Audit Principles and Concepts

Carve-out method

Method of dealing with the services provided by a subservice organization. The nature of the services performed by the subservice Organization is included in section 3, but the relevant related controls are excluded. These controls are also excluded form the service auditors scope, hence the concept “carve-out” meaning: The subservice Organization’s controls are carved out from scope.

Inclusive method

Method of dealing with the services provided by a subservice organization, but now the subservice Organization controls are included in section 3 and are tested by the service auditor.

Complementary user entity controls (CUEC)

CUECs are controls that reside at the user entity level of a service organization. User entities are organizations that utilize the services of a service organization.

Controls at the service organization

Controls over the achievement of a criteria that is covered by the service auditor’s assurance report (SOC 2).

Controls at a subservice organization

Controls at a subservice organization to provide reasonable assurance about the achievement of a criteria.

Service auditor

A professional accountant in public practice who, at the request of the service organization, provides an assurance (SOC 2) report on controls at a service organization.

Service organization

A third-party organization (or segment of a third-party organization) that provides services to user entities that are likely to be relevant to user entities’ control environment.

Description of the system (Section 3)

The policies and procedures designed and implemented by the service organization to provide user entities with the services covered by the service auditor’s assurance report (SOC 2).  The service organization’s description of its system includes identification of: the services covered to which the description relates, IT elements, relevant Trust Service Criteria, and related controls.

Subservice organization

A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to user entities’ control environment.

Population

The number of occurrences that a control was performed i.e. If there were 100 users terminated which required a signed off boarding form, then the auditors population for testing terminated users will be a 100.

Sampling

A number of instances to test the operation of the control (sample) is normally selected from the population. The auditor will have a sampling methodology that stipulates the number of samples that should be selected, based on the population of the control.

For example, the auditor would select a sample of 5 from a population of 100 terminated users, based on the auditors sampling methodology.

Management would then need to provide evidence for the 5 selected sample of terminated users.

Design of a control

Auditors will look at the design of the control and consider whether the control is capable of effectively preventing or detecting and correcting a specific risk. The auditors will also look at the factors or characteristics of the control that are most important to its effectiveness. The extent of this evaluation is a matter of professional judgment and will vary based on the complexity of the control.

Implementation of a control

Auditors will look at whether the control is implemented as designed. This means that auditors will select a sample of instance and require evidence to corroborate the design of the control. In most cases, the auditors will perform a walkthrough of the control when testing the implementation of the control.

Operating effectiveness of a control

Auditors use this term to determine whether a control was functioning as intended for a period of time i.e., the control was operating effectively throughout the period 1 January to 31 December. This conclusion is based on the sample that the auditor would select to test the operating effectiveness of a control.

For example, the auditors tested the sample of 5 terminated users and the evidence provided for all 5 users were deemed appropriate to conclude that the control was operating effective. Should 1 of the 5 samples fail for whatever reason, the control would be deemed ineffective i.e. the control was NOT operating effectively throughout the period 1 January to 31 December.

Type I

A type I audit indicates that the auditor will only test design and implementation of the controls provided by management at a point of time.

Type II

A type II audit indicates that the auditor will test design and implementation and operating effectiveness of the controls provided by management over a period of time ( 6 to 12 months).

Information produced by the entity (IPE)

IPE is information that the auditors use to understand the entity and its environment, to perform procedures, to test a control upon which they intend to rely, or information used by entity personnel to perform a control. Some IPE may be generated using the entity’s IT systems.