
Controls_SOC2

04 July 2015
08:52:57

ID | Controls_SOC2 | Control_Guidance

1 | 1.35.a | The system description, when addressing privacy controls, must contain the types of personal information that is collected or obtained and how the information is collected or obtained, in order to meet the criteria for being fairly presented.
2 | 1.35.e.vii | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a description of the process for determining if personal information is complete and accurate and how the correction process is implemented, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
3 | 1.35.e.vii | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a description of the process for determining if personal information is complete and accurate and how the correction process is implemented, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
4 | 1.35.e.iv | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that personal information will be kept for a period no longer than necessary, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
Page 1 of 36


5 | 1.35.e.v | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that personal information is disposed of in a way that prevents misuse, theft, loss, or unauthorized access, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
6 | 1.35.e | The system description, when addressing privacy controls, must contain a statement on how the privacy notice is communicated to individuals, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to the individuals.
7 | 1.35.e | The system description, when addressing privacy controls, must contain a statement that the user entities are responsible for providing the notice to the individuals, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
8 | 1.35.e.vi | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include how the organization supports the process the user entity uses to allow individuals to review, update, and correct personal information, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
9 | 1.35.e.vii | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a description of the process for determining if personal information is complete and accurate and how the correction process is implemented, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.


10 | 1.35.e.viii | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include how complaints, questions, and disputes about personal information are handled by the organization, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
11 | 1.40 | The service auditor should conduct procedures that are related to any additional subject matter the service organization requests.
12 | 3.46 | The service auditor should test the operating effectiveness of the controls stated in the system description that are needed to meet the applicable trust services criteria throughout the named time period, for a type 2 engagement.
13 | 3.64 | The service auditor should test the operating effectiveness of controls that are effective during the period covered by the audit report and determine if they have operated often enough to be assessed.
14 | 3.72 | The service auditor should test superseded controls before they are changed and the new controls after the change, when changes are made during the period that are relevant to the applicable trust services criteria and the changes are considered significant by the users.
15 | 2.27 | The service auditor should determine what test procedures to perform and when a test result will be a deviation, before the service auditor begins testing controls and compliance.
16 | 3.63 | The service auditor should consider audit sampling for obtaining reasonable assurance about the operating effectiveness of the control, when the control operates often.
17 | 3.70 | The service auditor should consider the nature of the controls, the frequency of their application, and the expected deviation rate when determining the extent of tests and if sampling is appropriate.
18 | 3.74 | The service auditor should determine the extent of performing tests to detect material noncompliance with the privacy commitments.

19 | 3.71 | The service auditor's tests should identify the applicable trust services criteria for which tests have not been conducted and the reason that the tests have not been conducted, when the control did not operate during the examination period.
20 | 3.02 Bullet 5 | The service auditor may perform walkthroughs to evaluate if the system description is fairly presented.
21 | 3.29 Bullet 2 | The system description should identify any parts of the personal information lifecycle for which the subservice organization has responsibility, when the carve-out method is used.
22 | 2.01 Bullet 3 | Management of the service organization must determine which type of engagement to perform, what principle(s) to look at, the scope, and if any subservice organizations will be included in or carved out of the description and service auditor's report.
23 | 2.02 Bullet 1 | The service auditor must either accept or continue the engagement.
24 | 2.02 Bullet 2 | The service auditor must read the system description and gain an understanding of the system.
25 | 2.03.c.i | The service auditor should accept or continue an engagement only if the preliminary engagement knowledge indicates that the criteria for use will be suitable and available to the report's intended users.
26 | 4.24 | The service auditor should request that management include omitted criteria and controls in the system description, and, if management refuses, the service auditor should disclaim an opinion or withdraw from the engagement.
27 | 3.96 | The service auditor should withdraw from the engagement or disclaim an opinion, if management refuses to provide representations to reaffirm its assertion or representations that it has furnished all of the information and access that was agreed to.


28 | 3.102 | The service auditor is not required to stay informed of subsequent events before the date of the service auditor's report. If the service auditor becomes aware of conditions that might have affected management's assertion and the service auditor's report, the service auditor should evaluate this information by adapting and applying the guidance from AU section 561.
29 | 4.10 | The service auditor should adapt and apply the requirements of paragraph .27 of AU section 322, when the service auditor uses the internal audit function to provide direct assistance.
30 | 3.81 Bullet 1 | The service auditor should notify the internal auditors of their responsibilities; the procedure's objectives; and matters that may affect the timing, nature, and extent of the audit procedures, when the internal audit function is providing direct assistance to the service auditor.
31 | 1.26 | The boundaries of the system being examined for a SOC 2 engagement must be clearly defined, understood, and communicated.
32 | 2.04 Bullet 1 | The service auditor should consider the reputation and integrity of management and the significant principal owners or shareholders before accepting an engagement.
33 | 2.04 Bullet 2 | The service auditor should consider the likelihood that associating with the organization will expose the service auditor to financial loss or undue risk of damage to professional reputation, or expose report users to financial loss or misinformation, before accepting an engagement.
34 | 1.35.e.ix | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that a written security program exists and what standard or industry it is based on, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
35 | 1.32 | The service auditor's report shall not include both a type 1 opinion and a type 2 opinion.


