Service Organization Audit Evaluation


Service organization evaluation

Entity name
Date of financial statements

When to use this form


Use of this form is optional except for audits conducted in accordance with US auditing
standards, when its use is required.

Purpose
Completion of this form addresses the EY Canvas tasks:
► Understand SCOTs, identify WCGWs and relevant controls and relate them to relevant
SCOTs and significant disclosure processes
► Identify and address IT risks

Many entities outsource aspects of their business activities to organizations that provide
services ranging from performing a specific task under the direction of the entity to replacing
entire business units or functions of the entity. Many of the services provided by such
organizations are integral to the entity’s business operations; however, not all of those services
are relevant to the audit. Services provided by a service organization are relevant to the audit of
a user entity's financial statements when those services, and the controls over them, are part of
the user entity's information system, including related business processes, relevant to financial
reporting.

The purpose of this form is to document our evaluation of the nature and significance of
services provided by a service organization and their effect on internal control relevant to the
audit as well as to evaluate a System and Organization Controls (SOC) 1 report issued by the
service organization under the AICPA Statement on Standards for Attestation Engagements No.
18, AT-C 320 Reporting on an Examination of Controls at a Service Organization Relevant to
User Entities' Internal Control over Financial Reporting, or equivalent attestation standard such
as the International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on
Controls at a Service Organization or the Canadian Standard on Assurance Engagements
(CSAE) 3416 Reporting on Controls at a Service Organization when relevant to our audit. All
equivalent reports are referred to in this form as “SOC 1” reports. This form is not designed to
evaluate reports on controls based on other attestation standards, such as SOC 2 – SOC
for Service Organizations: Trust Services Criteria or SOC for Cybersecurity reports, and
should not be used for such reports.

This form has three parts:


► Part I: Complete this part to document our understanding of the nature and significance
of the services provided by the service organization and their effect on the user entity’s
internal control relevant to the audit
► Part II: Complete this part if using a type 1 or type 2 SOC 1 report as audit evidence to
support our understanding of the processes at the service organization
► Part III: Complete this part if using a type 2 SOC 1 report as audit evidence to support
our understanding of the design, implementation and operating effectiveness of controls
at the service organization

We use the appendices referenced in Part III (or equivalent documentation) to address the
following aspects of evaluating a SOC 1 report:

Form 107GL (15 December 2021) 1


► Appendix A: WCGWs addressed by controls performed by the service organization
► Appendix B: Effect of complementary user entity controls
► Appendix C: Effect of control exceptions
► Appendix D: IT process risks arising from the relevant IT processes performed at the
service organization and related IT general controls
► Appendix E: Effect of complementary subservice organization controls1

The shaded portions of the form indicate information that may be input by Global Delivery
Services (GDS) personnel when the GDS Service Organization Report Review (SORR) team is
used to transfer information into this form.

Applicable methodology
SVC_ORG Purpose

Sign-off
We sign off this form in EY Canvas to evidence the preparation, review and approval of this
form at the Scope & Strategy and Execution phases of the audit as well as completion of the
following EY Canvas tasks:
► Understand SCOTs, identify WCGWs and relevant controls and relate them to relevant
SCOTs and significant disclosure processes
► Identify and address IT risks

1
Complementary subservice organization controls are controls that management of the service organization
assumes, in the design of the service organization's system, will be implemented by the subservice organization and
are necessary to achieve the control objectives stated in management's description of the service organization's
system. These controls are defined only in reports issued in compliance with AICPA Statements on Standards for
Attestation Engagements No. 18, section AT-C 320 when a subservice organization is used and is handled using the
carve-out method.

Part I
Service organization name
Describe the nature of the services provided by
the service organization and the significance of
the services to the user entity, including their
effect on the user entity's internal control.
Additional information
SVC_ORG 2.1 Nature of the services
Significant account(s) affected by the services
Significant class(es) of transactions (SCOTs)
affected by the services

A. Obtain an understanding of how the user entity uses the services of the service
organization
1 Describe the nature and materiality of the
transactions processed or accounts or
financial reporting processes affected by the
service organization. Consider the volume of
transactions processed in addition to
balances at reporting dates.
Additional information
SVC-ORG 2.1 Nature of the services
SVC-ORG 2.2 Materiality of transactions
processed or accounts or financial reporting
processes affected
2 Describe the degree of interaction between
the activities of the service organization and
those of the user entity. The degree of
interaction refers to the extent to which the
user entity is able to, and chooses to,
implement effective internal controls over
the processing performed by the service
organization.
Additional information
SVC-ORG 2.3 Degree of interaction
3 Describe the nature of the relationship
between the user entity and the service
organization, including the relevant
contractual terms for the activities
undertaken by the service organization.
Additional information
SVC-ORG 2.4 Nature of the relationship

