SOC Engagements, Service Auditor Reporting, and Cybersecurity Assurance

This part is the most assurance-specific segment of ISC. The chapters explain how SOC engagements are scoped, performed, and reported, and how the different report types serve different user needs.

In This Part

• Chapter 22: Overview of SOC Engagements introduces the SOC landscape and the major engagement families.
• Chapter 23: SOC 1 Examinations focuses on controls relevant to user-entity financial reporting.
• Chapter 24: SOC 2 Examinations covers the trust services framework and broader system controls.
• Chapter 25: Planning and Performing a SOC Engagement explains scoping, evidence, and execution.
• Chapter 26: Reporting and Opinions in SOC Engagements shows how conclusions are communicated.
• Chapter 27: SOC for Cybersecurity addresses cybersecurity-specific reporting and assurance.

How to Use This Part

• Read this part after Parts I through IV so the system and control background is already in place.
• Pay attention to the purpose, users, and reporting consequences of each engagement type.
• Return here whenever an ISC question turns on which SOC framework or report is appropriate.

In this section

• SOC Report Families, Report Structure, and Shared Control Responsibilities
  SOC report families, report structure, and user-versus-subservice control responsibilities.
  • SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity: Purpose, Users, and Use Cases
    SOC report families, intended users, and practical use cases.
  • Required Sections, Structure, and Core Content of SOC Reports
    Required sections, structure, and core content of SOC reports.
  • User Entity Controls, Subservice Controls, and Shared Responsibility Boundaries
    User entity controls, subservice controls, and shared responsibility boundaries.
• SOC 1 Scope, Assertions, Materiality, and Subservice Organization Treatment
  SOC 1 scope, assertions, materiality, and subservice organization methods.
  • When SOC 1 Applies: Objectives, Scope, and Financial Reporting Relevance
    When SOC 1 applies, what it covers, and why it matters to financial reporting.
  • Management Assertions, System Description Criteria, and SOC 1 Representation Requirements
    Management assertions, description criteria, and SOC 1 representation requirements.
  • Materiality in SOC 1 Engagements and How Significance Is Judged
    Materiality in SOC 1 engagements and how significance is judged.
  • Why IT Materiality Differs from Financial Statement Audit Materiality
    Why IT materiality differs from financial statement audit materiality.
  • Inclusive and Carve-Out Methods for Subservice Organizations in SOC 1
    Inclusive and carve-out methods for subservice organizations in SOC 1.
• SOC 2 Criteria Selection, System Boundaries, and Opinion Formation
  Trust services criteria, system boundaries, testing, deviations, and opinion formation.
  • Trust Services Criteria and How SOC 2 Engagements Select Them
    Trust services criteria and how SOC 2 engagements select them.
  • SOC 2 Description Criteria, System Boundaries, and Scope Definition
    SOC 2 description criteria, system boundaries, and scope definition.
  • Risk Assessment, Control Testing, and Evidence Design in SOC 2
    Risk assessment, control testing, and evidence design in SOC 2.
  • Evaluating Exceptions and Forming the Final SOC 2 Opinion
    Evaluating exceptions and forming the final SOC 2 opinion.
• SOC Engagement Acceptance, Fieldwork, and Evidence Gathering
  Engagement acceptance, independence, CUECs, fieldwork, and evidence gathering.
  • Accepting a SOC Engagement: Preconditions, Ethics, and Engagement Risk
    Preconditions, ethics, and engagement risk when accepting SOC work.
  • Service Auditor Independence and Management Responsibilities in SOC Work
    Service auditor independence and management responsibilities in SOC work.
  • Complementary User Entity Controls and Why They Matter to the Report
    Complementary user entity controls and why they matter to the report.
  • Fieldwork Execution and Communication with Management and Stakeholders
    Fieldwork execution and communication with management and stakeholders.
  • Gathering Evidence in SOC Engagements: Testing Tools and Techniques
    Evidence gathering, testing tools, and techniques in SOC engagements.
• SOC Report Opinions, Modifications, and Issuance Judgments
  Opinion types, modifications, subsequent events, specialists, and reporting pitfalls.
  • SOC Opinion Types, Report Modifications, and When Wording Changes
    SOC opinion types, report modifications, and when wording changes.
  • Subsequent Events and Post-Period Information in SOC Engagements
    Subsequent events and post-period information in SOC engagements.
  • Using Other Auditors and Specialists in SOC Engagements
    Using other auditors and specialists in SOC engagements.
  • Common SOC Reporting Pitfalls and Better Reporting Practices
    Common SOC reporting pitfalls and better reporting practices.
• Cybersecurity Assurance Reporting Beyond SOC 2 Security
  SOC for Cybersecurity scope, criteria, complex environments, and external communication.
  • How SOC 2 Security Differs from SOC for Cybersecurity
    How SOC 2 Security differs from SOC for Cybersecurity.
  • Description Criteria for Cybersecurity Risk Management Programs
    Description criteria for cybersecurity risk management programs.
  • Complex IT Environments, Incident Response, and SOC for Cybersecurity Scope
    Complex IT environments, incident response, and SOC for Cybersecurity scope.
  • Presenting Cybersecurity Findings to External Stakeholders
    Presenting cybersecurity findings to external stakeholders.