Control Objectives, Control Criteria, Controls
ITGC and Transaction Processing
What are SOC 1 control objectives?
This report is for a point in time.
What is a type 1 report?
The PPCs forms that are completed during planning.
What are P forms?
Evidence cannot be provided to suffice testing or the evidence does not support the control.
What are exceptions noted?
This is executed first in order to start the audit.
What is the engagement letter?
The 5 Trust Services Criteria.
What is Security, Availability, Processing Integrity, Confidentiality and Privacy?
This section of the report is excluded from the opinion.
What is Section 5?
The PPC form that is completed when exceptions are noted.
What is a C1?
Samples are pulled either high or low.
What is the risk reliance?
This is done at the conclusion of planning to obtain team approval of the testing approach.
What is the TPM?
Change Management
What is CC8?
A general use report with no section 4.
What is a SOC 3 report?
The PPC form that is completed throughout the duration of the engagement.
What is P8?
The amount tested for automated controls.
What is a sample of 1?
The last and final step.
What is archiving?
Typically PI 1.2, PI1.3, PI1.4 are N/A.
What are SaaS providers?
This report opines on the operating effectiveness, suitability of design, and system description.
What is a Type 2 report?
The risk assessment PPC form for SOC 1.
What is P3?
Test of controls that begin with "Per inspection..."
What is no testing performed?
Management Inquiries
What is present and past?
This type of report requires a written assertion from the SSO and their controls are tested.
What is an inclusive report?
The date on this PPC form is the date in which the Engagement Letter was signed.
What is P2?
The testing results for if applicable or as applicable controls.
The Assertion and Management Representation Letter must be signed for this to happen.
What is the issuance of the final report?