B. Make fraud inquiries
1 Inquire of the user entity’s management whether the service organization has reported, or
management is otherwise aware of, any intentional acts, fraud affecting user entities,
noncompliance with laws and regulations or uncorrected misstatements at the service
organization affecting the financial statements of the user entity.
No items noted. Inquiries made of (name and title):
Item(s) noted. If item(s) are noted, evaluate how such matters affect the nature,
timing and extent of our audit procedures, including the effect on our conclusions
and our reports on the internal control over financial reporting and on the financial
statements, as applicable.

C. Respond to the assessed risks of material misstatement related to services provided
by the service organization
1 For the services documented above, we have determined (select one):
Sufficient appropriate audit evidence concerning the relevant financial statement
assertions is available from records held at the user entity, and if we are reporting
on internal control, controls at the user entity are sufficient to provide reasonable
assurance that the financial statement assertions are achieved through those
controls. Indicate workpaper(s) where procedures are performed to support this
assessment:
(We do not complete Parts II and III of this form, which we delete along with the
appendices.)
Audit evidence concerning the relevant financial statement assertions, processes,
risks and controls will be obtained from a SOC 1 report. Continue to Part II of this
form.
Audit evidence concerning the relevant financial statement assertions, processes,
risks and controls will be obtained through us, or other auditors, performing
procedures at the service organization. These procedures are documented at
workpaper reference:
(We do not complete Parts II and III of this form, which we delete along with the
appendices.)

Part II
If we plan to use a type 1 or type 2 SOC 1 report as audit evidence to support our
understanding of the processes and risks at the service organization, we read the report and
evaluate whether:
• The type 1 report is as of a date, or the type 2 report is for a period, that is appropriate
for our purposes
• The report addresses the system2, which includes the IT applications, policies and
procedures and service organization locations, used by the entity
• The report identifies issues with the processes at the service organization
• The report identifies the use of subservice organizations
• We, as the user entity's auditors, are intended users of the report
• The standard under which the type 1 or type 2 SOC 1 report was issued is appropriate
for our purposes
• The evidence provided by the report is sufficient and appropriate for understanding the
service organization's processes and risks relevant to the audit
In addition, reading the report may provide evidence of whether the service auditor is competent
and independent from the service organization. If so, we add this evidence to Part II, B(2)
below.

A. Evaluation of report
1 SOC 1 report name:
2 SOC 1 report type (select one):
Type 1 – As of date:
Type 2 – Period covered:
3 System2 and location(s) covered:
4 IT applications covered by the SOC 1 report, at least in part (list, adding rows as needed)3:
IT application | IT application is relevant? | Some portion of IT processes are carved out? (See Part II, C.4.b)
| ☐ Yes ☐ No | ☐ Yes ☐ No
| ☐ Yes ☐ No | ☐ Yes ☐ No
| ☐ Yes ☐ No | ☐ Yes ☐ No

2
'System' refers to the policies and procedures designed, implemented and documented by management of the
service organization, including IT components, to provide user entities with the services covered by the service
auditor's report. The term 'System' does not refer to just the IT applications.
3
If no parts of the related IT processes are performed by the service organization, no IT applications are listed.

5 The report contains the required parts: Yes No
► Management's description of the service organization's system2
► A written assertion by management of the service organization
► A service auditor's report
a If no, explain procedures performed to address the deficiency in the report such that we
may use the report as appropriate audit evidence:
6 Based on the date of the type 1 SOC 1 report or the period covered by the type 2 SOC 1
report, and the additional procedures performed (if applicable), we have determined (select
one):
The type 1 SOC 1 report is as of a date sufficient to support our understanding of
the services provided by the service organization, as applicable.
The type 2 SOC 1 report is for a period sufficient to support our understanding of
the service organization and our evaluation of the service organization’s controls, as
applicable.
The SOC 1 report is as of a date (type 1) or for a period (type 2) that is not sufficient
for our purposes and does not provide a sufficient basis to support our
understanding of the service organization or evaluation of the design or operating
effectiveness of the service organization’s controls, as applicable. (We do not
complete the remaining sections of Part II or the entire Part III of this form. We
delete the remainder of this form, including the appendices.)
7 If a significant period of time has elapsed between the as-of date for a type 1 SOC 1 report
or the time period covered by a type 2 SOC 1 report and the date of the user entity’s
financial statements, indicate additional procedures performed to update our understanding
of the service organization's processes and to evaluate the suitability of the design and
operating effectiveness of the service organization’s controls, as applicable, through the
financial statement date (refer to EY GAM SVC-ORG 5.2) (select all that apply):
Obtained a letter from the service organization updating the service organization’s
information through the financial statement date (sometimes referred to as a bridge
letter) (workpaper reference: )
Obtained additional type 1 or 2 SOC 1 report(s) – as-of date or period covered:
(workpaper reference: )
Other procedures performed as follows: (workpaper reference: )
No additional procedures necessary because (document rationale):

