 2 Reports  .105-.106
    Preparing a Type 1 Report  .107-.109
    Forming the Opinion and Preparing a SOC 3® Report  .110-.119
        Elements of the SOC 3® Report  .110-.115
        Elements of the Service Auditor's Report  .116-.118
        Illustrative SOC 3® Management Assertion and Service Auditor's Report  .119

Supplement A: 2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report
Supplement B: 2018 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

Appendix A: Information for Service Organization Management
Appendix B: Comparison of SOC 1®, SOC 2®, and SOC 3® Examinations and Related Reports
Appendix C: Illustrative Comparison of a SOC 2® Examination and Related Report With the Cybersecurity Risk Management Examination and Related Report
Appendix D:
    D-1  Illustrative Management Assertion and Service Auditor's Report for a Type 2 Examination (Carved-Out Controls of a Subservice Organization and Complementary Subservice Organization and Complementary User Entity Controls)
    D-2  Illustrative Service Organization and Subservice Organization Management Assertions and Service Auditor's Report for a Type 2 Examination (Subservice Organization Presented Using the Inclusive Method and Complementary User Entity Controls)
    D-3  Illustrative Service Auditor's Report for a Type 2 Examination in Which the Service Auditor Disclaims an Opinion Because of a Scope Limitation
    D-4  Illustrative Type 2 Report (Including Management's Assertion, Service Auditor's Report, and the Description of the System)
Appendix E: Illustrative Management Assertion and Service Auditor's Report for a Type 1 Examination
Appendix F: Illustrative Management Assertion and Service Auditor's Report for a SOC 3® Examination
Appendix G:
    G-1  Illustrative Management Representation Letter for Type 2 Engagement
    G-2  Illustrative Management Representation Letter for Type 1 Engagement
Appendix H: Performing and Reporting on a SOC 2® Examination in Accordance With International Standards on Assurance Engagements (ISAEs) or in Accordance With Both the AICPA's Attestation Standards and the ISAEs
Appendix I: Definitions

Index of Pronouncements and Other Technical Guidance
Subject Index

About the Author

Founded in 1887, the American Institute of Certified Public Accountants (AICPA) represents the CPA and accounting profession nationally and globally regarding rule-making and standard-setting, and serves as an advocate before legislative bodies, public interest groups and other professional organizations. The AICPA develops standards for audits of private companies and other services by CPAs; provides educational guidance materials to its members; develops and grades the Uniform CPA Examination; and monitors and enforces compliance with the accounting profession's technical and ethical standards. The AICPA's founding established accountancy as a profession distinguished by rigorous educational requirements, high professional standards, a strict code of professional ethics, a licensing status and a commitment to serving the public interest.
