controls_soc2.pdf


Upload: anilappanna

Post on 16-Dec-2015


TRANSCRIPT

  • Controls_SOC2 04 July 2015 08:52:57

    ID Controls_SOC2 Control_Guidance

    1 1.35.a The system description, when addressing privacy controls, must contain the types of personal information that is collected or obtained and how the information is collected or obtained, in order to meet the criteria for being fairly presented.

    2 1.35.e.vii The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a description of the process for determining if personal information is complete and accurate and how the correction process is implemented, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    3 1.35.e.vii The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a description of the process for determining if personal information is complete and accurate and how the correction process is implemented, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    4 1.35.e.iv The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that personal information will be kept for a period no longer than necessary, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    Page 1 of 36


    5 1.35.e.v The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that personal information is disposed in a way that prevents misuse, theft, loss, or unauthorized access, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    6 1.35.e The system description, when addressing privacy controls, must contain a statement on how the privacy notice is communicated to individuals, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to the individuals.

    7 1.35.e The system description, when addressing privacy controls, must contain a statement that the user entities are responsible for providing the notice to the individuals, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    8 1.35.e.vi The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include how the organization supports the process the user entity uses to allow individuals to review, update, and correct personal information, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    9 1.35.e.vii The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a description of the process for determining if personal information is complete and accurate and how the correction process is implemented, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.


    10 1.35.e.viii The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include how complaints, questions, and disputes about personal information are handled by the organization, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    11 1.40 The service auditor should conduct procedures that are related to any additional subject matter the service organization requests.

    12 3.46 The service auditor should test the operating effectiveness of the controls stated in the system description that are needed to meet the applicable trust services criteria throughout the named time period, for a type 2 engagement.

    13 3.64 The service auditor should test the operating effectiveness of controls that are effective during the period covered by the audit report and determine if they have operated often enough to be assessed.

    14 3.72 The service auditor should test superseded controls before they are changed and the new controls after the change, when changes are made during the period that are relevant to the applicable trust services criteria and the changes are considered significant by the users.

    15 2.27 The service auditor should determine what test procedures to perform and when a test result will be a deviation, before the service auditor begins testing controls and compliance.

    16 3.63 The service auditor should consider audit sampling for obtaining reasonable assurance about the operating effectiveness of the control, when the control operates often.

    17 3.70 The service auditor should consider the nature of the controls, the frequency of their application, and the expected deviation rate when determining the extent of tests and if sampling is appropriate.

    18 3.74 The service auditor should determine the extent of performing tests to detect material noncompliance with the privacy commitments.


    19 3.71 The service auditor's tests should identify the applicable trust services criteria for which tests have not been conducted and the reason that the tests have not been conducted, when the control did not operate during the examination period.

    20 3.02 Bullet 5 The service auditor may perform walkthroughs to evaluate if the system description is fairly presented.

    21 3.29 Bullet 2 The system description should identify any parts of the personal information lifecycle for which the subservice organization has responsibility, when the carve-out method is used.

    22 2.01 Bullet 3 Management of the service organization must determine which type of engagement to perform, what principle(s) to look at, the scope, and if any subservice organizations will be included or carved out of the description and service auditor's report.

    23 2.02 Bullet 1 The service auditor must either accept or continue the engagement.

    24 2.02 Bullet 2 The service auditor must read the system description and gain an understanding of the system.

    25 2.03.c.i The service auditor should accept or continue an engagement only if the preliminary engagement knowledge indicates that the criteria for use will be suitable and available to the report's intended users.

    26 4.24 The service auditor should request that management include omitted criteria and controls in the system description, and, if management refuses, the service auditor should disclaim an opinion or withdraw from the engagement.

    27 3.96 The service auditor should withdraw from the engagement or disclaim an opinion, if management refuses to provide representations to reaffirm its assertion or representations that it has furnished all of the information and access that was agreed to.


    28 3.102 The service auditor is not required to stay informed of subsequent events before the date of the service auditor's report. If the service auditor becomes aware of conditions that might have affected management's assertion and the service auditor's report, the service auditor should evaluate this information by adapting and applying the guidance from AU section 561.

    29 4.10 The service auditor should adapt and apply the requirements of paragraph .27 of AU section 322, when the service auditor uses the internal audit function to provide direct assistance.

    30 3.81 Bullet 1 The service auditor should notify the internal auditors of their responsibilities; the procedure's objectives; and matters that may affect the timing, nature, and extent of the audit procedures, when the internal audit function is providing direct assistance to the service auditor.

    31 1.26 The boundaries of the system being examined for a SOC 2 engagement must be clearly defined, understood, and communicated.

    32 2.04 Bullet 1 The service auditor should consider reputation and integrity of management and the significant principal owners or shareholders before accepting an engagement.

    33 2.04 Bullet 2 The service auditor should consider the likelihood that associating with the organization will expose the service auditor to financial loss, undue risk of damage to professional reputation, or expose report users to financial loss or misinformation before accepting an engagement.

    34 1.35.e.ix The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that a written security program exists and what standard or industry it is based on, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    35 1.32 The service auditor's report shall not include a type 1 opinion and a type 2 opinion.


    36 4.02.c.iii The service auditor's type 2 report should include the criteria to evaluate if the system description is fairly presented.

    37 4.02.c.iv The service auditor's type 2 report should include the applicable trust services criteria to evaluate if the controls are operating effectively and suitably designed.

    38 4.09 The service auditor should not reference any used work of the internal audit function in the service auditor's opinion, since the service auditor has sole responsibility for the opinion in the service auditor's report.

    39 2.21.b The service auditor should determine if the work of the internal audit function is likely to be adequate for the engagement by evaluating if the work is conducted with due professional care, if the service auditor intends to use their work or internal audit personnel in a direct assistance capacity.

