An auditor is reviewing the 'System Boundaries' in a SOC 2® engagement. The client has excluded their 'Customer Support Chatbot' from the system description. The chatbot collects customer names and account numbers. Is this exclusion appropriate?

Answer options:

Yes, chatbots are not IT systems.

Yes, if the chatbot is hosted by a third party.

No, because all software must be included.

No, because the chatbot processes sensitive data (PII) relevant to the system's objectives.

How to approach this question

Does it touch the data? If yes, it's in scope.

Full Answer

D.No, because the chatbot processes sensitive data (PII) relevant to the system's objectives.✓ Correct

The system description must include all components (infrastructure, software, people, data, procedures) that are necessary to achieve the service commitments and system requirements. Since the chatbot handles sensitive customer data, excluding it would misrepresent the system's risk profile.

Common mistakes

Thinking third-party tools are automatically out of scope (they are subservice orgs).

Question 81 All questions

Practice the full CPA ISC Practice Exam 3

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud-based s...Medium Q02During a review of a client's cloud governance structure, an auditor notes that the client uses a...Medium Q03An auditor is evaluating the 'Processing Integrity' principle for a financial institution's loan ...Hard Q04A company uses a batch processing system to update inventory records overnight. The 'Grandfather-...Hard Q05During a walkthrough of the change management process, an auditor observes that the 'Developer' r...Medium

View all 82 questions →