Subject Index

A

ACCEPTING OR CONTINUING AN ENGAGEMENT 2.03–.73

. Competence of engagement team members 2.70–.73

. Examination addressing portion of program 2.17–.23

. Independence of practitioner 2.66–.69

. Management’s acceptance of responsibilities 2.03–.07

. Management’s refusal to provide written assertion 2.64

. Preconditions of acceptance 2.01, 2.10–.14, 2.28, 2.30

. Reasonable basis for management’s assertion 2.28–.36

. Requesting written assertion and representation from management 2.62–.65

. Subject matter appropriateness 2.15–.36

. Suitability and availability of criteria 2.42–.54

. Suitability of cybersecurity objectives 2.55–.61

. Third-party considerations 2.37–.41

ACCESS CONTROL LISTS 3.65

ACCOUNTANT’S REPORT. See also opinion; practitioner’s report Appendix F-1, Appendix F-2, Appendix G

ADVERSE OPINION. See also opinion 3.37, 4.30–.31, Table at 4.20

ALERT PARAGRAPHS RESTRICTING USE OF ACCOUNTANT’S REPORTS 2.44, 2.78, 4.11, 4.49–.54

APPROPRIATENESS OF SUBJECT MATTER FOR EXAMINATION 2.15–.36

ASSURANCE SERVICES EXECUTIVE COMMITTEE (ASEC) 2.46

ATTESTATION ENGAGEMENT, GENERALLY. See also cybersecurity risk management examination 1.11

ATTESTATION STANDARDS

. Applicable standards 1.51–.55

. Code of Professional Conduct 1.56

. Generally 1.09–.14

. Quality control standards and 1.57–.59

AUDIT SAMPLING 3.88–.91, 3.109–.110

AVAILABILITY OF CRITERIA 1.34, 2.42–.61

B

BOARD OF DIRECTORS 1.02, 1.04, 1.17, 1.22

BUSINESS OBJECTIVES 1.22–.26, 2.55, 2.57, 2.60

BUSINESS PARTNERS. See also third parties 1.05–.07

C

COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION (COSO) 1.22–.23, 2.49, 2.56

COMPARISON OF CYBERSECURITY RISK MANAGEMENT EXAMINATION AND SOC 2 EXAMINATION Appendix B

COMPETENCE CONSIDERATIONS

. Engagement team members 2.70–.73

. Internal auditors 2.118–.123, 3.101

. Other practitioner 2.135

. Specialists 2.139–.140, 3.114

COMPLIANCE OBJECTIVES

. Applicability to examination 1.36, 3.40

. Defined 1.23

CONFIDENTIALITY 3.129–.130

CONTROL CRITERIA

. Incident considerations 3.124

. Management responsibility for selection of 2.48

. Suitability and availability of 2.42

. Trust services criteria and 1.35, Appendix D

. Use in examination 1.08–.12, 1.28, 2.48–.54

CONTROLS, EFFECTIVENESS OF

. Alignment between security policies and controls 3.32, 3.40

. Criteria and 1.08–.12

. Deficiencies in. See deficiencies in controls

. Defined 1.27–.29

. Deviations in 3.03, 3.40–.41, 3.86, 3.119–.122

. Evaluation of results of procedure 3.118–.119

. Management responsibilities 2.29, 2.40

. Materiality considerations 3.38–.42

. Monitoring of controls 2.32–.40, 2.112, 3.95–.98

. Opinion of practitioner 1.36, 2.83, 4.08, 4.16

. Practitioner responsibilities and 4.01, 4.05

. Procedures to obtain evidence about 2.33, 2.48–.54, 3.38–.42, 3.57–.92, 3.104–.105