    40 2.22.a The service auditor should evaluate the nature and scope of the specific work conducted by the internal audit function to determine the planned effects this work will have on the nature, timing, and extent of the service auditor's procedures.

    41 2.22.c The service auditor should evaluate the degree of subjectivity that is involved in evaluating evidence to support the conclusions to determine the planned effect of the internal audit function's work on the nature, timing, and extent of the service auditor's procedures.

    42 3.79.b The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether it was properly supervised, reviewed, and documented, to determine if it is adequate for the service auditor's purposes.

    43 3.81 Bullet 2 The service auditor should supervise, evaluate, review, and test the work conducted by the internal auditors that are providing direct assistance to the service auditor.

    44 3.79.e The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether unusual matters or exceptions that are disclosed by the internal audit function are resolved, to determine if it is adequate for the service auditor's purposes.


    45 2.21.a The service auditor should determine if the work of the internal audit function is likely to be adequate for the engagement by evaluating the technical competence and objectivity of the internal audit function team members, if the service auditor intends to use their work or internal audit personnel in a direct assistance capacity.

    46 2.21.c The service auditor should determine if the work of the internal audit function is likely to be adequate for the engagement by evaluating the likelihood that effective communication will occur between the internal audit function and the service auditor, if the service auditor intends to use their work or internal audit personnel in a direct assistance capacity.

    47 3.79.a The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether it was performed by personnel who have adequate technical training and proficiency, to determine if it is adequate for the service auditor's purposes.

    48 2.05 The service auditor is not required to review a previous service auditor's working papers, if the previous service auditor issued an audit report.

    49 2.03.c.iii The service auditor should accept or continue an engagement only if the preliminary knowledge indicates that the scope and system description will not be limited.

    50 3.79.c The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether enough evidence was obtained to draw reasonable conclusions, to determine if it is adequate for the service auditor's purposes.

    51 2.03.b The service auditor should accept or continue an engagement only if the service auditor is independent in all matters that relate to the engagement.

    52 2.08 The service auditor is not required to be independent of the service organization's users.

    53 2.28 An engagement letter is required to establish an understanding with the client about the services that need to be performed.


    54 2.29 The engagement letter should include objectives, the services that will be provided, the service auditor's responsibilities, management's responsibilities, and the limitations of the engagement.

    55 2.02 Bullet 3 The service auditor must establish an understanding with the organization's management, usually via an engagement letter, about what services will be performed and the responsibilities of the service auditor and management.

    56 2.03.c.ii The service auditor should accept or continue an engagement only if the preliminary knowledge indicates that the service auditor will have access to the evidence needed to conduct the engagement.

    57 2.03.a The service auditor should accept or continue an engagement only if the service auditor has the appropriate competence and capabilities.

    58 2.03.a.i The service auditor must have the technical proficiency and technical training to perform an attestation engagement.

    59 2.03.a.ii The service auditor must have adequate knowledge of the subject matter to continue or accept an engagement.

    60 2.03.a.iv The service auditor must have knowledge of the organization's business and industry.

    61 2.03.a.v The service auditor must have appropriate knowledge of technology and systems.

    62 2.03.a.vi The service auditor must have experience evaluating risks that are related to the suitability of the control design.

    63 2.03.a.vii The service auditor must have experience evaluating the design of Information Technology controls and manual controls, conducting tests on the controls, and evaluating the test results.

    64 2.03.b The service auditor should accept or continue an engagement only if the service auditor exercises due professional care while planning and conducting the engagement and preparing the audit report.

    65 2.22.b The service auditor should evaluate the significance of the internal audit function's work to the service auditor's conclusions to determine the planned effects this work will have on the nature, timing, and extent of the service auditor's procedures.


    66 3.79.d The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether appropriate conclusions are reached and reports are consistent with the work results, to determine if it is adequate for the service auditor's purposes.

    67 3.32 The service auditor should agree that a reasonable justification exists and the requirements for acceptance and continuance are still met before making a change in the scope that management requests.

    68 3.33 The service auditor should disclaim an opinion if the change in scope request is due to management refusing to provide a written representation or written assertion after agreeing to provide it.

    69 3.04 The description of the control should include who is responsible, the frequency or timing of the control, the nature of the activity, and what the control is applied to.

    70 2.23(a) The service auditor should evaluate materiality with respect to the fair presentation of the system description.

    71 2.23(b) The service auditor should evaluate materiality with respect to the suitability of the design of the controls.

    72 2.23(c) The service auditor should evaluate materiality with respect to the control's operating effectiveness for a type 2 engagement.

    73 2.23(d) The service auditor should evaluate materiality with respect to the organization's compliance with its privacy practices statement, for type 2 engagements that address the privacy principle.

    74 3.49 The service auditor should consider materiality when evaluating if the controls are operating effectively to meet the applicable trust services criteria.

    75 3.99 The service auditor should ask if management is aware of any subsequent events that could have a significant effect on management's assertion and the subject matter of the assertion.


    76 3.27 Bullet 7 The service organization should obtain evidence that the subservice organization is complying with the privacy commitments it made with the organization, when the inclusive method is used.

    77 1.35.d The system description, when addressing privacy controls, must contain a statement that the privacy notice was prepared in compliance with the requirements of the applicable trust services criteria, in order to meet the criteria for being fairly presented, if the service organization provides the privacy notice to the individuals.

    78 1.27 The system boundaries should include all the system components as they relate to the personal information life cycle, whether in informal ad hoc procedures or in well-defined processes, when the SOC 2 engagement addresses the privacy principle.

