SOC engagements
The SOC Mechanics
Know the roles and ownership: the service organization writes the description and assertion, the auditor opines, and CUECs sit with the user.
How the exam words it
- -The stem asks who is responsible for the description or the assertion, contrasting the service organization, the service auditor, and the user entity.
- -It describes a subservice organization and asks about the carve-out versus the inclusive method.
- -It defines complementary user entity controls (CUECs) and asks what they are or who must implement them.
- -It asks whether tests of controls appear in a Type 1 or a Type 2 report, or how points of focus are used.
The playbook
- 1Assign the roles: management of the service organization owns the system description and the written assertion, and the service auditor examines them and issues the opinion.
- 2Handle subservice organizations by method: carve-out excludes their controls from the description and scope, while the inclusive method folds them in.
- 3Treat CUECs as controls the report assumes the user entity operates; without them the service organization's controls may not achieve the objectives.
- 4Remember that only a Type 2 report includes tests of controls and their results over a period, and that points of focus are illustrative, not a checklist to test one by one.
The trap
Thinking the service auditor writes the description, or that a carved-out subservice is still tested. Management owns the description, and a carve-out is excluded from the auditor's scope.
How the exam varies it
The same pattern, re-skinned along these axes:
Role and ownership: description and assertion versus opinionCarve-out versus inclusive method for subservice organizationsCUECs, points of focus, and Type 2-only tests of controls
Drill this pattern
8 questions of The SOC Mechanics from across the AUD topics. Clear it by getting 5 right with a streak of 3.