B. Evaluation of service auditor


In determining the sufficiency and appropriateness of the audit evidence provided by a type
1 or type 2 SOC 1 report, we evaluate the service auditor’s professional competence and
independence from the service organization.
1 Service auditor:

2 Our understanding of service auditor’s competence and independence was obtained by
(select one):
Reputation of the service auditor (e.g., national firm).
Inquiries made of service auditor’s professional body (e.g., International Federation
of Accountants (IFAC), American Institute of Certified Public Accountants (AICPA)).
Inquired of:
Query of jurisdictional licensing (e.g., US state board of accountancy) website.
Indicate the jurisdictional licensing website queried:
Other:
3 Based on the procedures we performed (including reading the report), we have determined
(select one):
The evidence obtained indicates the service auditor is professionally competent and
independent.
The evidence obtained regarding the competence and/or independence of the
service auditor precludes our use of the report.
a If evidence obtained precludes our use of the report for our audit, describe below
the alternative procedures performed to gain an understanding of the services
provided by the service organization, and identify and test relevant controls and/or
compensating controls to provide sufficient appropriate audit evidence to support
our risk assessment. (Refer to EY GAM SVC-ORG 3.)
(We do not complete the remaining sections of Part II or the entire Part III of this
form. We delete the remainder of this form, including the appendices.)

C. Service auditor’s report (opinion)


1 Report opinion is unqualified as to system description: Yes No
a If no:
i) Explain the nature of the qualification
ii) Describe the effect of the qualification on our understanding of the service
organization's processes relevant to the user entity
iii) Describe the additional procedures performed in response to the qualification
iv) Does this issue relate to a deficiency in control? If so, post the deficiency to the
SOCD or other issues list. Yes / No. Document rationale:

2 Report opinion covers all portions of service organization management’s description
of the system: Yes No
a If no, explain the following:

i) Portions of management’s description not covered
by service auditor’s report
ii) Effect of the exclusion on our understanding of the
service organization's processes relevant to the
user entity
iii) Additional procedures we performed in response
to the exclusion when the exclusion is relevant to
the audit
3 Report opinion contains an emphasis-of-matter paragraph related to the Yes No
system description
a If yes, explain the following:

i) Matter emphasized
ii) Effect of the emphasis-of-matter paragraph on our
understanding of the service organization's
processes relevant to the audit
4 Report opinion identifies subservice organization(s) addressed using either the carve-out
method or the inclusive method.

Additional information
a Inclusive subservice organizations (columns):
Name(s) of inclusive subservice organization(s)
Service component(s) provided by inclusive subservice organization(s)
Subservice organization assertion present4? Yes No
(Add a row per subservice organization.)
b Carved-out subservice organizations (columns):
Name(s) of carved-out subservice organization(s) (include page number reference if not
identified in the report opinion)
Service(s) provided by carved-out subservice organization(s)
Reference Form 107GL for the subservice organization or, if Form 107GL is not completed,
cross reference to where we evaluated the risks related to procedures and controls
performed by the subservice organization and documented the procedures performed to
address those risks.

4
When the inclusive method for subservice organizations is used, each subservice organization must have an
assertion, prepared by management, included in the report.

5 Is EY, as the entity's auditor, an intended user of the report? Yes No

a If no, document our evaluation of the use of restricted language and how we have
determined we may use the SOC 1 report. (Professional Practice resources are available
to assist engagement teams in evaluating the appropriateness of the language used in the
service auditor's report.)

D. Evaluation of standards used


1 Report prepared in accordance with:
AICPA Statement on Standards for Attestation Engagements (SSAE) No. 18, AT-C
320
International Standards on Assurance Engagements 3402
Canadian Standard on Assurance Engagements 3416
Other local standard substantially equivalent to SSAE 18, AT-C 320
Specify:
(Note: This form may not be appropriate to be used to evaluate such reports. If not,
refer to EY GAM AUDIT EVIDENCE for guidance.)
Note: This form is not designed to be used to evaluate any other type of service
organization report.