. Risk of material misstatement 2.109–.110

. Third parties 2.39, 3.93–.98

. Understanding requirements 2.100–.104

COSO. See Committee of Sponsoring Organizations of the Treadway Commission

CRITERIA. See also control criteria; description criteria

. Assessment of 2.42–.61

. Defined 1.33

. Selection of 2.42–.54

. Suitability and availability of 1.34–.35, 2.42–.61

CYBERSECURITY. See also cybersecurity risk management program

. Definitions Appendix H

. Distinguished from information security 1.15–.17

. Relationship to business objectives 1.24, 2.55

CYBERSECURITY OBJECTIVES

. Attributes of 2.56–.57

. Basic matters addressed by 2.58

. Criteria assessment 2.42–.61

. Defined 1.20, 2.56

. Example 2.59, Appendix C

. Generally 1.22–.26

. Material deficiencies 4.38–.41

. Materiality considerations 2.94–.99, 3.38–.42

. Operating effectiveness of controls 3.57–.92

. Security incidents and 4.18

. Suitability considerations 2.57–.61, 3.29, 3.34–.37

. Third parties 2.38–.39

CYBERSECURITY RISK MANAGEMENT EXAMINATION

. Accepting or continuing an engagement 2.09–.14

. Appropriateness of subject matter 2.15–.41

. Attestation standards in 1.09–.14, 1.51

. Changes in program during 3.33

. Compared to SOC 2 engagement 1.49, Appendix B

. Criteria for use on 1.34–.35

. Description criteria. See description criteria

. Design-only examination 1.42–.44, 2.24–.27

. Documentation 3.147–.151

. Entity-level controls 3.12

. Generally 1.08–.14, 1.30–.44

. Independence of practitioner 1.56, 2.66–.69, 2.142

. Information for entity management Appendix A

. Internal audit function, understanding 2.111–.115

. Internal auditors, use of work of 2.116–.131

. Management responsibilities 1.09, 1.11–.12, 1.32, 1.34–.35, 1.37, 2.03–.07, 2.17, 2.42