    79 3.86 The service auditor should reassess the risk that the system description is not fairly presented; controls are not suitably designed and are not operating effectively; and the service organization has not complied with the privacy practices statement, when the service auditor becomes aware that identified deviations resulted from intentional acts by the service organization's personnel.

    80 3.87 The service auditor should determine the effect of noncompliance incidents with laws and regulations or adverse events that are not detected or prevented with controls on the system description, the suitability of design and operating effectiveness, compliance with the privacy practices statement, and the service auditor's report.

    81 3.29 Bullet 5 The system description should identify the types of activities the subservice organization must conduct to comply with the service organization's privacy practices, when the carve-out method is used and the system description addresses the privacy principle.

    82 1.35.e The system description, when addressing privacy controls, must contain a statement on how the privacy notice is communicated to individuals, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to the individuals.


    83 3.85 The service auditor should determine whether deviations from intentional acts, noncompliance with laws and regulations, and other adverse events that are not detected or prevented by a control should be communicated to affected user entities and if the communication has already occurred.

    84 1.17 The statement of privacy practices should be attached to or included in the description, when the audit report addresses the privacy principle.

    85 1.40 The service auditor should include the description of the scope and the related opinion on the additional subject matter in separate paragraphs of the service auditor's report.

    86 1.40 The service auditor may include any additional tests and the detailed results in a separate attachment to the service auditor report.

    87 4.01 Bullet 1 The service auditor must prepare the service auditor's report with all the items listed in paragraph 4.02 and change it, as necessary.

    88 4.10 The part of the service auditor's report that describes the control tests and results should include a description of the internal auditor's work and the service auditor's procedures, if the work was used in performing the tests.

    89 4.14 The service auditor should consider the individual and aggregate effect of identified deviations in the system description and the suitability and operating effectiveness during the named time period, when determining whether to change the service auditor's report.

    90 2.03.a.iii The service auditor must have reasons for believing that the subject matter may be evaluated against criteria appropriate for the intended use, in order to accept or continue the engagement.

    91 2.13.a The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for preparing the system description and assertion.

    92 2.13.b The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing a written assertion.


    93 2.13.c The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for having a reasonable basis for the assertion.

    94 2.05 The service auditor may gather information about the matters in paragraph 2.04 by talking with the previous service auditor about the reasons for changing the service auditor and any disagreements between the auditor and organization.

    95 2.13.e.i The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing the service auditor with access to all required information.

    96 2.13.e.ii The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing the service auditor with any information the service auditor requests for the examination.

    97 2.13.e.iii The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing the service auditor with unrestricted access to organizational personnel.

    98 2.01 Bullet 1 The service organization's management must prepare the system description.

    99 2.01 Bullet 2 Management of the service organization must provide a written assertion.

    100 2.01 Bullet 4 Management of the service organization must provide written representations at the end of the engagement and, if the inclusive method is used, management of the service organization and the subservice organization must agree to provide these written representations.

    101 3.27 Bullet 8 The service organization should obtain a written assertion from the subservice organization that includes the items listed in paragraphs 1.17.a(ii)(1) through 1.17.a(ii)(4) for a type 2 report and paragraphs 1.17.b(ii)(1) through 1.17.b(ii)(2) for a type 1 report, when the inclusive method is used.


    102 3.27 Bullet 9 The service organization should obtain a written representation from the subservice organization about the items listed in paragraph 3.90, when the inclusive method is used.

    103 3.27 Bullet 9 The service auditor should obtain written representations about the items in paragraph 3.90 that are relevant to the furnished services, when the inclusive method is used.

    104 3.90.a The service auditor should request that management provide a written representation reaffirming the assertion that is attached to the system description.

    105 3.91 The service auditor should obtain written representations from the subservice organization addressing the items in paragraph 3.90, when the system description uses the inclusive method and the service organization uses a subservice organization.

    106 3.94 The written representations should be a representation letter that is addressed to the service auditor, signed by individuals identified by the service auditor, and dated with the same date as the service auditor's report.

    107 3.28 Bullet 1 The service auditor should evaluate if the system description, including the relevant aspects of the system furnished by the subservice organization, is fairly presented, when the inclusive method is used.

    108 3.28 Bullet 2 The service auditor should evaluate the suitability of the control design at the subservice organization, when the inclusive method is used.

    109 1.34.a.i The system description must contain the types of services provided, in order for it to meet the criteria for being fairly presented.

    110 1.34.a.ii(1) The system description must contain the hardware components and physical components of the system providing the services, in order for it to meet the criteria for being fairly presented.

    111 1.34.a.ii(2) The system description must contain the Operating System and the programs of the system providing the services, in order for it to meet the criteria for being fairly presented.


    112 1.34.a.ii(3) The system description must contain the personnel who are involved in the use and operation of the system providing the service, in order for it to meet the criteria for being fairly presented.

    113 1.34.a.ii(5) The system description must contain the information that is used and supported by the system providing the services, in order for it to meet the criteria for being fairly presented.

    114 1.34.a.viii(1) The system description must include the nature of the services the subservice organization provides, when the carve-out method is used, in order to meet the criteria for being fairly presented.

    115 3.29 Bullet 1 The system description should identify the nature of the services furnished by the subservice organization, when the carve-out method is used.

    116 1.34.a.iv The system description must include how the system captures and addresses significant conditions and events, in order to meet the criteria for being fairly presented.

    117 1.13 Management of the service organization should include all of the description criteria from paragraphs 1.34 and 1.35 in its assertion.

    118 1.14 The service auditor should determine if the description includes all of the applicable trust services criteria.

    119 1.34.a.v The system description must include the process the organization uses to prepare and deliver reports to other parties and user entities, in order to meet the criteria for being fairly presented.

