What does "SOC" stand for?
System and Organization Controls
What is the difference between a type 1 and a type 2 report?
A type 1 report does not require sampling. It tests whether controls are suitably designed (and implemented) as of a single point in time.
A type 2 report requires sampling. It tests both the design and the operating effectiveness of controls over a period of time.
During a SOC 2 type 1 audit it was noted the as of date is September 30, 2023. The control states:
"Personnel are required to read and accept the Code of Conduct upon hire."
The client provided the following for evidence. Is this appropriate?
No. The evidence provided is dated outside the audit period; for a type 1 report the evidence must support the control as of the as-of date, September 30, 2023.
During a SOC 2 type 2 audit it was noted the period covers January 1, 2023 to December 31, 2023. For a monthly control, how many months should be sampled?
2 Months
Controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management’s description of the service organization’s system.
Carved-Out Method Only
Complementary Subservice Organization Controls (CSOCs)
The customer of the service organization using the service/product. (aka Reader of the Report)
User Entity
True or False
When testing password settings for a SOC 2, the settings must comply with the Company's documented standard. Explain your reasoning.
True. The control states that the settings must comply with the Company's documented standard, so the configured settings are compared against that standard and any deviation is an exception.
The SOC 2 test procedure states:
Inspected the Risk Management Committee agendas for a sample of months to confirm the Committee meets to discuss risks to the organization and mitigation strategies on a monthly basis.
You sampled August 2023. Is the evidence provided sufficient?
No. The evidence provided was for the wrong sampled month.
The Company had 48 new employees onboarded during the audit period. How many new hires should be sampled?
3 New Hires
For inquiry controls, how many individuals should be interviewed?
At least two. Dual inquiry is required for all inquiry controls.
Report on management’s description of a service organization's system and the suitability of the design and operating effectiveness of controls
Type 2 Report
Wolf inspected a user list and compared it to the employee roster and noted the following:
- 7 accounts belong to terminated employees
- 16 generic/service accounts
- 4 unknown accounts
What are the next steps for each bullet noted above?
1. Confirm whether the terminated users' accounts are still active (enabled) within the system. If so, note the finding.
2. Confirm with management that the generic/service accounts are appropriate and necessary. If so, document the explanation within the testing performed.
3. Ask management to confirm the employment status of the unknown accounts. Update the user list testing with the explanations.
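The user list reconciliation described above, as an added example (not part of the original flashcards): the script compares a system user list against the HR roster and sorts each account into the three buckets the next steps refer to, flagging only terminated employees whose accounts are still enabled as findings. The roster and user list are constructed sample data, and the `svc_`/`svc-`/`app_` prefixes used to recognise generic/service accounts are an assumed naming convention.

```python
"""Reconcile a system user list against an HR roster (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SystemAccount:
    username: str
    enabled: bool
    email: Optional[str]  # None when the account is not tied to a person's mailbox


@dataclass(frozen=True)
class RosterEntry:
    email: str
    status: str  # "active" or "terminated"


# Assumed naming convention for generic/service accounts (not from the original page).
SERVICE_PREFIXES = ("svc_", "svc-", "app_")

# Follow-up action per bucket, mirroring the three next steps above.
NEXT_STEPS = {
    "active": "No action; account maps to an active employee.",
    "terminated_enabled": "FINDING: terminated employee still has an enabled account.",
    "terminated_disabled": "Account disabled on termination; document in testing, no finding.",
    "generic_service": "Confirm with management the account is appropriate/necessary; document the explanation.",
    "unknown": "Ask management to confirm employment status; update the user list testing with the explanation.",
}


def classify(accounts: List[SystemAccount], roster: List[RosterEntry]) -> Dict[str, List[str]]:
    """Bucket every account on the user list by comparing it to the roster."""
    by_email = {r.email.lower(): r for r in roster}
    buckets: Dict[str, List[str]] = {key: [] for key in NEXT_STEPS}
    for acct in accounts:
        entry = by_email.get((acct.email or "").lower())
        if entry is not None:
            if entry.status == "active":
                buckets["active"].append(acct.username)
            elif acct.enabled:
                buckets["terminated_enabled"].append(acct.username)
            else:
                buckets["terminated_disabled"].append(acct.username)
        elif acct.username.lower().startswith(SERVICE_PREFIXES):
            buckets["generic_service"].append(acct.username)
        else:
            buckets["unknown"].append(acct.username)
    return buckets


def workpaper_lines(buckets: Dict[str, List[str]]) -> List[str]:
    """One line per non-empty bucket: count, usernames and the next step to document."""
    return [
        f"{key}: {len(names)} account(s) {names} -> {NEXT_STEPS[key]}"
        for key, names in buckets.items()
        if names
    ]


# Constructed sample data: a user list exported from the system and the HR roster.
USER_LIST = [
    SystemAccount("jdoe", True, "jdoe@example.com"),
    SystemAccount("asmith", True, "asmith@example.com"),    # terminated, still enabled
    SystemAccount("bwolf", False, "bwolf@example.com"),     # terminated, already disabled
    SystemAccount("svc_backup", True, None),
    SystemAccount("app_deploy", True, None),
    SystemAccount("contractor7", True, None),               # no roster match, not a service name
    SystemAccount("tlee", True, "tlee@example.com"),        # mailbox not on the roster
]
ROSTER = [
    RosterEntry("jdoe@example.com", "active"),
    RosterEntry("asmith@example.com", "terminated"),
    RosterEntry("bwolf@example.com", "terminated"),
]

if __name__ == "__main__":
    for line in workpaper_lines(classify(USER_LIST, ROSTER)):
        print(line)
```

Only the `terminated_enabled` bucket is a finding; the other non-active buckets are open items that need management's explanation before the user list testing can be closed out.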
The SOC 2 type 2 control states:
"Passwords must be at least eight (8) characters in length and meet complexity requirements. Passwords must be changed every ninety (90) days and the previous twelve (12) passwords cannot be used."
The following evidence was provided. Is this sufficient?
No. Evidence of password settings should be system generated or a screenshot taken directly from the system's password policy configuration, so that each parameter (length, complexity, 90-day expiry, 12-password history) can be read from the setting itself.
SOC 2 type 2 audit, no significant risk. The control states:
"Change requests are documented in tickets that include design specifications, risks, back-out plans, and approval."
Inspected the list of change requests and noted the following:
- 101 completed change requests
- 99 in progress change requests
How many changes should be sampled?
8 changes, selected from the 101 completed change requests. In-progress requests have not yet completed the control (approval and closure) and are excluded from the population.
SOC 2 type 2 audit. It was noted incremental backups are automatically performed on a daily basis.
How should you complete the testing to ensure the control is designed and operating effectively?
Request the backup logs (or a screenshot of them) covering the full audit period and confirm that an incremental backup ran every day.
You do NOT select a sample of days; this is an automated control, so the complete log for the period is inspected.
Controls that are designed, but did not have an opportunity to operate as a “trigger” event did not occur
Controls Did Not Operate
The Company switched their event log management solution halfway through the audit period. Is that ok and how should we test it?
Yes. This is a change to the control environment during the period. Update the control description to reflect the change, and test both the old and the new solution for the portion of the period each one covered.
The SOC 2 control states:
"All change requests must be formally documented and detail the reason for the change, a description on how the change is to be implemented, the impact of the change, and the rollback plan should the change not be successful, as appropriate."
The following screenshot was provided as evidence for a sampled change request. Is this appropriate?
No. The full ticket was not provided, and the ticket does not show the rollback plan.
The SOC 2 type 2 control states:
Antivirus software is installed on all workstations, laptops, and servers.
There are a total of 65 servers so you select a sample of 8 servers. Management confirms that 2 of the 8 sampled servers are appliances and not standard servers. How should you complete the testing?
Note this within the testing and select 2 replacement servers from the remaining population, so the sample still contains 8 in-scope servers.
The SOC 2 Type 2 audit covers the period October 1, 2023 to April 30, 2024. The SOC 2 control states:
"An alert is generated to appropriate personnel when malicious software is detected in the production environment."
The client provides a screenshot of the alert config and a recent alert. Is this appropriate?
No. The example alert is not sent to the group noted within the configuration screenshot
Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
SOC 2 Trust Services Criteria - Privacy
When completing a SOC 2 readiness assessment the client notes a shared user account is used by personnel to login to the Windows Jump Server and Linux Jump Server.
Is this appropriate?
No. A shared user account removes individual accountability for actions taken on the jump servers and increases the risk of unauthorized access; each user should authenticate with a uniquely assigned account.
The SOC 2 control states:
"Major security incidents are reported to the Information Security Team and tracked through to resolution in a ticketing system, if deemed necessary."
You confirm with management there were no major incidents during the audit period and they provided the following as evidence. Is this sufficient?
Yes, this is sufficient, as you confirmed with management and inspected their tracking sheet. Because no triggering event occurred during the period, the control had no opportunity to operate and is reported as a control that did not operate.
The audit period for a SOC 2 type 2 report is July 1, 2023 to December 31, 2023. The control states:
"Antivirus details reports are automatically sent from Endpoint Central to the Security Notifications group on a daily basis."
The risk assessment determined this to be a high risk control. How many days should be sampled?
25 days should be sampled
The SOC 2 type 2 audit has a 6 month period (July 1, 2023 to December 31, 2023). How would you select a sample for a quarterly control?
List out the quarters that would be within the period:
- Q3 2023
- Q4 2023
Select a sample of 1 quarter from a population size of 2
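The population-building step above (and the earlier point that evidence dated outside the audit period is not acceptable), as an added example that is not part of the original flashcards: the helper enumerates every month or quarter that overlaps a type 2 period, flags periods that are not fully inside it, draws a seeded random sample, and checks an evidence date against the period. The audit periods used below are the ones on this page; the sample sizes and the "include partial periods" behaviour are assumptions for illustration, not a firm's sampling guide.

```python
"""Build a sampling population of months or quarters for a type 2 period (added example)."""
import random
from datetime import date, timedelta
from typing import List, NamedTuple, Optional


class Period(NamedTuple):
    label: str
    start: date
    end: date
    fully_within: bool  # False when the month/quarter extends past the audit period


def enumerate_periods(start: date, end: date, frequency: str) -> List[Period]:
    """Every month or quarter that overlaps [start, end], in calendar order."""
    if frequency == "monthly":
        step = 1
    elif frequency == "quarterly":
        step = 3
    else:
        raise ValueError(f"unsupported frequency: {frequency}")

    # Align the first period to a month or quarter boundary at or before the start date.
    first_month = start.month if step == 1 else ((start.month - 1) // 3) * 3 + 1
    cur = date(start.year, first_month, 1)
    periods: List[Period] = []
    while cur <= end:
        year, month = cur.year, cur.month + step
        if month > 12:
            year, month = year + 1, month - 12
        nxt = date(year, month, 1)          # first day of the following period
        period_end = nxt - timedelta(days=1)
        if step == 1:
            label = f"{cur.year}-{cur.month:02d}"
        else:
            label = f"Q{(cur.month - 1) // 3 + 1} {cur.year}"
        periods.append(Period(label, cur, period_end, cur >= start and period_end <= end))
        cur = nxt
    return periods


def select_sample(population: List[Period], size: int, seed: Optional[int] = None) -> List[str]:
    """Random selection of `size` period labels; a seed makes the selection reproducible."""
    if size > len(population):
        raise ValueError("sample size exceeds population")
    rng = random.Random(seed)
    return [p.label for p in rng.sample(population, size)]


def evidence_in_period(evidence_date: date, start: date, end: date) -> bool:
    """True only when the evidence is dated inside the audit period."""
    return start <= evidence_date <= end


if __name__ == "__main__":
    # The 6-month period from the page: July 1, 2023 to December 31, 2023.
    quarters = enumerate_periods(date(2023, 7, 1), date(2023, 12, 31), "quarterly")
    print([q.label for q in quarters])                 # population of 2 quarters
    print(select_sample(quarters, 1, seed=2023))        # sample of 1 from 2
    print(evidence_in_period(date(2023, 6, 15), date(2023, 7, 1), date(2023, 12, 31)))
```

A period whose `fully_within` flag is False (for example Q2 2024 in an October 2023 to April 2024 audit) is still part of the population but needs a note in the workpaper about which part of the quarter the evidence is expected to cover.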