36 | 4.02.c.iii | The service auditor's type 2 report should include the criteria to evaluate if the system description is fairly presented.
37 | 4.02.c.iv | The service auditor's type 2 report should include the applicable trust services criteria to evaluate if the controls are operating effectively and suitably designed.
38 | 4.09 | The service auditor should not reference any used work of the internal audit function in the service auditor's opinion, since the service auditor has sole responsibility for the opinion in the service auditor's report.
39 | 2.21.b | The service auditor should determine if the work of the internal audit function is likely to be adequate for the engagement by evaluating if the work is conducted with due professional care, if the service auditor intends to use their work or internal audit personnel in a direct assistance capacity.
40 | 2.22.a | The service auditor should evaluate the nature and scope of the specific work conducted by the internal audit function to determine the planned effects this work will have on the nature, timing, and extent of the service auditor's procedures.
41 | 2.22.c | The service auditor should evaluate the degree of subjectivity that is involved in evaluating evidence to support the conclusions to determine the planned effect of the internal audit function's work on the nature, timing, and extent of the service auditor's procedures.
42 | 3.79.b | The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether it was properly supervised, reviewed, and documented, to determine if it is adequate for the service auditor's purposes.
43 | 3.81 Bullet 2 | The service auditor should supervise, evaluate, review, and test the work conducted by the internal auditors that are providing direct assistance to the service auditor.
44 | 3.79.e | The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether unusual matters or exceptions that are disclosed by the internal audit function are resolved, to determine if it is adequate for the service auditor's purposes.


45 | 2.21.a | The service auditor should determine if the work of the internal audit function is likely to be adequate for the engagement by evaluating the technical competence and objectivity of the internal audit function team members, if the service auditor intends to use their work or internal audit personnel in a direct assistance capacity.
46 | 2.21.c | The service auditor should determine if the work of the internal audit function is likely to be adequate for the engagement by evaluating the likelihood that effective communication will occur between the internal audit function and the service auditor, if the service auditor intends to use their work or internal audit personnel in a direct assistance capacity.
47 | 3.79.a | The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether it was performed by personnel who have adequate technical training and proficiency, to determine if it is adequate for the service auditor's purposes.
48 | 2.05 | The service auditor is not required to review a previous service auditor's working papers, if the previous service auditor issued an audit report.
49 | 2.03.c.iii | The service auditor should accept or continue an engagement only if the preliminary knowledge indicates that the scope and system description will not be limited.
50 | 3.79.c | The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether enough evidence was obtained to draw reasonable conclusions, to determine if it is adequate for the service auditor's purposes.
51 | 2.03.b | The service auditor should accept or continue an engagement only if the service auditor is independent in all matters that relate to the engagement.
52 | 2.08 | The service auditor is not required to be independent of the service organization's users.
53 | 2.28 | An engagement letter is required to establish an understanding with the client about the services that need to be performed.


54 | 2.29 | The engagement letter should include the objectives, the services that will be provided, the service auditor's responsibilities, management's responsibilities, and the limitations of the engagement.
55 | 2.02 Bullet 3 | The service auditor must establish an understanding with the organization's management, usually via an engagement letter, about what services will be performed and the responsibilities of the service auditor and management.
56 | 2.03.c.ii | The service auditor should accept or continue an engagement only if the preliminary knowledge indicates that the service auditor will have access to the evidence needed to conduct the engagement.
57 | 2.03.a | The service auditor should accept or continue an engagement only if the service auditor has the appropriate competence and capabilities.
58 | 2.03.a.i | The service auditor must have the technical proficiency and technical training to perform an attestation engagement.
59 | 2.03.a.ii | The service auditor must have adequate knowledge of the subject matter to continue or accept an engagement.
60 | 2.03.a.iv | The service auditor must have knowledge of the organization's business and industry.
61 | 2.03.a.v | The service auditor must have appropriate knowledge of technology and systems.
62 | 2.03.a.vi | The service auditor must have experience evaluating risks that are related to the suitability of the control design.
63 | 2.03.a.vii | The service auditor must have experience evaluating the design of information technology controls and manual controls, conducting tests on the controls, and evaluating the test results.
64 | 2.03.b | The service auditor should accept or continue an engagement only if the service auditor exercises due professional care while planning and conducting the engagement and preparing the audit report.
65 | 2.22.b | The service auditor should evaluate the significance of the internal audit function's work to the service auditor's conclusions to determine the planned effects this work will have on the nature, timing, and extent of the service auditor's procedures.

66 | 3.79.d | The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether appropriate conclusions are reached and reports are consistent with the work results, to determine if it is adequate for the service auditor's purposes.
67 | 3.32 | The service auditor should agree that a reasonable justification exists and the requirements for acceptance and continuance are still met before making a change in the scope that management requests.
68 | 3.33 | The service auditor should disclaim an opinion if the change in scope request is due to management refusing to provide a written representation or written assertion after agreeing to provide it.
69 | 3.04 | The description of the control should include who is responsible, the frequency or timing of the control, the nature of the activity, and what the control is applied to.
70 | 2.23(a) | The service auditor should evaluate materiality with respect to the fair presentation of the system description.
71 | 2.23(b) | The service auditor should evaluate materiality with respect to the suitability of the design of the controls.
72 | 2.23(c) | The service auditor should evaluate materiality with respect to the controls' operating effectiveness for a type 2 engagement.
73 | 2.23(d) | The service auditor should evaluate materiality with respect to the organization's compliance with its privacy practices statement, for type 2 engagements that address the privacy principle.
74 | 3.49 | The service auditor should consider materiality when evaluating if the controls are operating effectively to meet the applicable trust services criteria.
75 | 3.99 | The service auditor should ask if management is aware of any subsequent events that could have a significant effect on management's assertion and the subject matter of the assertion.