. Management’s assertion. See management’s assertion

. Opinion of practitioner 1.36, 4.09–.11, 4.60

. Other practitioner, use of 2.132–.138

. Performing procedures to obtain evidence in 2.100–.110

. Planning 2.01, 2.86–.99, 2.116–.145

. Practitioner’s responsibilities 2.08–.14

. Preconditions for engagement acceptance 2.10–.14

. Professional standards 1.51–.56

. Quality control 1.57–.59

. Risk assessment 2.107–.110

. Scope limitations 2.17–.23, 3.27, 3.138

. Selection of criteria 2.42–.54

. Specialist, use of 2.139–.145

. Team member competence 2.70–.73

. Time frame of 1.37, 3.82

. Top-down approach 2.91

. Trust services criteria 2.50, 2.92, Appendix D

. Written representations 3.133

CYBERSECURITY RISK MANAGEMENT EXAMINATION REPORT

. Design-only report Appendix F-1, Appendix F-2

. Illustrative report Appendix G

. Intended purpose of 1.13, 1.27

. Key components 1.12–.13

. Other information 4.62–.65

. Potential users of 1.03–.07

. Subsequent events 3.139–.146

CYBERSECURITY RISK MANAGEMENT PROGRAM

. Changes in during examination 3.33

. Cybersecurity objectives 1.22–.26

. Defined 1.19

. Description. See description of cybersecurity risk management program

. Entity-wide examination of 1.39, 1.41

. Generally 1.01–.02, 1.18–.26

. Implementation of 2.32

. Management responsibilities for 2.03–.07, 2.40

. Objectives of. See cybersecurity objectives

. Potential users 1.03–.07

. Professional standards 1.51–.59, 2.121, Appendix I

. Reasonable basis for management assertion about 2.28–.36, 2.40–.41

. Scope limitations 1.39–.41, 2.17–.23

. Third party considerations 2.37–.41, 3.40, 3.93–.98

. Types of engagements 1.45–.50, 2.03–.85

CYBERSPACE 1.15, 1.16–.17, 1.21

D

DEFICIENCIES IN CONTROLS

. Consideration of 4.06–.08

. Defined 3.03

. Entity-level controls 3.10–.12, 3.62

. Evaluating results of procedures 3.118–.119, 3.122

. Separate paragraphs 4.38–.41

. Suitably designed controls 3.55–.56, 4.40

DESCRIPTION CRITERIA

. Authoritative basis 2.45–.46

. Defined 1.33

. Disclosure of subsequent events 3.146

. Evaluating results of procedures 3.117–.119

. Generally 1.08–.12

. Implementation guidance 1.35, 2.59, 3.16, Appendix C

. Management use of 1.09, 1.12, 1.34, 2.05, 2.62, 2.89

. Practitioner use of 1.36, 4.01, 4.08

. Procedures to obtain evidence about 2.102, 3.14–.37

. Separate paragraphs because of material misstatements 4.32–.37

. Suitability and availability 2.42, 4.03

. Table of criteria Appendix C

DESCRIPTION OF CYBERSECURITY RISK MANAGEMENT PROGRAM

. Changes in cybersecurity risk management program 3.33

. Defined 1.12, 1.18

. Design-only examination 1.43, 2.25

. Evaluation 3.22–.26

. Events that could affect 3.140

. Generally 1.08–.12, 1.18–.26

. Known or suspected fraud or noncompliance 3.124–.130

. Management responsibilities for 1.25, 1.31–.32, 2.05, 2.10, 2.69, 3.46

. Materiality considerations for evaluation 3.03, 3.06–.07, 3.19–.26, 4.06–.08, 4.44

. Misstated or misleading information 3.22–.26, 4.36–.37

. Other information included in 4.64

. Practitioner’s opinion on 4.01–.03

. Procedures to obtain evidence about 2.102, 3.14–.37

. Subsequent events 3.139–.146

. Written representations about 3.131

DESIGN OF CONTROLS. See suitably designed controls

DESIGN-ONLY EXAMINATION 1.42–.44, 2.24–.27, 4.14–.15

DESIGN-ONLY REPORTS 2.25–.27, Appendix F-1, Appendix F-2

DEVIATIONS IN OPERATING EFFECTIVENESS OF CONTROLS 3.03, 3.40–.41, 3.86, 3.119–.122

DISCLAIMER OF OPINION

. Change of engagement terms when management disagrees 2.85

. Conditions for Table at 4.20

. Defined 4.48

. Effect of opinion modification on one subject matter 4.09–.10

. Lack of practitioner independence when required by law or regulation to accept engagement 2.66