    120 1.35.b(i) The system description, when addressing privacy controls, must contain the process to identify the laws and regulations and the specific requirements in agreements applicable to personal information, in order to meet the criteria for being fairly presented.

    121 1.35.b(ii) The system description, when addressing privacy controls, must contain the process used to implement the controls and practices to meet the legal and agreement requirements, in order to meet the criteria for being fairly presented.


    122 1.35.d The system description, when addressing privacy controls, must contain a statement that the privacy notice was prepared in compliance with the requirements of the applicable trust services criteria, in order to meet the criteria for being fairly presented, if the service organization provides the privacy notice to the individuals.

    123 1.35.e The system description, when addressing privacy controls, must contain a statement that the user entities are responsible for providing the notice to the individuals, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    124 1.35.e.i The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a summary of the significant requirements that are common to most agreements between the organization and the user entities, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    125 1.35.e.i The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include the requirements in the user entities agreement that the service organization meets for all or most user entities, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    126 1.35.e.ii The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a summary of the significant requirements that are mandated by law, regulation, market, or industry and not included in the agreements, but the service organization complies with for all or most user entities, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    127 1.35.e.iii The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include the purposes, uses, and disclosures of personal information that are allowed in the agreements, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    128 1.35.e.iv The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that personal information will be kept for a period no longer than necessary, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    129 1.35.e.v The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that personal information is disposed of in a way that prevents misuse, theft, loss, or unauthorized access, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    130 1.35.e.vi The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include how the organization supports the process the user entity uses to allow individuals to review, update, and correct personal information, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    131 1.35.e.vii The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a description of the process for determining if personal information is complete and accurate and how the correction process is implemented, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    132 1.35.e.viii The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include how complaints, questions, and disputes about personal information are handled by the organization, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    133 1.35.e.ix The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that a written security program exists and what standard or industry it is based on, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    134 1.35.e.x The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include any other relevant information about privacy practices that is appropriate for user entities, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    135 1.34.a.x The system description must include aspects of the risk assessment process, control environment, communication systems, Information Systems, and monitoring of controls that are relevant to the applicable trust services criteria and the provided services, in order to meet the criteria for being fairly presented.

    136 3.10 The service auditor should ask if there were any changes made to the system, and if the service auditor believes the changes are significant to the users, determine if they are included in the system description at an appropriate level of detail, including the date of the change and how the system is different.

    137 1.34.b The system description must not distort or omit information that is relevant to the system and it must acknowledge that the description covers a wide range of users and may not contain aspects that individual users may consider important to their personal needs, in order to meet the criteria for being fairly presented.

    138 3.19 The service auditor should consider whether significant system aspects and processing aspects are included or if relevant information was distorted or omitted, when evaluating the fair presentation of the system description.

    139 3.27 Bullet 3 The service organization should obtain and evaluate evidence that the part of the system description furnished by the subservice organization is fairly presented, when the inclusive method is used.

    140 1.13 The service auditor should determine if the description meets the description criteria located in paragraphs 1.34 and 1.35, when evaluating the fairness of the presentation of the system description.

    141 1.17.b.ii(1) The type 1 report must include a written assertion about whether the system description fairly presents the system that was designed and implemented as of the named date.

    142 1.34.a.iii The system description must include the system boundaries or system aspects, in order to meet the criteria for being fairly presented.

    143 1.34.a.vii(1) The system description must include the applicable trust services criteria and controls designed to meet the criteria for each principle being reported on including the complementary user entity controls, in order to meet the criteria for being fairly presented.

    144 1.34.a.vii(2) The system description must include the applicable trust services criteria and controls designed to meet the criteria for each principle being reported on including the controls at the subservice organization if the inclusive method is used, in order to meet the criteria for being fairly presented.

    145 1.34.a.viii(2) The system description must include, when the carve-out method is used, each applicable trust services criteria being met by controls at the subservice organization, either alone or in combination with the organization, and the controls expected to be implemented to meet the criteria, in order to meet the criteria for being fairly presented.

    146 1.34.a.xi The system description must contain, for type 2 reports, details of any system changes during the period the description covers, in order to meet the criteria for being fairly presented.

    147 1.35.c.i The system description, when addressing privacy controls and using the carve-out method, must contain the parts of the personal information life cycle that the subservice organization has responsibility for, in order to meet the criteria for being fairly presented.

    148 2.09 The service auditor should consider the scope of the system, the functions, how the subservice organizations are used, how the information is presented, the relevance of the trust services principles, and the time period of the report when determining whether to accept or continue an engagement.

    149 3.01 The service auditor should read the system description and determine if it is fairly presented.

    150 3.02 Bullet 1 The service auditor may read Service Level Agreements and contracts to determine if the system description is fairly presented.

    151 3.02 Bullet 2 The service auditor may obtain an understanding of the laws and regulations that are relevant to the services being provided to evaluate if the system description is fairly presented.

    152 3.02 Bullet 3 The service auditor may observe the procedures being performed by personnel to evaluate if the system description is fairly presented.

    153 3.02 Bullet 4 The service auditor may read policy manuals, procedure manuals, and other system documentation to evaluate if the system description is fairly presented.

    154 3.02 Bullet 6 The service auditor may obtain a list of the user entities and determine how the provided services are likely to affect the user entities to evaluate if the system description is fairly presented.

    155 3.02 Bullet 7 The service auditor may discuss the content of the assertion and the system description with management to evaluate if the system description is fairly presented.

    156 3.02 Bullet 8 The service auditor may read reports from the internal audit function to evaluate if the system description is fairly presented.

    157 3.06 The system description is not fairly presented if it implies or states that elements that do not exist actually exist, implies or states that controls are being performed when they are actually not being performed, or if it intentionally or inadvertently distorts or omits relevant system information.

