ExpertHard1 markMultiple Choice
CPA · Question 37 · Area III: SOC Engagements
A company is using a 'SaaS' CRM application. The auditor wants to verify that the SaaS provider backs up the data. Since the auditor cannot physically visit the SaaS provider, what is the most appropriate evidence to obtain?
A company is using a 'SaaS' CRM application. The auditor wants to verify that the SaaS provider backs up the data. Since the auditor cannot physically visit the SaaS provider, what is the most appropriate evidence to obtain?
Answer options:
A.
A screenshot of the backup settings from the provider's website.
B.
A SOC 2® Type II report from the SaaS provider
C.
A letter from the SaaS provider's CEO promising backups are done.
D.
Performing a penetration test on the SaaS provider.
How to approach this question
Third-party assurance = SOC report. You don't audit the cloud; you read their audit report.
Full Answer
B.A SOC 2® Type II report from the SaaS provider✓ Correct
A SOC 2® Type II report from the SaaS provider
A SOC 2 Type II report provides independent assurance regarding the design and operating effectiveness of the service organization's controls (including availability/backups) over a period of time.
Common mistakes
Accepting screenshots or letters as sufficient audit evidence.
Practice the full CPA ISC Practice Exam 4
82 questions · hints · full answers · grading
More questions from this exam
Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...HardQ02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...HardQ03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...HardQ04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...HardQ05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard