SOC Engagement: Planning & Risk Assessment
Step 1: Understanding Service Organization Management's Responsibilities
Before an engagement is accepted, the service auditor must establish a clear understanding of management's responsibilities. Management's decisions directly impact the nature, extent, and timing of the auditor's procedures.
Key Management Responsibilities (Applicable to SOC 1, 2, & 3):
- Defining the Scope: Determining which services, systems, report type (Type 1 or 2), and time period the engagement will cover.
- Handling Subservice Organizations: Identifying subservice organizations and deciding whether to use the "carve-out" or "inclusive" method.
- Preparing the Description & Assertion: Management is responsible for preparing a description of its system and a written assertion, and must have a reasonable basis for it.
- Identifying Risks & Controls: Identifying risks that threaten the achievement of control objectives (SOC 1) or service commitments (SOC 2/3) and designing appropriate controls.
- Providing Access: Granting the service auditor access to all relevant information, documentation, and personnel.
- Written Representations: Providing the service auditor with a written representation letter at the conclusion of the engagement.
- Disclosing Key Information: Disclosing any noncompliance, fraud, control deficiencies, or significant subsequent events to the auditor.
Step 2: Auditor's Planning & Objectives
The service auditor's primary objective is to obtain reasonable assurance, based on suitable criteria, about whether management's description of the system is fairly presented and whether the controls are suitably designed (and, for a Type 2 report, operating effectively).
Auditor's Key Planning Responsibilities:
- Acceptance & Continuance: Deciding whether to accept a new engagement or continue an existing one.
- Agreeing on Engagement Terms: Establishing a mutual agreement on the objectives, scope, responsibilities of each party, and the criteria to be used. This is typically documented in an engagement letter.
- Establishing an Overall Strategy: Setting the scope, timing, and direction of the engagement, which guides the development of the detailed audit plan.
- Performing Risk Assessment Procedures: Gaining an understanding of the service organization's system and its controls to identify and assess risks of material misstatement.
- Requesting Written Assertion: The service auditor must request that management provide a written assertion about its system and controls.
Step 3: Key Considerations in Planning
During the planning phase, the auditor must address several critical factors that can influence the engagement, including independence and materiality.
Independence Considerations:
- The service auditor must be independent of the service organization (the responsible party).
- If the "inclusive method" is used for a subservice organization, the auditor must also be independent of that subservice organization.
- The service auditor is not required to be independent of each user entity.
Materiality Considerations:
- For SOC 1: Materiality relates to the fair presentation of the description. It focuses on whether significant aspects of processing are included and information is not omitted or distorted. For a Type 2 report, it also includes quantitative (rate of deviations) and qualitative (nature of deviations) factors for control effectiveness.
- For SOC 2: Materiality is about the likelihood and magnitude of risks threatening the achievement of service commitments and system requirements. The auditor considers whether misstatements or control deficiencies could reasonably influence the decisions of report users.
Related terms used when assessing materiality:
- Description Misstatement: An error or omission in the system description.
- Deviation/Exception: A control fails to operate in a specific instance.
- Design Deficiency: A necessary control is missing or poorly designed.
- Operating Deficiency: A well-designed control fails to operate as designed.
Step 4: The Risk Assessment Process
The service auditor must perform risk assessment procedures to identify and assess the risks of material misstatement. This provides the basis for designing further audit procedures.
Understanding the System (SOC 2):
The auditor must understand the five interrelated components of the system:
- Infrastructure: Physical and virtual resources (servers, networks, buildings).
- Software: Applications and programs supporting the system.
- People: Employees, contractors, and managers who operate and use the system.
- Procedures: Automated and manual business procedures.
- Data: Information used by the system, including its flow and storage.
Auditor's Risk Assessment Procedures:
The auditor performs a combination of procedures to understand the system and assess risk:
- Inquiring: Asking management, those charged with governance, and other relevant personnel.
- Observing and Inspecting: Watching operations and examining documents, reports, and records.
- Inspecting Agreements: Reviewing a selection of contracts with user entities and business partners.
- Reperforming: Independently re-executing a control to test whether it operates effectively.
- Walk-throughs: Tracing a transaction from origination to completion to understand the process flow and controls.