    158 3.08 The service auditor should determine if the system description includes all major parts of the system that are in the scope of the engagement, when evaluating if the system description materially omits information that is relevant to users.

    159 3.09 The service auditor should determine if the system description clearly delineates the boundaries of the system that are included in the scope.

    160 3.22 The service auditor should ask questions and read documents to evaluate whether the complementary user entity controls are adequately described in the system description.

    161 2.01 Bullet 5 Management of the service organization must have a reasonable basis for its written assertion.

    162 3.27 Bullet 5 The service organization should evaluate the suitability of the control design at the subservice organization, when the inclusive method is used.

    163 3.13 The service auditor should determine if the controls stated in the system description have been implemented.

    164 3.14 The service auditor may perform a walkthrough inspection to determine if the controls have been implemented.

    165 3.27 Bullet 4 The service organization should obtain evidence that the described controls are implemented at the subservice organization, when the inclusive method is used.

    166 1.21 The system description should separately identify the complementary user entity controls that are needed to meet the applicable trust services criteria and the criteria that cannot be met by the organization's controls alone.

    167 1.34.a.ii(4) The system description must contain the manual procedures and automated procedures involved in operating the system that provides the services, in order for it to meet the criteria for being fairly presented.

    168 1.34.a.vi(2) The system description must include the procedures the organization uses to determine if the information furnished to or received from subservice organizations or other parties, along with its processing, maintenance, and storage, is subject to appropriate controls, in order to meet the criteria for being fairly presented.

    169 1.35.c.ii The system description, when addressing privacy controls and using the carve-out method, must contain the activities the subservice organization has to perform to meet the privacy commitments of the organization, in order to meet the criteria for being fairly presented.

    170 1.35.f The system description, when addressing privacy controls, must contain the service organization's statement of privacy practices, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to individuals.

    171 3.07 The system description should not contain any statements which cannot be objectively evaluated for it to be fairly presented.

    172 3.27 Bullet 6 The service organization should obtain evidence that the controls are operating effectively at the subservice organization, for a type 2 report and when the inclusive method is used.

    173 3.29 Bullet 3 The system description should identify each applicable trust services criteria that will be met with controls at the subservice organization, either alone or in combination with the service organization, when the carve-out method is used.

    174 3.29 Bullet 4 The system description should identify the types of controls to implement at the subservice organization, when the carve-out method is used.

    175 1.12 Bullet 3 The service auditor should express an opinion if the controls are operating effectively to meet the applicable trust services criteria, for type 2 reports.

    176 3.04 The service auditor should evaluate each control, as it is presented in the system description, to determine if it provides sufficient information for users to understand how the control affects a particular user, when determining if the system description is fairly presented.

    177 3.28 Bullet 3 The service auditor should test the operating effectiveness of the controls for a type 2 report, when the inclusive method is used.

    178 3.35 The service auditor should use the information and evidence that was obtained while determining if the system description is fairly presented to evaluate the suitability of the design of the controls.

    179 3.37 The service auditor should evaluate whether the types of controls that will be implemented at the subservice organization are needed to meet the applicable trust services criteria, if the carve-out method is used.

    180 3.28 Bullet 4 The service auditor should test the subservice organization's compliance with the service organization's privacy practices statement, when the inclusive method is used for an audit report that addresses the privacy principle.

    181 3.46 The service auditor should determine the timing, nature, and extent of the tests to evaluate whether the controls are operating effectively.

    182 3.50 Superseded controls should be included in the test population when the service organization implements changes to the controls during the period covered by the service auditor's report and the superseded controls could be relevant in meeting the applicable trust services criteria.

    183 3.51 The service auditor should consider the type of evidence that can be obtained, if the control is designed to meet one or more criteria, and the risk that the controls will not operate effectively, when determining the nature, timing, and extent of controls tests to perform.

    184 3.54.a.i The service auditor should perform procedures and conduct interviews to obtain evidence about how a control is applied.

    185 3.54.a.ii The service auditor should perform procedures and conduct interviews to obtain evidence about the consistency that the control was applied throughout the period.

    186 3.54.a.iii The service auditor should perform procedures and conduct interviews to obtain evidence about by whom and by what means the control was applied.

    187 3.54.b The service auditor should determine if the controls being tested depend on other controls and, if they do, determine whether it is necessary to obtain evidence to support the operating effectiveness of the other controls.

    188 3.54.c The service auditor should determine an effective method to select the test items to meet the procedure objectives.

    189 3.58 The service auditor should obtain evidence about the completeness, validity, and accuracy of information produced by the Information System that is furnished as a source for testing.

    190 3.61 The service auditor should determine what additional testing to accomplish during the remaining period, when testing is performed at an interim period.

    191 3.62 The service auditor should design and perform tests to obtain sufficient evidence that the controls are operating effectively throughout the named time period.

    192 3.66 The service auditor should perform additional tests on the controls during the current period, if the service auditor intends to use evidence obtained during a prior period and the controls have changed since the last test.

    193 3.67 The service auditor may decide to increase the extent of testing during the current period if deviations were identified in a prior year.

    194 3.76 The service auditor should implement procedures to provide reasonable assurance that material noncompliance will be detected.

    195 3.82 The service auditor should investigate the nature and causes of identified deviations.

    196 3.82.b The service auditor should investigate the nature and causes of identified deviations and determine if additional testing is needed to reach a conclusion about if the controls operated effectively throughout the named time period.

    197 3.82.a The service auditor should investigate the nature and cause of identified deviations and determine whether they are within the tolerable rate of deviation and acceptable. If they are, the testing provides a basis to conclude that the control operated effectively throughout the named time period.

