Medium · 1 mark · Multiple Choice
CPA · Question 14 · Area I: Information Systems
A company uses a SaaS-based CRM. The auditor wants to verify that the company's data is backed up. The SaaS provider's contract states they perform daily backups. What is the MOST appropriate evidence for the auditor to request?
Answer options:
A. Screenshots of the company's internal server backup logs.
B. A written representation from the company's IT manager.
C. The SaaS provider's source code for the backup script.
D. A SOC 2 Type II report from the SaaS provider covering the Availability criteria.
How to approach this question
When auditing a cloud vendor (SaaS), you generally cannot go onsite. You rely on Third-Party Assurance reports (SOC reports).
Full Answer
D. A SOC 2 Type II report from the SaaS provider covering the Availability criteria. ✓ Correct
For SaaS vendors, the most appropriate and reliable evidence is a SOC 2 report (specifically covering Availability) which provides an independent auditor's opinion on the design and operating effectiveness of the provider's backup controls.
Common mistakes
Thinking the client can back up SaaS data themselves (sometimes they can, but the question asks about the provider's obligation).