. Refusal of management to provide written assertion 2.64, 3.138

. Reporting 4.48

DISTRIBUTION OF REPORTS 4.56–.58

DOCUMENTATION REQUIRED FOR ENGAGEMENT 3.147–.151

E

EMPHASIS PARAGRAPHS 4.22–.23

ENGAGEMENT LETTER 2.06, 2.77, 2.140

ENTITY-LEVEL CONTROLS 3.09–.12, 3.62, 3.121

EVIDENCE

. Assessing risk of material misstatement 2.104–.110

. Description of entity’s cybersecurity risk management program 3.14–.37

. Designing responses to risk assessment 3.09–.13

. Materiality considerations 3.04–.09, 3.19–.21, 3.39–.42

. Operating effectiveness of controls 3.57–.59

. Procedures to obtain 3.01–.12, 3.29–.33, 3.43–.92, 3.104, 4.04–.05

. Responding to risks and obtaining 3.01–.03

. Revising the risk assessment 3.100

. Sufficiency and appropriateness of 3.117, 4.04–.05

. Suitability of design 3.43–.54

. Timing of procedures to obtain 3.79–.82

EXTENT OF PROCEDURES 3.83–.89

F

FRAUD CONSIDERATIONS 2.106, 3.39, 3.48, 3.69, 3.124–.130

I

ILLUSTRATIVE MANAGEMENT DESCRIPTION OF ENTITY’S CYBERSECURITY RISK MANAGEMENT PROGRAM Appendix G

IMPLEMENTATION GUIDANCE FOR DESCRIPTION CRITERIA 2.45, 3.16, Appendix C

INDEPENDENCE 1.56, 2.66–.69, 2.142

INFORMATION AND SYSTEMS, DEFINED 1.19–.20

INFORMATION ASSETS 2.34, 2.107, 3.39, 3.51, 3.94

INFORMATION PRODUCED BY ENTITY 3.70–.78

INFORMATION SECURITY. See also cybersecurity 1.15–.17

INFORMATION TECHNOLOGY (IT) SYSTEMS 1.15–.20, 3.94

INHERENT LIMITATIONS

. Agreed-upon terms of engagement 2.75

. Effect on effectiveness of cybersecurity risk management program 1.21

. Effect on restriction on use of report 4.54

. Implied understanding of potential users of cybersecurity management report 2.97

. Required element in practitioner’s report 4.12

INTENTIONAL ACTS 3.40

INTERNAL AUDIT FUNCTION 2.111–.131

. Coordinating procedures with 2.126–.130

. Defined 2.113

. Determining extent to which to use 2.124–.125

. Evaluation of adequacy of work 2.131

. Evaluation of competence, objectivity and approach 2.118–.223

. Planning to use 2.79, 2.86, 2.116–.131

. Understanding of 2.111–.115

. Using work of 3.101–.113

INTERNAL CONTROL—INTEGRATED FRAMEWORK (COSO FRAMEWORK) 1.22–.23, 2.49, 2.56

IT. See information technology (IT) systems

M

MANAGEMENT

. Assertion from. See management’s assertion

. Cybersecurity objectives responsibility 2.56

. Cybersecurity risk management examination responsibilities 1.09, 1.11–.12, 1.32, 1.34–.35, 1.37, 2.03–.07, 2.29, 2.40, 3.152–.156