76 | 3.27 Bullet 7 | The service organization should obtain evidence that the subservice organization is complying with the privacy commitments it made with the organization, when the inclusive method is used.
77 | 1.35.d | The system description, when addressing privacy controls, must contain a statement that the privacy notice was prepared in compliance with the requirements of the applicable trust services criteria, in order to meet the criteria for being fairly presented, if the service organization provides the privacy notice to the individuals.
78 | 1.27 | The system boundaries should include all the system components as they relate to the personal information life cycle in informal ad hoc procedures and well-defined processes, when the SOC 2 engagement addresses the privacy principle.
79 | 3.86 | The service auditor should reassess the risk that the system description is not fairly presented; controls are not suitably designed and are not operating effectively; and the service organization has not complied with the privacy practices statement, when the service auditor becomes aware that identified deviations resulted from intentional acts by the service organization's personnel.
80 | 3.87 | The service auditor should determine the effect of noncompliance incidents with laws and regulations or adverse events that are not detected or prevented with controls on the system description, the suitability of design and operating effectiveness, compliance with the privacy practices statement, and the service auditor's report.
81 | 3.29 Bullet 5 | The system description should identify the types of activities the subservice organization must conduct to comply with the service organization's privacy practices, when the carve-out method is used and the system description addresses the privacy principle.
82 | 1.35.e | The system description, when addressing privacy controls, must contain a statement on how the privacy notice is communicated to individuals, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to the individuals.


83 | 3.85 | The service auditor should determine whether deviations from intentional acts, noncompliance with laws and regulations, and other adverse events that are not detected or prevented by a control should be communicated to affected user entities and if the communication has already occurred.
84 | 1.17 | The statement of privacy practices should be attached to or included in the description, when the audit report addresses the privacy principle.
85 | 1.40 | The service auditor should include the description of the scope and the related opinion on the additional subject matter in separate paragraphs of the service auditor's report.
86 | 1.40 | The service auditor may include any additional tests and the detailed results in a separate attachment to the service auditor's report.
87 | 4.01 Bullet 1 | The service auditor must prepare the service auditor's report with all the items listed in paragraph 4.02 and change it, as necessary.
88 | 4.10 | The part of the service auditor's report that describes the control tests and results should include a description of the internal auditor's work and the service auditor's procedures, if the work was used in performing the tests.
89 | 4.14 | The service auditor should consider the individual and aggregate effect of identified deviations in the system description and the suitability and operating effectiveness during the named time period, when determining whether to change the service auditor's report.
90 | 2.03.a.iii | The service auditor must have reasons for believing that the subject matter may be evaluated against criteria appropriate for the intended use, in order to accept or continue the engagement.
91 | 2.13.a | The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for preparing the system description and assertion.
92 | 2.13.b | The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing a written assertion.


93 | 2.13.c | The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for having a reasonable basis for the assertion.
94 | 2.05 | The service auditor may gather information about the matters in paragraph 2.04 by talking with the previous service auditor about the reasons for changing the service auditor and any disagreements between the auditor and organization.
95 | 2.13.e.i | The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing the service auditor with access to all required information.
96 | 2.13.e.ii | The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing the service auditor with any information the service auditor requests for the examination.
97 | 2.13.e.iii | The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing the service auditor with unrestricted access to organizational personnel.
98 | 2.01 Bullet 1 | The service organization's management must prepare the system description.
99 | 2.01 Bullet 2 | Management of the service organization must provide a written assertion.
100 | 2.01 Bullet 4 | Management of the service organization must provide written representations at the end of the engagement and, if the inclusive method is used, management of the service organization and the subservice organization agree to provide these written representations.
101 | 3.27 Bullet 8 | The service organization should obtain a written assertion from the subservice organization that includes the items listed in paragraphs 1.17.a(ii)(1) through 1.17.a(ii)(4) for a type 2 report and paragraphs 1.17.b(ii)(1) through 1.17.b(ii)(2) for a type 1 report, when the inclusive method is used.


102 | 3.27 Bullet 9 | The service organization should obtain a written representation from the subservice organization about the items listed in paragraph 3.90, when the inclusive method is used.
103 | 3.27 Bullet 9 | The service auditor should obtain written representations about the items in paragraph 3.90 that are relevant to the furnished services, when the inclusive method is used.
104 | 3.90.a | The service auditor should request that management provide a written representation reaffirming the assertion that is attached to the system description.
105 | 3.91 | The service auditor should obtain written representations from the subservice organization addressing the items in paragraph 3.90, when the system description uses the inclusive method and the service organization uses a subservice organization.
106 | 3.94 | The written representations should be a representation letter that is addressed to the service auditor, signed by individuals identified by the service auditor, and dated with the same date as the service auditor's report.
107 | 3.28 Bullet 1 | The service auditor should evaluate if the system description, including the relevant aspects of the system furnished by the subservice organization, is fairly presented, when the inclusive method is used.
108 | 3.28 Bullet 2 | The service auditor should evaluate the suitability of the control design at the subservice organization, when the inclusive method is used.
109 | 1.34.a.i | The system description must contain the types of services provided, in order for it to meet the criteria for being fairly presented.
110 | 1.34.a.ii(1) | The system description must contain the hardware components and physical components of the system providing the services, in order for it to meet the criteria for being fairly presented.
111 | 1.34.a.ii(2) | The system description must contain the operating system and the programs of the system providing the services, in order for it to meet the criteria for being fairly presented.


112 | 1.34.a.ii(3) | The system description must contain the personnel who are involved in the use and operation of the system providing the service, in order for it to meet the criteria for being fairly presented.
113 | 1.34.a.ii(5) | The system description must contain the information that is used and supported by the system providing the services, in order for it to meet the criteria for being fairly presented.
114 | 1.34.a.viii(1) | The system description must include the nature of the services the subservice organization provides, when the carve-out method is used, in order to meet the criteria for being fairly presented.
115 | 3.29 Bullet 1 | The system description should identify the nature of the services furnished by the subservice organization, when the carve-out method is used.
116 | 1.34.a.iv | The system description must include how the system captures and addresses significant conditions and events, in order to meet the criteria for being fairly presented.
117 | 1.13 | Management of the service organization should include all of the description criteria from paragraphs 1.34 and 1.35 in its assertion.
118 | 1.14 | The service auditor should determine if the description includes all of the applicable trust services criteria.
119 | 1.34.a.v | The system description must include the process the organization uses to prepare and deliver reports to other parties and user entities, in order to meet the criteria for being fairly presented.
120 | 1.35.b(i) | The system description, when addressing privacy controls, must contain the process to identify the laws and regulations and the specific requirements in agreements applicable to personal information, in order to meet the criteria for being fairly presented.
121 | 1.35.b(ii) | The system description, when addressing privacy controls, must contain the process used to implement the controls and practices to meet the legal and agreement requirements, in order to meet the criteria for being fairly presented.