    198 3.82.c The service auditor should investigate the nature and causes of identified deviations and determine if the performed testing provided a basis to conclude that the control did not operate effectively throughout the named time period.

    199 3.84 The service auditor should evaluate the deficiencies that are related to the control environment or other components of the internal control and determine their effect on the service auditor's opinion.

    200 1.34.a.vi(1) The system description must include how information is furnished to or received from subservice organizations or other parties and their roles, in order to meet the criteria for being fairly presented.

    201 3.90.b The service auditor should request that management provide a written representation that provides the service auditor with all the information and access agreed to.

    202 3.90.c.i The service auditor should request that management provide written representations that it disclosed instances of uncorrected errors or noncompliance with laws and regulations that may affect one or more user entities.

    203 3.90.c.iii The service auditor should request that management provide a written representation that it has disclosed design deficiencies in the controls.

    204 3.90.c.iv The service auditor should request that management provide a written representation that it has disclosed instances when the controls did not operate correctly.

    205 3.90.c.v The service auditor should request that management provide written representations that it has disclosed instances of noncompliance about commitments in the privacy practices statement.

    206 3.90.c.ii The service auditor should request that management provide written representations that it has disclosed any knowledge of suspected, actual, or alleged intentional acts that could adversely affect the fairness of the system description or if the controls were suitably designed and operating effectively to meet the applicable trust services criteria.

    207 1.34.a.ix The system description must include the applicable trust services criteria that do not have a control and the reasons those criteria do not have a control, in order to meet the criteria for being fairly presented.

    208 3.90.c.vi The service auditor should request that management provide a written representation that it has disclosed any subsequent events that could have a significant effect on the assertion or that no subsequent events have occurred.

    209 3.15 The service auditor should ask management to delete the controls from the system description that have not been implemented.

    210 3.95 Bullet 1 The service auditor should discuss with management the fact that it did not provide one or more of the requested representations.

    211 3.95 Bullet 2 The service auditor should evaluate the effect of management's refusal to provide the requested representations on the service auditor's integrity assessment and evaluate the effect this may have on evidence in general and on the reliability of management's representations.

    212 3.33 The service auditor should take appropriate action when the service auditor determines that a request to change the scope is intended to hide information that is relevant to the user.

    213 3.95 Bullet 3 The service auditor should take appropriate actions, including disclaiming an opinion or withdrawing from the engagement, if management does not provide one or more of the requested representations.

    214 3.99 The service auditor should modify the service auditor's opinion on the fairness of the system description and disclose in the service auditor's report any events of such significance and nature that disclosure is needed to prevent users from being misled, when that information is not disclosed by management in the system description.

    215 3.37 The service auditor should consider if evidence exists that the subservice organization is aware of the requirements for the service organization with respect to the controls, if the carve-out method is used.

    216 3.65 The service auditor should adapt and apply the requirements of paragraph .40 of AU section 318 if the service auditor plans on using evidence collected in a prior engagement.

    217 3.104 Management is expected to change its assertion to state the deficiencies that the service auditor identified, when the service auditor identifies deficiencies that cause the service auditor to give a qualified opinion.

    218 4.02.a The service auditor's type 2 report should include the word "independent" in the title.

    219 4.02.e.i The service auditor's type 2 report should include a statement that management is responsible for preparing the system description and assertion; the privacy practices statement, when the report includes privacy controls; and includes the completeness, accuracy, and method of presentation.

    220 4.02.e.ii The service auditor's type 2 report should include a statement that management is responsible for providing services that are stated in the system description.

    221 4.02.e.iii The service auditor's type 2 report should include a statement that management is responsible for selecting the trust services principle(s) that it is reporting on and stating them in the system description.

    222 1.33 Bullet 1 The type 2 report for a SOC 2 engagement must contain the service auditor's opinion about whether management's system description is fairly presented.

    223 2.13.d The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for designing, documenting, and implementing suitably designed controls that are operating effectively to meet the applicable trust services criteria.

    224 4.02.e.iv The service auditor's type 2 report should include a statement that management is responsible for identifying relevant applicable trust services criteria that have been omitted from the system description and the reason for them being omitted.

    225 4.02.e.v The service auditor's type 2 report should include a statement that management is responsible for designing, implementing, and documenting controls that are operating effectively and have been suitably designed to meet the applicable trust services criteria.

    226 4.02.f The service auditor's type 2 report should include a statement that the service auditor is responsible for expressing an opinion on the fairness of the system description; the suitability of the operating effectiveness and design of the controls; and compliance with its privacy practices statement, when the audit report addresses privacy principles, based on the service auditor's examination.

    227 4.02.g The service auditor's type 2 report should include a statement that the attestation standards of the American Institute of Certified Public Accountants were used for the examination and that the standards require the service auditor to plan and perform the examination to obtain reasonable assurance that the system description is fairly presented; that the controls are suitably designed and operating effectively throughout the named time period; and, for reports that address the privacy principle, that the organization complied with its privacy practices statement.

    228 4.02.h.i The service auditor's type 2 report should include a statement that the examination of the system description and the design and operating effectiveness of the controls involved performing procedures to obtain evidence about the fairness of the system description.

    229 4.02.h.ii The service auditor's type 2 report should include a statement that the examination of the system description and the design and operating effectiveness of the controls involved performing procedures to obtain evidence about the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria.

    230 4.02.h.iii The service auditor's type 2 report should include a statement that the examination of the system description and the design and operating effectiveness of the controls involved performing procedures to obtain evidence about compliance with the privacy practices statement, when the audit report covers the privacy principle.

    231 1.12 Bullet 2 The service auditor should express an opinion on whether the controls have been suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls are operating effectively, for SOC 2 reports.

