Testing controls in SOC engagements
Area 3: SOC Engagements (15-25%)
Topics
- Test of design and operating effectiveness
- Sampling in SOC engagements
Study Frameworks
SOC Test Type Selection
- Is the control automated (system-enforced configuration)?
  - Yes: Are IT general controls (change management, access controls) over the system effective?
    - Yes: Inspect configuration + limited reperformance (one test may suffice — automated control operates consistently when ITGCs effective)
    - No: Cannot rely on consistency of automated control — test like a manual control with sampling across the period, plus investigate ITGC failures
  - No: Does the control produce documentary evidence (logs, signatures, reports)?
    - Yes: Is the control high-risk or were there prior-period exceptions?
      - Yes: Inspection of documentation with larger sample size + consider reperformance for complex controls; spread sample across full period
      - No: Inspection of documentation with standard sample size spread across the examination period; corroborate with inquiry
    - No: Observation of the control being performed + inquiry of personnel; note that observation only provides point-in-time evidence — combine with other procedures