2.16
The phrase using the work of the internal audit function is derived from AU section 322, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements (AICPA, Professional Standards), and it refers to work designed and performed by the internal audit function. This includes tests of controls designed and performed by the internal audit function during the period covered by the type 2 report and the results of those tests. This differs from work that the internal audit function performs to provide direct assistance to the service auditor, including assistance in performing tests of controls that are designed by the service auditor and performed by members of the internal audit function, under the direction, supervision, and review of the service auditor.
2.17
If the service organization has an internal audit function, the service auditor may obtain an understanding of the responsibilities and activities of the internal audit function to determine whether the work of the internal audit function is likely to be relevant to the engagement. The service auditor may obtain this understanding by making inquiries of appropriate management of the service organization and internal audit personnel. Examples of matters that may be important to this understanding are the internal audit function’s
• organizational status within the service organization;
• application of, and adherence to, professional standards;
• audit plan, including the nature, timing, and extent of audit procedures; and
• access to records and whether limitations exist on the scope of the internal audit function's activities.
2.18
Work of the internal audit function that provides information or evidence about the fairness of the presentation of the description of the service organization’s system, the suitability of the design of the controls, or the operating effectiveness of the controls that pertain to the trust services principle being reported on would be considered relevant to the engagement. The following are examples of information that may assist the service auditor in assessing the relevancy of that work:
• Knowledge gained from prior-year examinations related to the principle being reported on
• How management and the internal audit function assess risk related to the trust services principle being reported on and how audit resources are allocated to address those risks
Certain internal audit activities may not be relevant to a SOC 2 engagement (for example, the internal audit function’s evaluation of the efficiency of certain management decision-making processes).
2.20
If, after obtaining an understanding of the internal audit function, the service auditor concludes that (a) the activities of the internal audit function are not relevant to the trust services principle being reported on, or (b) it may not be efficient to consider the work of the internal audit function, the service auditor does not need to give further consideration to the work of the internal audit function.
2.21
If the service auditor intends to use the work of the internal audit function or use internal audit personnel in a direct assistance capacity, the service auditor should determine whether the work performed by the internal audit function is likely to be adequate for the purposes of the engagement by evaluating the following:
a. The objectivity and technical competence of the members of the internal audit function
b. Whether the work of the internal audit function is likely to be carried out with due professional care
c. Whether it is likely that effective communication will occur between the internal audit function and service auditor, including consideration of the effect of any constraints or restrictions placed on the internal audit function by the service organization
2.22
If the service auditor determines that the work of the internal audit function is likely to be adequate for the purposes of the engagement, the service auditor should evaluate the following factors in determining the planned effect that the work of the internal audit function will have on the nature, timing, and extent of the service auditor’s procedures:
a. The nature and scope of specific work performed or to be performed by the internal audit function
b. The significance of that work to the service auditor’s conclusions
c. The degree of subjectivity involved in the evaluation of the evidence gathered in support of those conclusions
Materiality
2.23
When planning and performing a SOC 2 engagement, the service auditor should evaluate materiality with respect to (a) the fair presentation of management’s description of the service organization’s system; (b) the suitability of the design of the controls; (c) in a type 2 engagement, the operating effectiveness of the controls; and (d) in a type 2 engagement that addresses the privacy principle, the service organization’s compliance with the commitments in its statement of privacy practices. The concept of materiality takes into account that the report is intended to provide information to meet the common information needs of a broad range of users who understand the manner in which the system is being used. Materiality with respect to the service organization also applies to the subservice organization.
2.24
Materiality with respect to the fair presentation of management’s description of the service organization’s system and with respect to the design of controls primarily includes the consideration of qualitative factors. For example, whether
• management’s description of the service organization’s system includes the significant aspects of system processing.
• management’s description of the service organization’s system omits or distorts relevant information.
• the controls have the ability, as designed, to provide reasonable assurance that the applicable trust services criteria stated in management’s description of the service organization’s system would be met.
2.25
Materiality with respect to the operating effectiveness of controls includes the consideration of both quantitative and qualitative factors (for example, the service auditor’s tolerable rate and observed rate of deviation in the results of tests [a quantitative matter] and the nature and cause of any observed deviations [a qualitative matter]).
2.26
The concept of materiality is not applicable when disclosing in the description of tests of controls (and tests of compliance with privacy commitments, if applicable) the results of those tests for which deviations have been identified. This is because a deviation may have significance for a specific user entity beyond whether, in the opinion of the service auditor, it prevents a control from operating effectively. For example, the control to which the deviation relates may be particularly significant in preventing a certain type of error, the results of which may be material to a particular user entity but not other users.
Identifying Deviations
2.27
Before the service auditor begins tests of controls and tests of compliance, the service auditor should determine the procedures that will be performed and the circumstances under which a test result will be considered a deviation, so that all such results are reported as deviations in the description of tests of controls and tests of compliance.