Explore the foundational purpose, scope, and audience of SOC 1®, SOC 2®, SOC 3®, and SOC for Cybersecurity reports, understanding how each addresses specific stakeholder needs and compliance objectives.
Explore the primary elements of a SOC report, including management’s assertion, auditor’s opinion, and system description, with practical scenarios and guidance for CPAs and IT auditors.
Explore the distinctions between user entity controls and subservice organization controls in SOC reporting, learn their complementary roles, review real-world examples, and master techniques for effective coordination.
Discover how SOC 1® Examinations focus on financial reporting controls and address the specific needs of user entities relying on service organizations. Explore key objectives, scope boundaries, and typical applications—illustrated by practical payroll services use cases and industry scenarios.
Explore standard SOC 1® management assertions, their alignment with IT general controls, and how description criteria guide service organizations in presenting their systems.
Explore the unique approach to materiality in SOC 1® examinations, contrasting it with external financial statement audits, and learn how materiality is determined, tested, and documented within service organizations.
Explore how information technology materiality contrasts with traditional financial materiality, emphasizing how even small IT issues can pose business‑critical risks.
Explore the key distinctions between inclusive and carve-out methods for subservice organizations in SOC 1® examinations, including practical examples, flowcharts, and best practices.
Explore the five key Trust Services Criteria in SOC 2® examinations—Security, Availability, Processing Integrity, Confidentiality, and Privacy—and their alignment with the COSO Internal Control Framework.
Learn how to define SOC 2® system boundaries effectively while aligning with the AICPA’s Description Criteria. Avoid misrepresentations, refine scoping, and ensure accurate control coverage for high-quality SOC 2® examinations.
Learn how to identify and evaluate risks within each SOC 2® trust service category and apply effective control testing methodologies to ensure a reliable, secure, and compliant environment.
Learn how to weigh exceptions discovered during SOC 2® fieldwork, conclude their severity, and effectively form the final opinion in compliance with trust services criteria.
Learn the critical steps for accepting a SOC engagement while ensuring compliance with ethical standards and independence requirements. Explore professional standards references, conflict of interest warnings, and practical examples to guide CPAs through SOC engagement acceptance.
Learn how independence underpins SOC engagements, exploring the distinct roles and responsibilities of the service auditor and management in planning and performing an attestation under relevant AICPA standards.
Discover how to identify and assess Complementary User Entity Controls (CUECs) in SOC engagements, ensuring clarity on user entity responsibilities and risk mitigation strategies.
Explore essential methods for evidence gathering and effective communication with stakeholders to enhance SOC engagements, including best practices and a detailed fieldwork timeline.
Learn best practices for obtaining reliable audit evidence, including log sampling, configuration reviews, and re-performance of controls, to strengthen your SOC engagement.
Explore how service auditors arrive at unqualified, qualified, adverse, or disclaimer opinions in SOC engagements, and learn how to handle typical scenarios leading to each type of opinion.
Comprehensive guidance on addressing control changes, business acquisitions, and major incidents that occur after the examination period for SOC engagements.
Explore the critical processes, communication strategies, and best practices involved in effective coordination among SOC engagement teams, external auditors, and subject-matter specialists.
Learn how to avoid common pitfalls in SOC reporting—from scope confusion and subservice coverage errors to missing disclaimers—and discover best practices for clear, compliant, and reliable SOC engagements.
Discover how SOC 2® for Security focuses on specific trust services criteria while SOC for Cybersecurity adopts a broader lens on enterprise-wide cyber risk management and disclosure.
Explore how organizations describe and demonstrate their cybersecurity risk management programs for SOC for Cybersecurity engagements, focusing on presentation requirements, testing methodologies, and key stakeholders' responsibilities.
Discover advanced considerations for SOC for Cybersecurity in large-scale, distributed IT environments, including incident response strategies and best practices.
Explore strategies, frameworks, and best practices for effectively communicating cybersecurity findings to boards, regulators, and the public within SOC for Cybersecurity engagements.