122 | 1.35.d | The system description, when addressing privacy controls, must contain a statement that the privacy notice was prepared in compliance with the requirements of the applicable trust services criteria, in order to meet the criteria for being fairly presented, if the service organization provides the privacy notice to the individuals.
123 | 1.35.e | The system description, when addressing privacy controls, must contain a statement that the user entities are responsible for providing the notice to the individuals, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
124 | 1.35.e.i | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a summary of the significant requirements that are common to most agreements between the organization and the user entities, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
125 | 1.35.e.i | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include the requirements in the user entities' agreements that the service organization meets for all or most user entities, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
126 | 1.35.e.ii | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a summary of the significant requirements that are mandated by law, regulation, market, or industry and not included in the agreements, but that the service organization complies with for all or most user entities, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.


127 | 1.35.e.iii | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include the purposes, uses, and disclosures of personal information that are allowed in the agreements, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
128 | 1.35.e.iv | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that personal information will be kept for a period no longer than necessary, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
129 | 1.35.e.v | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that personal information is disposed of in a way that prevents misuse, theft, loss, or unauthorized access, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.
130 | 1.35.e.vi | The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include how the organization supports the process the user entity uses to allow individuals to review, update, and correct personal information, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

131 1.35.e.vii

The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities, and the privacy practice statement must include a description of the process for determining if personal information is complete and accurate and how the correction process is implemented, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

132 1.35.e.viii

The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities, and the privacy practice statement must include how complaints, questions, and disputes about personal information are handled by the organization, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

133 1.35.e.ix

The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities, and the privacy practice statement must include a statement that a written security program exists and what standard or industry it is based on, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

134 1.35.e.x

The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities, and the privacy practice statement must include any other relevant information about privacy practices that is appropriate for user entities, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

135 1.34.a.x

The system description must include the aspects of the risk assessment process, control environment, communication systems, information systems, and monitoring of controls that are relevant to the applicable trust services criteria and the provided services, in order to meet the criteria for being fairly presented.

136 3.10

The service auditor should ask if there were any changes made to the system and, if the service auditor believes the changes are significant to the users, determine if they are included in the system description at an appropriate level of detail, including the date of the change and how the system is different.

137 1.34.b

The system description must not distort or omit information that is relevant to the system, and it must acknowledge that the description covers a wide range of users and may not contain aspects that individual users may consider important to their personal needs, in order to meet the criteria for being fairly presented.

138 3.19

The service auditor should consider whether significant system aspects and processing aspects are included, or whether relevant information was distorted or omitted, when evaluating the fair presentation of the system description.

139 3.27 Bullet 3

The service organization should obtain and evaluate evidence that the parts of the system description furnished by the subservice organization are fairly presented, when the inclusive method is used.

140 1.13

The service auditor should determine if the description meets the description criteria located in paragraphs 1.34 and 1.35, when evaluating the fairness of the presentation of the system description.

141 1.17.b.ii(1)

The type 1 report must include a written assertion about whether the system description fairly presents the system that was designed and implemented as of the named date.

142 1.34.a.iii

The system description must include the system boundaries or system aspects, in order to meet the criteria for being fairly presented.

143 1.34.a.vii(1)

The system description must include the applicable trust services criteria and the controls designed to meet the criteria for each principle being reported on, including the complementary user entity controls, in order to meet the criteria for being fairly presented.

144 1.34.a.vii(2)

The system description must include the applicable trust services criteria and the controls designed to meet the criteria for each principle being reported on, including the controls at the subservice organization if the inclusive method is used, in order to meet the criteria for being fairly presented.

145 1.34.a.viii(2)

The system description must include, when the carve-out method is used, each applicable trust services criterion being met by controls at the subservice organization, either alone or in combination with the organization, and the controls expected to be implemented to meet the criteria, in order to meet the criteria for being fairly presented.

146 1.34.a.xi

The system description must contain, for type 2 reports, details of any system changes during the period the description covers, in order to meet the criteria for being fairly presented.

147 1.35.c.i

The system description, when addressing privacy controls and using the carve-out method, must contain the parts of the personal information life cycle that the subservice organization has responsibility for, in order to meet the criteria for being fairly presented.

148 2.09

The service auditor should consider the scope of the system, the functions, how the subservice organizations are used, how the information is presented, the relevance of the trust services principles, and the time period of the report when determining whether to accept or continue an engagement.

149 3.01

The service auditor should read the system description and determine if it is fairly presented.

150 3.02 Bullet 1

The service auditor may read service level agreements and contracts to determine if the system description is fairly presented.

151 3.02 Bullet 2

The service auditor may obtain an understanding of the laws and regulations that are relevant to the services being provided to evaluate if the system description is fairly presented.

152 3.02 Bullet 3

The service auditor may observe the procedures being performed by personnel to evaluate if the system description is fairly presented.

153 3.02 Bullet 4

The service auditor may read policy manuals, procedure manuals, and other system documentation to evaluate if the system description is fairly presented.

154 3.02 Bullet 6

The service auditor may obtain a list of the user entities and determine how the provided services are likely to affect the user entities to evaluate if the system description is fairly presented.