. Cybersecurity risk management program responsibilities 1.02, 1.06

. Documentation of assessment of control effectiveness 2.36

. Reasonable basis for assertion 2.29

. Responsibility to prepare description 1.25, 1.31–.32, 2.05, 2.10, 2.69, 3.46

. Scope of engagement responsibility 2.17

. SOC 2 engagement responsibilities 1.46–.48

. Third party risks to program 3.95–.98

. Written representations from 2.05, 2.65, 3.40, 3.131–.146

MANAGEMENT’S ASSERTION

. Illustrative example Appendix E, Appendix G

. Modifications to 3.153–.156

. Reasonable basis criteria for 2.28–.36, 2.40–.41

. Refusal to provide 2.64

. Requests for 2.62–.65, 3.138

. Scope limitations 2.23

. Subject matters addressed 1.12

. Subsequent events 3.140

MATERIAL DEFICIENCIES 3.127, 4.38–.41

MATERIAL MISSTATEMENT

. Adverse opinion 4.30–.31

. Effect on practitioner’s opinion 4.26, 4.32–.41, 4.46, 4.63

. Qualified opinion 4.27–.29

. Separate paragraphs to add to report 4.32–.41

MATERIALITY CONSIDERATIONS 2.08, 2.89, 2.94–.99, 3.04–.09, 3.19–.21, 3.38–.42

MISSTATEMENT, DEFINED. See also material misstatement 3.02

MODIFIED OPINION 3.36, 4.16–.25

MONITORING OF CONTROLS 2.32–.40, 2.112, 3.95–.98

N

NONASSURANCE CONSULTING ENGAGEMENT 1.50

NONCOMPLIANCE WITH LAWS OR REGULATIONS 2.106, 3.124, 3.126–.130

O

OBJECTIVES, CYBERSECURITY. See cybersecurity objectives

OPERATING EFFECTIVENESS OF CONTROLS

. Control criteria for evaluation. See control criteria

. Controls that did not operate during examination period 3.99

. Defined 1.28

. Deviations in 3.03, 3.40–.41, 3.86, 3.119–.122

. Effect of entity-level controls 3.10

. Evaluation of reliability of entity-prepared information 3.70–.78

. Evaluation of results of procedures 3.117–.124

. Extent of procedures 3.83–.89

. Materiality considerations 3.38–.43

. Nature of procedures 3.63–.69

. Procedures to obtain evidence about 3.47, 3.57–.92, 3.104

. Selecting items to test 3.90–.91

. Testing changes to controls 3.92

. Third party considerations 3.93–.98

. Timing of procedures 3.79–.81

OPERATIONS OBJECTIVES 1.23

OPINION

. Adverse opinion 3.37, 4.30–.31, Table at 4.20

. Alignment with management’s assertion 3.156

. Cybersecurity objectives and 2.61, 3.34–.37

. Design-only examination 2.27

. Disclaimer of opinion. See disclaimer of opinion

. Effect of subsequent events 3.146

. Forming 2.110, 4.04–.11

. Generally 1.36, 2.13, 4.01–.02

. Modified 4.10, 4.16–.25

. Qualified opinion 4.10, 4.27–.29, 4.45–.47, Table at 4.20

. Scope limitations 2.22

ORGANIZATIONAL CHARACTERISTICS OF ENTITY 2.88

OTHER INFORMATION 4.62–.65

OTHER PRACTITIONER, USE OF 2.132–.138, 4.59

P

PERIOD OF TIME OR SPECIFIED PERIOD OF TIME 1.37, 2.16, 2.29, 3.79–.81, 4.41

PERVASIVE EFFECTS 3.120–.121

PLANNING OF CYBERSECURITY RISK MANAGEMENT EXAMINATION 2.01, 2.86–.99, 2.116–.145

POINT IN TIME 1.37, 3.82

POINTS OF FOCUS 2.49, Appendix D

POTENTIAL USERS OF CYBERSECURITY PROGRAM 1.03–.07

PRACTITIONER’S REPORT 4.01–.65

. Additional disclosures 3.23–.24

. Alert paragraph restricting use of report 2.78

. Assertions included in 2.63

. Considering material uncorrected description misstatements and deficiencies 4.06–.08

. Considering sufficiency and appropriateness of evidence 4.05–.06

. Controls not operating during period of report 4.24–.25

. Description assessment 4.26–.41

. Design-only examination report 4.14–.15

. Disclaimer of opinion 4.48

. Distribution of report 4.56–.58

. Elements of 4.12–.13

. Emphasis of certain matters 4.22–.23

. Expressing an opinion on subject matters 4.09–.11

. Forming an opinion 4.04–.11, 4.27–.31

. Illustrative examples Appendix F-1, Appendix F-2, Appendix G

. Intended users of 1.03–.07

. Management responsibilities 2.17

. Material misstatements 4.26–.41

. Modifications to opinion 4.16–.21, 4.45–.48, Table at 4.20

. Other information 4.62–.65

. Other practitioner’s work, use of 4.59

. Practitioner’s responsibilities 4.01–.03

. Preparing report 4.12–.15

. Qualified opinions 4.27–.29, 4.45–.47

. Report date 4.61

. Restricting use of report 4.49–.55

. Scope limitation 4.42–.48

. Separate paragraph when a scope limitation results in a qualified opinion 4.47

. Separate paragraphs because of material misstatement in description 4.32–.36

. Separate paragraphs because of material misstatement in effectiveness of controls 4.38–.41

. Specialist’s work, use of 4.60

. Subsequent events 3.139–.46

PRACTITIONER’S SPECIALIST, USE OF 2.73, 2.139–.145, 3.114–.116, 4.60

PROFESSIONAL STANDARDS 1.51–.59, 4.49–.53

Q

QUALIFIED OPINION. See also opinion 4.10, 4.27–.29, 4.45–.47, Table at 4.20

QUALITATIVE AND QUANTITATIVE MATERIALITY FACTORS 2.94, 3.08, 3.19–.21, 3.40–.41, 3.118

QUALITY CONTROL 1.57–.59, 2.121, Appendix I

R

RELIABILITY OF ENTITY-PREPARED INFORMATION 3.70–.78

REPERFORMANCE 2.131, 3.64, 3.102–.103

REPORT DATE 4.61

REPORTING. See accountant’s report; cybersecurity risk management examination report; opinion; practitioner’s report

