Engagement acceptance, independence, CUECs, fieldwork, and evidence gathering.
This chapter explains how a SOC engagement is planned and executed from acceptance through evidence collection. The exam focus is on professional responsibilities, engagement design, and practical fieldwork considerations.
Work SOC performance questions in the order of the engagement lifecycle. Acceptance, independence, management responsibilities, CUECs, fieldwork coordination, and evidence gathering each answer a different question about whether the report opinion can be supported.
| Engagement stage | First question | Common ISC trap |
|---|---|---|
| Acceptance and ethics | Should the service auditor accept or continue the engagement? | Beginning fieldwork before evaluating competence, scope, and ethical constraints. |
| Independence and responsibilities | What belongs to management, the service auditor, and user entities? | Letting the auditor own management’s system description. |
| CUECs | Which user-entity controls are necessary for the control objective to be achieved? | Reading the service organization’s controls as complete in isolation. |
| Fieldwork and communication | How will requests, exceptions, timing, and stakeholder communication be managed? | Treating SOC fieldwork as a simple checklist. |
| Evidence gathering | Which tests and evidence support the criteria and final opinion? | Collecting evidence without linking it to control objectives. |

| Step | What to do | Why it matters on ISC |
|---|---|---|
| 1. Evaluate acceptance and scope | Confirm competence, independence, subject matter, criteria, period, report type, and ethical constraints. | A SOC engagement must be supportable before fieldwork begins. |
| 2. Separate responsibilities | Identify what management owns, what the service auditor examines, and what user entities must do. | Responsibility confusion leads to unsupported report expectations. |
| 3. Identify CUECs and dependencies | Determine which user-entity or subservice controls are necessary for the stated objectives. | The service organization’s controls may not achieve objectives alone. |
| 4. Plan fieldwork and communication | Coordinate evidence requests, timing, walkthroughs, exceptions, and stakeholder communication. | SOC fieldwork requires controlled execution, not only a test list. |
| 5. Link evidence to objectives | Tie tests, exceptions, and conclusions back to the control objectives or trust services criteria. | Evidence is persuasive only when it supports the report opinion. |

| Checkpoint | Exam use | What to avoid |
|---|---|---|
| Acceptance basis | Confirm competence, independence, report type, subject matter, criteria, and engagement period. | Starting procedures before the engagement is supportable. |
| Responsibility split | Identify what management asserts, what the service auditor tests, and what user entities must operate. | Making the auditor responsible for management’s system description or controls. |
| CUEC dependency | Determine which complementary user entity controls are necessary for the report conclusions. | Treating service organization controls as complete without user-side controls. |
| Evidence linkage | Tie walkthroughs, inquiries, inspection, reperformance, and exception testing to specific objectives or criteria. | Collecting evidence that does not support the opinion being issued. |
| Exception handling | Evaluate whether deviations affect design, operating effectiveness, scope, communication, or report wording. | Treating all exceptions as minor without considering report impact. |