ExpertMedium1 markMultiple Choice
CPA · Question 72 · Area III: SOC Engagements
A service organization has a control that states: 'Firewall rules are reviewed semi-annually.' The auditor tests this by requesting the minutes of the review meetings. The client provides minutes for a meeting in January and a meeting in July. Is this sufficient evidence for a Type II report covering Jan 1 to Dec 31?
A service organization has a control that states: 'Firewall rules are reviewed semi-annually.' The auditor tests this by requesting the minutes of the review meetings. The client provides minutes for a meeting in January and a meeting in July. Is this sufficient evidence for a Type II report covering Jan 1 to Dec 31?
Answer options:
A.
Yes, two reviews cover the semi-annual requirement for the year.
B.
No, the auditor must re-perform the review themselves.
C.
No, there should be a review every month.
D.
No, minutes are not valid evidence.
How to approach this question
Check the frequency. Semi-annual = 2x/year. Did they do it 2x? Yes.
Full Answer
A.Yes, two reviews cover the semi-annual requirement for the year.✓ Correct
A
For a semi-annual control, evidence of two occurrences (spaced appropriately) within a 12-month period is sufficient to demonstrate operating effectiveness.
Common mistakes
Thinking you need more samples than the frequency dictates.
Practice the full CPA ISC Practice Exam
82 questions · hints · full answers · grading
More questions from this exam
Q01A CPA is performing a risk assessment for a client that uses a public cloud provider for its core...HardQ02During a walkthrough of a client's change management process, the auditor notes that developers h...HardQ03A service organization provides a real-time transaction processing platform. The service level ag...HardQ04An auditor is reviewing a SQL query used by the finance team to generate a report of all sales tr...HardQ05A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud dep...Hard