    232 1.17.a.iii(2) The type 2 report must include a service auditor's report that includes the control tests and the results, and when the report addresses the privacy principle, the tests and the results of the compliance with its privacy practices.

    233 1.17.a.ii(3) The type 2 report must include a written assertion about whether the controls named in the system description operated effectively throughout the named time period to meet the applicable trust services criteria.

    234 1.17.a.ii(4) The type 2 report must include a written assertion about whether management has complied with its privacy practices statement throughout the named time period, when the system description addresses the privacy principle.

    235 1.17.b.iii The type 1 report must include a service auditor's report expressing an opinion on the items in paragraphs 1.17.b.ii(1) and 1.17.b.ii(2).

    236 1.33 Bullet 4 The type 2 report for a SOC 2 engagement on the privacy principle must include the service auditor's opinion about whether management has complied with the commitments listed in the privacy practices statement throughout the named time period.

    237 3.21 The service auditor should evaluate whether the system description adequately describes the complementary user entity controls, along with their importance in meeting the applicable trust services criteria.

    238 4.02.m.i The service auditor's type 2 report should include the service auditor's opinion on whether the system description fairly presents the system that was designed and implemented throughout the named time period.

    239 4.13.a The service auditor's opinion should be modified and a clear description of the modification reasons should be included in the service auditor's report, if the service auditor concludes that the system description is not fairly presented.

    240 4.13.b The service auditor's opinion should be modified and a clear description of the modification reasons should be included in the service auditor's report, if the service auditor concludes that the controls are not suitably designed to provide reasonable assurance that the criteria will be met with the controls operating as described.

    241 4.13.c The service auditor's opinion should be modified and a clear description of the modification reasons should be included in the service auditor's report, if the service auditor concludes the controls did not operate effectively throughout the named time period, for a type 2 report.

    242 4.13.d The service auditor's opinion should be modified and a clear description of the modification reasons should be included in the service auditor's report, if the service auditor concludes a scope limitation exists and the service auditor cannot obtain sufficient evidence.

    243 4.13.e The service auditor's opinion should be modified and a clear description of the modification reasons should be included in the service auditor's report, if the service auditor concludes that the service organization did not comply with the privacy practices statement, for a type 2 report that addresses the privacy principle.

    244 4.13.f The service auditor's opinion should be modified and a clear description of the modification reasons should be included in the service auditor's report, if the service auditor concludes the written assertion does not provide sufficient detail, does not disclose identified deficiencies that resulted in a qualified opinion, or it contains inaccuracies and management refuses to correct the assertion.

    245 4.13.g The service auditor's opinion should be modified and a clear description of the modification reasons should be included in the service auditor's report, if the service auditor concludes that other information that is not covered by the service auditor's report contains material inconsistencies and management refuses to correct it.

    246 4.35 The service auditor's type 2 report that covers privacy controls should include the service auditor's opinion on whether the organization complied with the privacy practices statement throughout the named time period.

    247 3.73 The service auditor should express an opinion on how the service organization complied with its privacy commitments, when the type 2 engagement includes the privacy principle.

    248 4.02.n The service auditor's type 2 report should include a reference to whether complementary user entity controls are needed to meet the applicable trust services criteria.

    249 4.02.o.i The service auditor's type 2 report should include a reference to the control tests and the results, including identifying each applicable trust services criteria, which controls were tested, if the tested items represented all or part of the population, and the nature of the tests in sufficient detail to allow users to determine the effect on their risk assessments.

    250 4.02.p.i The service auditor's type 2 report that addresses the privacy principle should include a reference to the compliance tests and results, including identifying the commitments that were tested, if the tested items represented all or part of the population, and the nature of the tests in sufficient detail to allow users to determine the effect on their risk assessments.

    251 4.03 The service auditor's type 2 report should include a description of the control tests and the results, including identifying what was tested, if the tested items represented all or part of the population, and the nature of the tests in sufficient detail to allow users to determine the effect on particular objectives.

    252 4.02.o.ii The service auditor's type 2 report should include a reference to the control tests and results, including if deviations were identified, the extent of the testing that led to the discovery of the deviations, the number of items tested, and the number and nature of the identified deviations, even if the service auditor concludes the criteria were met.

    253 4.02.p.ii The service auditor's type 2 report that addresses the privacy principle should include a reference to the compliance tests and results, including identified deviations in complying with the privacy practices statement, the extent of testing that led to the discovery, the number of items tested, and the number and nature of the identified deviations, even if the service auditor concludes the commitments were complied with.

    254 4.07 Management may find it helpful to the audit report users to disclose the causative factors for the identified deviations, the controls that will mitigate the deviations, what corrective actions were taken, and other qualitative factors to assist the users in understanding the effect of the deviation.

    255 4.02.q The service auditor's type 2 report should include a statement that the report is solely for the use of management and other named parties.

    256 4.42 The service auditor's report should include a statement that the report is intended solely for the use and information of management and other named parties.

    257 4.02.r The service auditor's type 2 report should include the date of the report.

    258 1.15 The description should include an explanation of why applicable trust services criteria are not addressed by a control, if the description includes one or more criteria not addressed by a control.

    259 2.10 The service auditor should consider who the intended users are when determining to accept or continue an engagement.

    260 4.02.c.v The service auditor's type 2 report should include the organization's privacy practices statement, when it addresses privacy principles.

    261 4.02.e.vi The service auditor's type 2 report should include a statement that management is responsible for complying with the privacy practices statement, when the audit report covers privacy controls.

    262 3.105 The service auditor may determine that the assertion does not provide sufficient detail, contains inaccuracies, or fails to disclose identified deficiencies that resulted in a qualified opinion. In this case, the service auditor should request that management change its assertion.