REPRESENTATION LETTER 3.40, 3.131–.146

RESPONSIBLE PARTY. See management

RESTRICTING USE OF ACCOUNTANT’S REPORT. See alert paragraphs restricting use of accountant’s reports

REVISING RISK ASSESSMENT 3.100

RISK ASSESSMENT PROCEDURES

. Assessing risk of material misstatement 2.104–.110, 3.100

. Consideration of cybersecurity objectives and 3.35

. Effect of control deviations on 3.86, 4.06

. Effect of fraud or suspected fraud 3.125

. Evaluating results of 3.117–.123

. Internal audit findings 2.115

. Materiality considerations 3.04–.08

. Obtaining understanding of cybersecurity risk management program and controls 2.100–.103

. Revising the risk assessment 3.100

. Risk mitigation related to third parties 3.93–.98

S

SAMPLING, AUDIT 3.88–.91, 3.109–.110

SCOPE LIMITATIONS 1.14, 1.39–.41, 2.17–.23, 3.27, 4.42–.48

SECURITY EVENTS, DEFINED 1.20

SECURITY INCIDENT, DEFINED 1.20

SEGMENTATION 3.121

SEPARATE PARAGRAPHS IN REPORT 3.126, 4.32–.41, 4.47, 4.65

SOC 2 ENGAGEMENTS 1.46–.49, Appendix B

SPECIALISTS, USE OF 2.73, 2.139–.145, 3.114–.116, 4.60

SUBSEQUENT EVENTS 3.139–.46

SUFFICIENCY AND APPROPRIATENESS OF EVIDENCE 3.117, 4.04–.05

SUITABILITY OF CYBERSECURITY OBJECTIVES 2.55–.61, 3.29, 3.34–.37, 3.43–.46

SUITABLE CRITERIA 1.34, 2.42–.61

SUITABLY DESIGNED CONTROLS

. Deficiencies in 3.55–.56, 4.40

. Defined 1.28, 3.57

. Description criteria used in evaluation 2.42, 4.03, Appendix C

. Evaluation of 3.43–.56

. Examination restricted to 1.42–.44, 2.24–.27, 4.14–.15

SYSTEMS, DEFINED 1.20

T

TEAM MEMBER COMPETENCE ASSESSMENT 2.70–.73

TERMS OF ENGAGEMENT 2.74–.85

THIRD PARTIES

. Consideration of in the examination 2.37–.41

. Effect on appropriateness of subject matter 2.16

. Effect on planning 2.88

. Effect on reasonable basis of management’s assertion 2.32–.39

. Management responsibility for controls of 2.04

. Materiality considerations 3.40

. Procedures to test effectiveness of monitoring controls over 3.96–.98

. Risk mitigation and control considerations 3.93–.98

TIME FRAME OF EXAMINATION. See also period of time; point in time 1.37, 3.82

TIMING OF EVIDENCE-OBTAINING PROCEDURES 3.79–.81

TOP-DOWN APPROACH 2.91

TRUST SERVICES CRITERIA 1.35, 2.48–.54, 2.92, Appendix D

U

UNDERSTANDING ENTITY PROGRAM AND CONTROLS 2.100–.103, 3.17

USE OF INQUIRY ALONE 3.31, 3.66

USE OF INTERNAL AUDITORS TO PROVIDE DIRECT ASSISTANCE 2.79, 2.117–.123, 2.130, 3.112–.113

USER ENTITY IN SOC 2 ENGAGEMENT 1.46–.48

W

WALKTHROUGHS 2.102, 3.17, 3.30–.31, 3.47

WITHDRAWAL FROM EXAMINATION

. Due to identification of fraud 3.125

. Management’s refusal to correct material inconsistencies in description 4.63

. Management’s refusal to modify assertion 2.64, 3.156

. Management’s refusal to provide written assertion 2.64

. Management’s refusal to provide written representations 3.138, 3.145

. Management’s refusal to sign engagement letter 2.80

WRITTEN REPRESENTATIONS 2.05, 2.65, 3.40, 3.131–.146
