M03_Risk assessment –IT understanding

Application

Database

Operating system

Network

Application, Database and Operating System.

Application and Operating System.

Application and Database

Database and Operating System

How the entity uses IT as part of financial reporting and related business processes.

The entity’s IT organization.

The entity’s IT policies and procedures.

All of the above.

To document your evaluation of a service organization controls (SOC) report.

To communicate the nature, timing and extent of procedures performed by the SSC auditor on behalf of the group engagement team and/or SSC user auditors.

When a SOC report is not provided by the Service Organization.

When the SSC auditor identifies issues that may require an audit response.

Yes

No

When an exception is noted during your testing of database access.

If an interface from an external source does not successfully complete.

When a cybersecurity incident at any layer comes to your attention during the audit.

When an terminated employee retains access privileges to a financially relevant application.