E. Management’s description of the service organization’s system2


A SOC 1 report is designed to meet the common needs of a broad range of user entities
and may not include aspects important to the user entity’s particular environment or
provide sufficient evidence to meet our audit needs.
1 For service organizations that provide transaction processing services for the user entity
under audit, including the people to process the transactions, the IT applications and the
computing environment (e.g., hardware, operating systems, database software, infrastructure,
computer operations services). Scenario applies: Yes No
a Management’s description addresses the services provided to the user entity including
the processes by which services are delivered. The descriptions are sufficient to permit us
to understand the services provided and the critical path of the SCOTs (i.e., how
transactions are initiated, authorized, recorded, processed, corrected and transferred to
reports). Yes / No / Not applicable
b Management's description addresses the relevant IT processes. Yes / Carved out / No /
Not applicable
c If we responded No to (a) or (b), reference where we have performed additional
procedures to obtain a sufficient understanding of the services provided to the user entity.

2 For service organizations that only provide IT applications and the computing environment
(e.g., hardware, operating systems, database software, infrastructure, computer operations
services) for the user entity under audit. Scenario applies: Yes No
a Management’s description addresses services provided to the user entity including the
automated aspects of the IT applications provided and the processes by which applications
are supported. The descriptions are sufficient to permit us to understand the services
provided and the effect on the critical path of the SCOTs. Yes / No / Not applicable
b Management's description addresses the relevant IT processes. Yes / Carved out / No /
Not applicable
c If we have responded No to (a) or (b) above, reference where we have performed
additional procedures to obtain a sufficient understanding of the services provided to the
user entity.
3 For service organizations that provide only the computing environment (e.g., hardware,
operating systems, database software, infrastructure, computer operations services but not
the IT application software) for the user entity under audit. Scenario applies: Yes No
a Management’s description addresses the relevant IT processes. Yes / No / Not applicable
b If no, reference where we have performed additional procedures to obtain a sufficient
understanding of the relevant IT processes.

F. Respond to the assessed risks of material misstatement related to services provided
by the service organization
1 Based on the work performed as described in Parts I and II, (select one):
Sufficient, appropriate audit evidence concerning the design, implementation and
operating effectiveness of controls to address the risks of material misstatement
can be obtained solely from the user entity's controls. Indicate workpaper(s) where
procedures performed are documented to support the testing of the controls:
(We do not complete Part III of this form, which we delete along with the appendices.)
We will perform, or use another auditor to perform, procedures to test the relevant
controls stated in the type 1 SOC 1 report. Indicate workpaper(s) where such
procedures have been documented:
(We do not complete Part III of this form, which we delete along with the appendices.)
We will use the SOC 1 report as audit evidence only to support our understanding
of the processes at the service organization as part of our risk assessment
procedures.
(We do not complete Part III of this form, which we delete along with the appendices.)
We will use the type 2 SOC 1 report evaluated in completing Part II of this form to
provide audit evidence of the operating effectiveness of the relevant controls at the
service organization. Continue to Part III of this form.

Part III
If we plan to further use a type 2 SOC 1 report as audit evidence to support our understanding
of the design, implementation and operating effectiveness of controls at the service
organization, we read the report and evaluate whether:
• The evidence provided by the report is sufficient and appropriate for evaluating the
service organization's controls that are relevant to the audit.
• Complementary user entity controls (CUECs) identified by the service organization are
necessary to address the risks of material misstatement relating to the relevant
assertions in the user entity’s financial statements. If so, we evaluate whether there is
sufficient evidence to confirm user entity controls exist and are operating effectively to
address the CUECs (i.e., we evaluate the design and test the operating effectiveness of
the entity's controls that address the CUECs).
• Complementary subservice organization controls (CSOCs) identified by the service
organization are necessary to address the risks of material misstatement relating to the
relevant assertions in the user entity's financial statements. If so, we evaluate whether
there is sufficient evidence to confirm the subservice organization has designed and
implemented such controls. CSOCs apply only to reports issued under AICPA
attestation standards.
• The tests of controls performed by the service auditor and the results thereof, as
described in the service auditor's report, are relevant to the assertions in the user entity's
financial statements and provide sufficient appropriate audit evidence to support the user
auditor's risk assessment.