    263 4.02.b The service auditor's type 2 report should include an addressee.

    264 4.02.s The service auditor's type 2 report should include the auditor's name and the city and state of the office that maintains responsibility for the engagement.

    265 1.17.a.i The type 2 report must include management's system description.

    266 1.17.b.i The type 1 report must include management's system description.

    267 1.17 Management's written assertion must be attached to the system description, for a type 1 engagement and a type 2 engagement, to clearly communicate that management is responsible for the system description, the suitability of the control design, and, for a type 2 report, the control's operating effectiveness.

    268 4.02.c.i The service auditor's type 2 report should include management's system description and the system's functions or services that are furnished by the service organization.

    269 4.02.e The service auditor's type 2 report should include a reference to management's assertion.

    270 4.02.c.ii The service auditor's type 2 report should include the parts of the system description that are not covered by the service auditor's report.

    271 3.16 The service organization may decide that it wants to provide the users with other information that is not required and will not be covered by the service auditor's report. This information should not be in the system description and should be differentiated from the information that is covered by the service auditor's report.

    272 2.14 The service auditor should receive written acknowledgment and acceptance from the subservice organization of its responsibilities for the items in paragraph 2.13, when using the inclusive method.

    273 3.24 The service organization's management should determine whether function controls that are performed by a vendor are needed to meet any of the applicable trust services criteria or are relevant to the fair presentation of the system description.

    274 3.27 Bullet 1 The service organization should obtain acceptance and acknowledgment of responsibility for the items listed in paragraph 2.13 from management of the subservice organization, when the inclusive method is used.

    275 3.27 Bullet 2 The service organization should obtain an understanding of the parts of the system that are furnished by the subservice organization, when the inclusive method is used.

    276 4.02.c.vi The service auditor's type 2 report should include the services that are performed by a subservice organization and if the inclusive method or the carve-out method is used.

    277 4.02.c.vi(1) The service auditor's type 2 report should include a statement that the system description excludes the subservice organization's controls and the privacy practices statement, if the report addresses the privacy principle, and the service auditor's procedures do not extend to the subservice organization, when the carve-out method is used.

    278 4.02.c.vi(2) The service auditor's type 2 report should include a statement that the system description includes the subservice organization's applicable trust services criteria and controls and its privacy practices statement, when the report addresses the privacy principle, and the service auditor's procedures include procedures that are related to the subservice organization, when the inclusive method is used.

    279 4.02.d The service auditor's type 2 report should include a statement that the complementary user entity controls were not evaluated for operating effectiveness or suitability of design and the applicable trust services criteria can be met only if the complementary user entity controls are suitably designed and operating effectively, if the system description states the need for complementary user entity controls.

    280 1.17.b.ii(2) The type 1 report must include a written assertion about whether the controls were suitably designed to meet the applicable trust services criteria as of a named date.

    281 1.33 Bullet 2 The type 2 report for a SOC 2 engagement must include the service auditor's opinion about whether the controls stated in the description were suitably designed to meet the applicable trust services criteria.

    282 1.33 Bullet 3 The type 2 report for a SOC 2 engagement must include the service auditor's opinion about whether the identified controls were operating effectively to meet the applicable trust services criteria.

    283 4.01 Bullet 2 The service auditor must prepare a written description of the control tests and results, for a type 2 report.

    284 4.01 Bullet 3 The service auditor must provide a written description of the tests for compliance with its privacy practices and the results, for a type 2 report addressing the privacy principle.

    285 4.02.i The service auditor's type 2 report should include a statement that the examination included assessing the risks that the system description is not fairly presented; the controls were not suitably designed or operating effectively; and that the organization did not comply with the privacy practices statement.

    286 4.02.j The service auditor's type 2 report should include a statement that the examination included testing the operating effectiveness of those controls the service auditor believes are needed to provide reasonable assurance that the applicable trust services criteria were met, and testing compliance with the privacy practices statement.

    287 4.02.m.ii The service auditor's type 2 report should include the service auditor's opinion on whether the controls were suitably designed to provide reasonable assurance that the criteria would be met if the controls operated effectively throughout the named time period.

    288 4.02.m.iii The service auditor's type 2 report should include the service auditor's opinion on whether the tested controls operated effectively throughout the named time period.

    289 4.02.m.iv The service auditor's type 2 report should include the service auditor's opinion on whether the organization complied with the privacy practices statement throughout the named time period, if the audit report addresses the privacy principle.

    290 1.17.a.iii(1) The type 2 report must include a service auditor's report that expresses an opinion on paragraphs 1.17.a.ii(1) through 1.17.a.ii(4), when the report includes the privacy principle.

    291 4.02.k The service auditor's type 2 report should include a statement that the service auditor believes that the examination furnished a reasonable basis for the service auditor's opinion.

    292 4.02.l The service auditor's type 2 report should include a statement about the inherent limitations of the controls, including the risk of projecting to future evaluation periods any conclusions about the fairness of the system description, the design or operating effectiveness of the controls, and compliance with the privacy practices statement.

    293 1.12 Bullet 1 The service auditor should express an opinion on whether the system description is fairly presented based on the description criteria.

    294 1.12 Bullet 4 The service auditor should express an opinion on whether the organization is in compliance with the commitments stated in the privacy practices statement, for engagements to report on privacy principles.

    295 1.17.a.ii(1) The type 2 report must include a written assertion about whether the system description fairly presents the system that was designed and implemented throughout the named time period.

    296 1.17.a.ii(2) The type 2 report must include a written assertion about whether the controls named in the system description were suitably designed throughout the named time period to meet the applicable trust services criteria.