155 3.02 Bullet 7

The service auditor may discuss with management the content of the assertion and the system description to evaluate if the system description is fairly presented.

156 3.02 Bullet 8

The service auditor may read reports from the internal audit function to evaluate if the system description is fairly presented.

157 3.06

The system description is not fairly presented if it implies or states that elements that do not exist actually exist, implies or states that controls are being performed when they are actually not being performed, or if it intentionally or inadvertently distorts or omits relevant system information.

158 3.08

The service auditor should determine if the system description includes all major parts of the system that are in the scope of the engagement, when evaluating if the system description materially omits information that is relevant to users.

159 3.09

The service auditor should determine if the system description clearly delineates the boundaries of the system that are included in the scope.

160 3.22

The service auditor should ask questions and read documents to evaluate whether the complementary user entity controls are adequately described in the system description.

161 2.01 Bullet 5

Management of the service organization must have a reasonable basis for its written assertion.

162 3.27 Bullet 5

The service organization should evaluate the suitability of the control design at the subservice organization, when the inclusive method is used.

163 3.13

The service auditor should determine if the controls stated in the system description have been implemented.

164 3.14

The service auditor may perform a walkthrough inspection to determine if the controls have been implemented.

165 3.27 Bullet 4

The service organization should obtain evidence that the described controls are implemented at the subservice organization, when the inclusive method is used.

166 1.21

The system description should separately identify the complementary user entity controls that are needed to meet the applicable trust services criteria and the criteria that cannot be met by the organization's controls alone.

167 1.34.a.ii(4)

The system description must contain the manual procedures and automated procedures involved in operating the system that provides the services, in order for it to meet the criteria for being fairly presented.

168 1.34.a.vi(2)

The system description must include the procedures the organization uses to determine whether the information furnished to or received from subservice organizations or other parties, along with its processing, maintenance, and storage, is subject to appropriate controls, in order to meet the criteria for being fairly presented.

169 1.35.c.ii

The system description, when addressing privacy controls and using the carve-out method, must contain the activities the subservice organization has to perform to meet the privacy commitments of the organization, in order to meet the criteria for being fairly presented.

170 1.35.f

The system description, when addressing privacy controls, must contain the service organization's statement of privacy practices, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

171 3.07

The system description should not contain any statements that cannot be objectively evaluated, in order for it to be fairly presented.

172 3.27 Bullet 6

The service organization should obtain evidence that the controls are operating effectively at the subservice organization, for a type 2 report and when the inclusive method is used.

173 3.29 Bullet 3

The system description should identify each applicable trust services criterion that will be met with controls at the subservice organization, either alone or in combination with the service organization, when the carve-out method is used.

174 3.29 Bullet 4

The system description should identify the types of controls to implement at the subservice organization, when the carve-out method is used.

175 1.12 Bullet 3

The service auditor should express an opinion on whether the controls are operating effectively to meet the applicable trust services criteria, for type 2 reports.

176 3.04

The service auditor should evaluate each control, as it is presented in the system description, to determine if it provides sufficient information for users to understand how the control affects a particular user, when determining if the system description is fairly presented.

177 3.28 Bullet 3

The service auditor should test the operating effectiveness of the controls for a type 2 report, when the inclusive method is used.

178 3.35

The service auditor should use the information and evidence that was obtained while determining if the system description is fairly presented to evaluate the suitability of the design of the controls.

179 3.37

The service auditor should evaluate whether the types of controls that will be implemented at the subservice organization are needed to meet the applicable trust services criteria, if the carve-out method is used.

180 3.28 Bullet 4

The service auditor should test the subservice organization's compliance with the service organization's privacy practices statement, when the inclusive method is used for an audit report that addresses the privacy principle.

181 3.46

The service auditor should determine the timing, nature, and extent of the tests to evaluate whether the controls are operating effectively.

182 3.50

Superseded controls should be included in the test population when the service organization implements changes to the controls during the period covered by the service auditor's report and the superseded controls could be relevant in meeting the applicable trust services criteria.

183 3.51

The service auditor should consider the type of evidence that can be obtained, whether the control is designed to meet one or more criteria, and the risk that the controls will not operate effectively, when determining the nature, timing, and extent of control tests to perform.

184 3.54.a.i

The service auditor should perform procedures and conduct interviews to obtain evidence about how a control is applied.

185 3.54.a.ii

The service auditor should perform procedures and conduct interviews to obtain evidence about the consistency with which the control was applied throughout the period.

186 3.54.a.iii

The service auditor should perform procedures and conduct interviews to obtain evidence about by whom and by what means the control was applied.

187 3.54.b

The service auditor should determine if the controls being tested depend on other controls and, if they do, determine whether it is necessary to obtain evidence to support the operating effectiveness of the other controls.

188 3.54.c

The service auditor should determine an effective method to select the test items to meet the procedure objectives.

189 3.58

The service auditor should obtain evidence about the completeness, validity, and accuracy of information produced by the information system that is furnished as a source for testing.

190 3.61

The service auditor should determine what additional testing to accomplish during the remaining period, when testing is performed at an interim period.

191 3.62

The service auditor should design and perform tests to obtain sufficient evidence that the controls are operating effectively throughout the named time period.

192 3.66

The service auditor should perform additional tests on the controls during the current period, if the service auditor intends to use evidence obtained during a prior period and the controls have changed since the last test.

193 3.67

The service auditor may decide to increase the extent of testing during the current period if deviations were identified in a prior year.

194 3.76

The service auditor should implement procedures to provide reasonable assurance that material noncompliance will be detected.

195 3.82

The service auditor should investigate the nature and causes of identified deviations.

196 3.82.b

The service auditor should investigate the nature and causes of identified deviations and determine if additional testing is needed to reach a conclusion about whether the controls operated effectively throughout the named time period.

