Evaluating Service Organization Control Reports
Jay Crossland
Considerations when evaluating a Service Organization Control (SOC) report
Crossland Advisors, Inc. http://crosslandadvisors.com/ 610-365-4852 Copyright © 2016

Evaluating Service Organization Control Reports (SOC1, SOC2, SOC3)

Even though Service Organization Control (SOC) reports have been available since 1992, their actual usage and importance have increased significantly with the Sarbanes-Oxley (SOX) Act in 2002. Prior to SOX, contractual obligations for service organizations to provide a SOC report were generally not specific or not included (it is noted that prior to 2002, contractual requirements for SOC reports were typically found in the government sector, but not for commercial companies). Also, the client organization (aka the user entity) requesting and receiving the report seldom evaluated the report; often, it was a “check-the-box” compliance exercise only to make sure a report was received.

With the advent of SOX, financial auditors realized that controls at service organizations needed to be thoroughly evaluated to make sure they were comprehensive, appropriate and operating effectively. The increased focus by financial auditors forced user entity management to also evaluate the controls at their service organization(s), since these services are an extension of the user entity’s processes and internal controls and could have a direct impact on other user entity controls and financial statements. The user entity should expect their service organization(s) to have at least the same level of controls as if those services were provided in-house. Unfortunately, most user entities do not have a thorough understanding of SOC reports and thus do not know how to effectively evaluate the report(s) they receive from their service organization(s).

A comprehensive evaluation of a SOC report will ascertain whether:

• The report as of a date or period is appropriate for user entity purposes
• The standard under which the SOC report was issued is appropriate
• The report identifies the use of subservice organizations
• The intended users of the report are appropriate
• The report addresses the “System”, which includes the IT applications, policies and procedures and service organization locations, used by the entity. “System” refers to the policies and procedures designed, implemented and documented by management of the service organization, including IT components, to provide user entities with the services covered by the service auditor's report. The term “System” does not refer to just the IT applications.
• The evidence provided by the report is sufficient and appropriate for understanding the service organization's relevant processes and risks
• The report identifies issues with the processes or controls at the service organization

The first step in evaluating a SOC report is to understand the sections of the report:

SOC1
o Report cover
o Auditor’s opinion
o Management assertion
o Description of the system
o Control objectives, controls, tests and results

SOC2
o Report cover
o Auditor’s opinion
o Management assertion
o Description of the system
o Criteria, controls, tests and results

SOC3
o Report cover
o Auditor’s opinion
o Management assertion
o Short description of the system

Auditor’s opinion

The Auditor’s opinion summarizes the scope and conclusion of the report. The opinion includes:

• The system(s) included in scope and the period being audited
• An identification of subservice organizations included or carved-out
• Whether or not the system description fairly presents what was designed and implemented, the controls related to the control objectives were suitably designed to reasonably achieve the control objectives and the controls tested were operating effectively throughout the period
• The intended users of the report

Management assertion

The service organization makes an assertion regarding its description of the system and the operation of the system. Management asserts that:

• The description presents how the service organization’s system was designed and implemented
• The description of the service organization’s system includes relevant details of changes to the service organization’s system during the period covered by the description
• The description of the service organization’s system does not omit or distort information relevant to the service organization’s system, while acknowledging that management’s description of the service organization’s system is prepared to meet the common needs of a broad range of user entities and their user auditors, and may not, therefore, include every aspect of the service organization’s system that each individual user entity and its user auditor may consider important in its own particular environment
• The risks that threaten the achievement of the control objectives/criteria stated in management’s description of the service organization’s system have been identified by management
• The controls identified in management’s description of the service organization’s system would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives/criteria stated in the description from being achieved
• The controls were consistently applied as designed, throughout the specified period, including whether manual controls were applied by individuals who have the appropriate competence and authority

An assertion should be included for any service organization whose control objectives and controls have been included in the Auditor’s opinion, system description and control objectives/criteria, controls, tests and results. The assertion may include the name of the authorizing official at the service organization, but such naming is not required.

Description of the system

The system description identifies the services that are likely to affect a user entity’s internal controls, including applications, technology and supporting IT processes.

The description will identify and document:

• The control environment, risk assessment and monitoring performed as part of internal control
• Each business process/principle being included as part of the service overview, along with the process owner(s), process description and related controls
• The control objectives/criteria associated with each business process/principle, along with the risks that threaten the achievement of the control objectives/criteria, the controls that address the risks, and the service organization’s basis for its assertion that each control was implemented throughout the report period. While IT controls do not directly affect the financial statement assertions of user entities, they are almost always necessary for the proper functioning of the business process controls that do directly affect these assertions.
• The physical location(s) where processing occurs
• Subservice organizations and the services they provide
• Complementary user entity controls (CUECs). CUECs are controls assumed to be in place at the user entity in order for the specified control objectives and related controls to be achieved

Control objectives/criteria, controls, tests and results

The control objectives/criteria in scope are detailed in a matrix that includes a description of the tests performed to determine the operating effectiveness of the controls, along with any control deviations noted during testing. The description of the tests performed should include the nature, timing and extent of the testing performed.

Areas for follow-up when reviewing a report:

• The report date or period is not appropriate for the intended use
• The report type is not appropriate for the intended use
• The reporting standard is not appropriate for the intended use
• Subservice organizations are noted in the Auditor’s opinion and system description
• The auditor is not independent and competent
• The Auditor’s opinion is qualified
• The report has restricted usage
• There is not a Management Assertion for each subservice organization whose control objectives and controls have been included in the Auditor’s opinion, system description and control objectives/criteria, controls, tests and results
• The Description of the system does not address, in detail, the processes and controls expected
• The processing location(s) listed are not the same as those contracted for with the service organization
• Complementary user entity controls (CUECs) will need to be assessed for applicability and testing
• The tests performed do not address all aspects of the control objectives/criteria
• Testing deviations are noted

Crossland Advisors provides IT risk and control services to a number of industries, including:

• Manufacturing
• Pharmaceuticals
• Healthcare
• Financial Services
• Insurance
• Government
• Retail
• Utilities

Our extensive experience allows us to develop real world solutions to complex challenges. We use a process-focused risk-based approach and are able to relate leading practices and improvements to understand, anticipate and address a wide variety of information system risk and process issues. Crossland Advisors is ready to work with you to satisfy your IT risk and control needs.