An auditor is reviewing the 'System Description' and notices it mentions 'The system is protected by a firewall'. However, the firewall is managed by a third-party MSP (Managed Service Provider) and is not included in the scope of the report (carve-out). What is the impact on the user entity?

Answer options:

The user entity can assume the firewall is secure.

The user entity must obtain assurance about the MSP's controls (e.g., get the MSP's SOC report).

The user entity must install their own firewall.

The service auditor will test the MSP's firewall anyway.

How to approach this question

Carve-out = Gap. User must fill the gap with another report.

Full Answer

B.The user entity must obtain assurance about the MSP's controls (e.g., get the MSP's SOC report).✓ Correct

When a subservice organization is carved out, the user entity (and their auditor) needs to obtain assurance regarding those controls separately, typically by obtaining the subservice organization's own SOC report.

Common mistakes

Ignoring carved-out controls.

Question 75 All questions Question 77

Practice the full CPA ISC Practice Exam

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is performing a risk assessment for a client that uses a public cloud provider for its core...Hard Q02During a walkthrough of a client's change management process, the auditor notes that developers h...Hard Q03A service organization provides a real-time transaction processing platform. The service level ag...Hard Q04An auditor is reviewing a SQL query used by the finance team to generate a report of all sales tr...Hard Q05A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud dep...Hard

View all 82 questions →