197 3.82.a

The service auditor should investigate the nature and causes of identified deviations and determine if they are within the tolerable rate of deviation and acceptable. If they are, the testing provides a basis to conclude that the control operated effectively throughout the named time period.

198 3.82.c

The service auditor should investigate the nature and causes of identified deviations and determine if the performed testing provided a basis to conclude that the control did not operate effectively throughout the named time period.

199 3.84

The service auditor should evaluate the deficiencies that are related to the control environment or other components of internal control and determine their effect on the service auditor's opinion.

200 1.34.a.vi(1)

The system description must include how information is furnished to or received from subservice organizations or other parties and their roles, in order to meet the criteria for being fairly presented.

201 3.90.b

The service auditor should request that management provide a written representation that it has provided the service auditor with all the information and access agreed to.

202 3.90.c.i

The service auditor should request that management provide written representations that it has disclosed instances of uncorrected errors or noncompliance with laws and regulations that may affect one or more user entities.

203 3.90.c.iii

The service auditor should request that management provide a written representation that it has disclosed design deficiencies in the controls.

204 3.90.c.iv

The service auditor should request that management provide a written representation that it has disclosed instances when the controls did not operate correctly.

205 3.90.c.v

The service auditor should request that management provide written representations that it has disclosed instances of noncompliance with commitments in the privacy practices statement.

206 3.90.c.ii

The service auditor should request that management provide written representations that it has disclosed any knowledge of suspected, actual, or alleged intentional acts that could adversely affect the fairness of the system description or whether the controls were suitably designed and operating effectively to meet the applicable trust services criteria.

207 1.34.a.ix

The system description must include the applicable trust services criteria that do not have a control and the reasons those criteria do not have a control, in order to meet the criteria for being fairly presented.

208 3.90.c.vi

The service auditor should request that management provide a written representation that it has disclosed any subsequent events that could have a significant effect on the assertion, or that no subsequent events have occurred.

209 3.15

The service auditor should ask management to delete from the system description the controls that have not been implemented.

210 3.95 Bullet 1

The service auditor should discuss with management the fact that it did not provide one or more of the requested representations.

211 3.95 Bullet 2

The service auditor should evaluate the effect of management's refusal to provide the requested representations on the service auditor's integrity assessment, and evaluate the effect this may have on evidence in general and on the reliability of management's representations.

212 3.33

The service auditor should take appropriate action when the service auditor determines that a request to change the scope is intended to hide information that is relevant to the user.

213 3.95 Bullet 3

The service auditor should take appropriate actions, including disclaiming an opinion or withdrawing from the engagement, if management does not provide one or more of the requested representations.

214 3.99

The service auditor should modify the service auditor's opinion on the fairness of the system description and disclose in the service auditor's report any events that are of such significance and nature that disclosure is needed to prevent users from being misled, if the information is not disclosed by management in the system description.

215 3.37

The service auditor should consider if evidence exists that the subservice organization is aware of the requirements of the service organization with respect to the controls, if the carve-out method is used.

216 3.65

The service auditor should adapt and apply the requirements of paragraph .40 of AU section 318 if the service auditor plans on using evidence collected in a prior engagement.

217 3.104

Management is expected to change its assertion to state the deficiencies that the service auditor identified, when the service auditor identifies deficiencies that cause the service auditor to give a qualified opinion.

218 4.02.a

The service auditor's type 2 report should include the word "independent" in the title.

219 4.02.e.i

The service auditor's type 2 report should include a statement that management is responsible for preparing the system description and assertion, and the privacy practices statement when the report includes privacy controls, including their completeness, accuracy, and method of presentation.

220 4.02.e.ii

The service auditor's type 2 report should include a statement that management is responsible for providing the services that are stated in the system description.

221 4.02.e.iii

The service auditor's type 2 report should include a statement that management is responsible for selecting the trust services principle(s) that it is reporting on and stating them in the system description.

222 1.33 Bullet 1

The type 2 report for a SOC 2 engagement must contain the service auditor's opinion about whether management's system description is fairly presented.

223 2.13.d

The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for designing, documenting, and implementing suitably designed controls that are operating effectively to meet the applicable trust services criteria.

224 4.02.e.iv

The service auditor's type 2 report should include a statement that management is responsible for identifying relevant applicable trust services criteria that have been omitted from the system description and the reason for them being omitted.

225 4.02.e.v

The service auditor's type 2 report should include a statement that management is responsible for designing, implementing, and documenting controls that are operating effectively and have been suitably designed to meet the applicable trust services criteria.

226 4.02.f

The service auditor's type 2 report should include a statement that the service auditor is responsible for expressing an opinion on the fairness of the system description; the suitability of the operating effectiveness and design of the controls; and compliance with its privacy practices statement, when the audit report addresses privacy principles, based on the service auditor's examination.

227 4.02.g

The service auditor's type 2 report should include a statement that the attestation standards of the American Institute of Certified Public Accountants were used for the examination and that the standards require the service auditor to plan and perform the examination to obtain reasonable assurance that the system description is fairly presented; whether the controls are suitably designed and operating effectively throughout the named time period; and, for reports that address the privacy principle, whether the organization complied with its privacy practices statement.

228 4.02.h.i

The service auditor's type 2 report should include a statement that the examination of the system description and the design and operating effectiveness of the controls involved performing procedures to obtain evidence about the fairness of the system description.

229 4.02.h.ii

The service auditor's type 2 report should include a statement that the examination of the system description and the design and operating effectiveness of the controls involved performing procedures to obtain evidence about the suitability of the operating effectiveness and design of the controls to meet the applicable trust services criteria.

230 4.02.h.iii

The service auditor's type 2 report should include a statement that the examination of the system description and the design and operating effectiveness of the controls involved performing procedures to obtain evidence about compliance with the privacy practices statement, when the audit report covers the privacy principle.

