A company is using a 'SaaS' CRM application. The auditor wants to verify that the SaaS provider backs up the data. Since the auditor cannot physically visit the SaaS provider, what is the most appropriate evidence to obtain?

Answer options:

A screenshot of the backup settings from the provider's website.

A SOC 2® Type II report from the SaaS provider

A letter from the SaaS provider's CEO promising backups are done.

Performing a penetration test on the SaaS provider.

How to approach this question

Third-party assurance = SOC report. You don't audit the cloud; you read their audit report.

Full Answer

B.A SOC 2® Type II report from the SaaS provider✓ Correct

A SOC 2 Type II report provides independent assurance regarding the design and operating effectiveness of the service organization's controls (including availability/backups) over a period of time.

Common mistakes

Accepting screenshots or letters as sufficient audit evidence.

Question 36 All questions Question 38

Practice the full CPA ISC Practice Exam 4

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...Hard Q02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...Hard Q03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...Hard Q04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...Hard Q05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard

View all 82 questions →