231 1.12 Bullet 2

The service auditor should express an opinion on whether controls have been suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls are operating effectively, for SOC 2 reports.

232 1.17.a.iii(2)

The type 2 report must include a service auditor's report that includes the control tests and the results and, when the report addresses the privacy principle, the tests and the results of the compliance with its privacy practices.

233 1.17.a.ii(3)

The type 2 report must include a written assertion about whether the controls named in the system description operated effectively throughout the named time period to meet the applicable trust services criteria.

234 1.17.a.ii(4)

The type 2 report must include a written assertion about whether management has complied with its privacy practices statement throughout the named time period, when the system description addresses the privacy principle.

235 1.17.b.iii

The type 1 report must include a service auditor's report expressing an opinion on the items in paragraphs 1.17.b.ii(1) and 1.17.b.ii(2).

236 1.33 Bullet 4

The type 2 report for a SOC 2 engagement on the privacy principle must include the service auditor's opinion about whether management has complied with the commitments listed in the privacy practices throughout the named time period.

237 3.21

The service auditor should evaluate whether the system description adequately describes the complementary user entity controls, along with their importance in meeting the applicable trust services criteria.

238 4.02.m.i

The service auditor's type 2 report should include the service auditor's opinion on whether the system description fairly presents the system that was designed and implemented throughout the named time period.

239 4.13.a

The service auditor's opinion should be modified, and a clear description of the reasons for the modification should be included in the service auditor's report, if the service auditor concludes that the system description is not fairly presented.

240 4.13.b

The service auditor's opinion should be modified, and a clear description of the reasons for the modification should be included in the service auditor's report, if the service auditor concludes that the controls are not suitably designed to provide reasonable assurance that the criteria will be met with the controls operating as described.

241 4.13.c

The service auditor's opinion should be modified, and a clear description of the reasons for the modification should be included in the service auditor's report, if the service auditor concludes the controls did not operate effectively throughout the named time period, for a type 2 report.

242 4.13.d

The service auditor's opinion should be modified, and a clear description of the reasons for the modification should be included in the service auditor's report, if the service auditor concludes a scope limitation exists and the service auditor cannot obtain sufficient evidence.

243 4.13.e

The service auditor's opinion should be modified, and a clear description of the reasons for the modification should be included in the service auditor's report, if the service auditor concludes that the service organization did not comply with the privacy practices statement, for a type 2 report that addresses the privacy principle.

244 4.13.f

The service auditor's opinion should be modified, and a clear description of the reasons for the modification should be included in the service auditor's report, if the service auditor concludes the written assertion does not provide sufficient detail, does not disclose identified deficiencies that resulted in a qualified opinion, or contains inaccuracies, and management refuses to correct the assertion.

245 4.13.g

The service auditor's opinion should be modified, and a clear description of the reasons for the modification should be included in the service auditor's report, if the service auditor concludes that other information that is not covered by the service auditor's report contains material inconsistencies and management refuses to correct it.

246 4.35

The service auditor's type 2 report that covers privacy controls should include the service auditor's opinion on whether the organization complied with the privacy practices statement throughout the named time period.

247 3.73

The service auditor should express an opinion on whether the service organization complied with its privacy commitments, when the type 2 engagement includes the privacy principle.

248 4.02.n

The service auditor's type 2 report should include a reference to whether complementary user entity controls are needed to meet the applicable trust services criteria.

249 4.02.o.i

The service auditor's type 2 report should include a reference to the control tests and the results, including identifying each applicable trust services criterion, which controls were tested, whether the tested items represented all or part of the population, and the nature of the tests in sufficient detail to allow users to determine the effect on their risk assessments.

250 4.02.p.i

The service auditor's type 2 report that addresses the privacy principle should include a reference to the compliance tests and results, including identifying the commitments that were tested, whether the tested items represented all or part of the population, and the nature of the tests in sufficient detail to allow users to determine the effect on their risk assessments.

251 4.03

The service auditor's type 2 report should include a description of the control tests and the results, including identifying what was tested, whether the tested items represented all or part of the population, and the nature of the tests in sufficient detail to allow users to determine the effect on particular objectives.

252 4.02.o.ii

The service auditor's type 2 report should include a reference to the control tests and results, including, if deviations were identified, the extent of the testing that led to the discovery of the deviations, the number of items tested, and the number and nature of the identified deviations, even if the service auditor concludes the criteria were met.

253 4.02.p.ii

The service auditor's type 2 report that addresses the privacy principle should include a reference to the compliance tests and results, including identified deviations in complying with the privacy practices statement, the extent of testing that led to the discovery, the number of items tested, and the number and nature of the identified deviations, even if the service auditor concludes the commitments were complied with.

254 4.07

Management may find it helpful to the audit report users to disclose the causative factors for the identified deviations, the controls that will mitigate the deviations, what corrective actions were taken, and other qualitative factors to assist the users in understanding the effect of the deviation.

255 4.02.q

The service auditor's type 2 report should include a statement that the report is solely for the use of management and other named parties.

256 4.42

The service auditor's report should include a statement that the report is intended solely for the use and information of management and other named parties.

257 4.02.r

The service auditor's type 2 report should include the date of the report.

258 1.15

The description should include an explanation of why applicable trust services criteria are not addressed by a control, if the description includes one or more criteria not addressed by a control.

259 2.10

The service auditor should consider who the intended users are when determining whether to accept or continue an engagement.

260 4.02.c.v

The service auditor's type 2 report should include the organization's privacy practices statement, when it addresses privacy principles.

261 4.02.e.vi

The service auditor's type 2 report should include a statement that management is responsible for complying with the privacy practices statement, when the audit report covers privacy controls.

262 3.105

The service auditor may determine that the assertion does not provide sufficient detail, contains inaccuracies, or fails to disclose identified deficiencies that resulted in a qualified opinion. In this case, the service auditor should request that management change its assertion.

263 4.02.b

The service auditor's type 2 report should include an addressee.

264 4.02.s

The service auditor's type 2 report should include the auditor's name and the city and state of the office that maintains responsibility for the engagement.

265 1.17.a.i

The type 2 report must include management's system description.

266 1.17.b.i

The type 1 report must include management's system description.

267 1.17

Management's written assertion must be attached to the system description, for a type 1 engagement and a type 2 engagement, to clearly communicate that management is responsible for the system description, the suitability of the control design, and, for a type 2 report, the controls' operating effectiveness.

268 4.02.c.i

The service auditor's type 2 report should include management's system description and the system's functions or services that are furnished by the service organization.

269 4.02.e

The service auditor's type 2 report should include a reference to management's assertion.

270 4.02.c.ii

The service auditor's type 2 report should include the parts of the system description that are not covered by the service auditor's report.

271 3.16

The service organization may decide that it wants to provide the users with other information that is not required and will not be covered by the service auditor's report. This information should not be in the system description and should be differentiated from the information that is covered by the service auditor's report.

272 2.14

The service auditor should receive written acknowledgment and acceptance from the subservice organization of its responsibilities for the items in paragraph 2.13, when using the inclusive method.

273 3.24

The service organization's management should determine whether function controls that are performed by a vendor are needed to meet any of the applicable trust services criteria or are relevant to the fair presentation of the system description.

274 3.27 Bullet 1

The service organization should obtain acceptance and acknowledgment of responsibility for the items listed in paragraph 2.13 from management of the subservice organization, when the inclusive method is used.

275 3.27 Bullet 2

The service organization should obtain an understanding of the parts of the system that are furnished by the subservice organization, when the inclusive method is used.

276 4.02.c.vi

The service auditor's type 2 report should include the services that are performed by a subservice organization and whether the inclusive method or the carve-out method is used.

277 4.02.c.vi(1)

The service auditor's type 2 report should include a statement that the system description excludes the subservice organization's controls and the privacy practices statement, if the report addresses the privacy principle, and that the service auditor's procedures do not extend to the subservice organization, when the carve-out method is used.

278 4.02.c.vi(2)

The service auditor's type 2 report should include a statement that the system description includes the subservice organization's applicable trust services criteria and controls and its privacy practices statement, when the report addresses the privacy principle, and that the service auditor's procedures include procedures that are related to the subservice organization, when the inclusive method is used.

279 4.02.d

The service auditor's type 2 report should include a statement that the complementary user entity controls were not evaluated for operating effectiveness or suitability of design and that the applicable trust services criteria can be met only if the complementary user entity controls are suitably designed and operating effectively, if the system description states the need for complementary user entity controls.

280 1.17.b.ii(2)

The type 1 report must include a written assertion about whether the controls were suitably designed to meet the applicable trust services criteria as of a named date.

281 1.33 Bullet 2

The type 2 report for a SOC 2 engagement must include the service auditor's opinion about whether the controls stated in the description were suitably designed to meet the applicable trust services criteria.

282 1.33 Bullet 3

The type 2 report for a SOC 2 engagement must include the service auditor's opinion about whether the identified controls were operating effectively to meet the applicable trust services criteria.

283 4.01 Bullet 2

The service auditor must prepare a written description of the control tests and results, for a type 2 report.


284 4.01 Bullet 3

The service auditor must provide a written description of the tests for compliance with its privacy practices and the results, for a type 2 report addressing the privacy principle.

285 4.02.i

The service auditor's type 2 report should include a statement that the examination included assessing the risks that the system description is not fairly presented; that the controls were not suitably designed or operating effectively; and that the organization did not comply with the privacy practices statement.

286 4.02.j

The service auditor's type 2 report should include a statement that the examination included testing the operating effectiveness of those controls the service auditor believes are needed to provide reasonable assurance that the applicable trust services criteria were met, and testing compliance with the privacy practices statement.

287 4.02.m.ii

The service auditor's type 2 report should include the service auditor's opinion on whether the controls were suitably designed to provide reasonable assurance that the criteria would be met if the controls operated effectively throughout the named time period.

288 4.02.m.iii

The service auditor's type 2 report should include the service auditor's opinion on whether the tested controls operated effectively throughout the named time period.

289 4.02.m.iv

The service auditor's type 2 report should include the service auditor's opinion on whether the organization complied with the privacy practices statement throughout the named time period, if the audit report addresses the privacy principle.

290 1.17.a.iii(1)

The type 2 report must include a service auditor's report that expresses an opinion on paragraphs 1.17.a.ii(1) through 1.17.a.ii(4), when the report includes the privacy principle.

291 4.02.k

The service auditor's type 2 report should include a statement that the service auditor believes that the examination furnished a reasonable basis for the service auditor's opinion.


292 4.02.l

The service auditor's type 2 report should include a statement about the inherent limitations of the controls, including the risk of projecting to future evaluation periods the conclusions on the fairness of the system description, the conclusions about the operating effectiveness or design, and the compliance with the privacy practices statement.

293 1.12 Bullet 1

The service auditor should express an opinion on whether the system description is fairly presented based on the description criteria.

294 1.12 Bullet 4

The service auditor should express an opinion on whether the organization is in compliance with the commitments stated in the privacy practices statement, for engagements to report on privacy principles.

295 1.17.a.ii(1)

The type 2 report must include a written assertion about whether the system description fairly presents the system that was designed and implemented throughout the named time period.

296 1.17.a.ii(2)

The type 2 report must include a written assertion about whether the controls named in the system description were suitably designed throughout the named time period to meet the applicable trust services criteria.