A. Service auditor’s report (opinion)


1 Report opinion is unqualified related to controls design, implementation and operating
effectiveness: Yes No
a If no, explain the following:

i) Nature of the qualification


ii) Does the qualification relate to a deficiency in control relevant to the user entity? If
so, the deficiency is posted to the SOCD or other issues list. Yes / No. Add explanation:
2 Report opinion contains an emphasis-of-matter paragraph related to the Yes
controls as designed, implemented and/or tested No
a If yes, explain the following:

i) Matter emphasized
ii) Effect of the emphasis-of-matter
paragraph on our understanding of the
service organization's processes relevant
to the audit

B. Design of controls
1 For service organizations that provide transaction processing services including the people
to process the transactions and/or that provide the IT applications:
We documented the association of the controls to our WCGWs for each SCOT using:
EY Canvas
Appendix A
Employee Benefit Plan (EBP) Appendix to Form 107GL (US and Canada only)
Equivalent documentation (workpaper reference: )
Scenario does not apply
a Transaction processing controls in the SOC 1 report plus the user entity's controls
address the financial statement assertions and relevant WCGWs for each SCOT that
involves services provided by the service organization. Yes No
b If no, indicate whether the issue is a deficiency in controls. If so, the deficiency is
posted to the SOCD or other issues list. Yes / No. Add explanation:
2 For service organizations that provide the IT applications and/or the computing
environment (e.g., hardware, operating systems, database software, infrastructure,
computer operations services):
We documented the association of the controls to the risks within the IT processes
using:
EY Canvas
Appendix D
Equivalent documentation (workpaper reference: )
Scenario does not apply
a The IT controls in the SOC 1 report plus the user entity's controls address the risks
within the IT processes that support each SCOT that involves services provided by the
service organization. Yes No
b If no, indicate whether this issue is a deficiency in controls. If so, the deficiency is
posted to the SOCD or other issues list. Yes / No. Add explanation:

C. Complementary user entity controls


1 We determine whether complementary user entity controls (CUECs) identified by the
service organization are necessary to address the WCGWs in the related user entity
SCOTs and, if so, determine whether the user entity has designed and implemented such
controls (select one):
No CUECs are identified in the SOC 1 report
CUECs are identified in the SOC 1 report and are addressed at Appendix B or
equivalent documentation at workpaper reference:

D. Complementary subservice organization controls
1 We determine whether complementary subservice organization controls (CSOCs)
identified by the service organization are necessary to address the WCGWs in the related
user entity SCOTs and, if so, determine whether the subservice organization has designed
and implemented such controls (select one):
Not applicable – The report was not issued under AICPA attestation standards
No CSOCs are identified in the SOC 1 report
CSOCs are identified in the SOC 1 report and are addressed at Appendix E or
equivalent documentation at workpaper reference:

E. Description of tests of controls performed and results


We determine whether the service auditor’s report provides sufficient appropriate audit
evidence about the effectiveness of the controls to support our conclusions by evaluating
whether the tests of controls performed by the service auditor and the results thereof, as
described in the service auditor's report, provide sufficient appropriate audit evidence to
support our conclusions. We conclude whether:
1 The descriptions of the tests of controls are sufficient for us to understand the nature
and extent of the procedures performed. Yes No
a If no:

i) List the controls for which the description of the tests of controls is insufficient to
understand the nature and extent of the procedures performed.
ii) Explain the additional procedures we
performed to address the insufficient
test description including
determination as to whether this issue
represents a deficiency in controls
that is documented on the SOCD or
other issues list.
2 The tests specified are adequate to provide sufficient, appropriate audit Yes
evidence that the control operated effectively throughout the period of No
reliance.
a If no:

i) List the controls for which the tests of controls performed do not provide sufficient,
appropriate audit evidence.

ii) Explain the additional procedures we
performed to address the inadequate
testing including determination as to
whether this issue represents a
deficiency in controls that is
documented on the SOCD or other
issues list.
3 Testing exceptions (sometimes referred to as "deviations" in SOC 1 reports) (select one):
There were no testing exceptions noted in the results of testing of controls.
An analysis of testing exceptions is included in Appendix C.

Service organization evaluation – Appendix A

WCGWs addressed by controls performed by the service organization


Unless documented in EY Canvas, complete the mapping of WCGWs within the SCOTs processed by the service organization in the table
provided or cross reference to equivalent documentation. (Add rows to table as necessary.)
Table columns:
(I) SCOT:
(II) Significant account
(III) Financial statement assertions
(IV) WCGWs addressed by controls at the service organization
(V) Indicate controls tested by the service auditor by referencing the control objective,
controls or page number in the report

Service organization evaluation – Appendix B

Effect of complementary user entity controls


In the table provided (or cross reference to equivalent documentation), identify all complementary user entity controls (CUECs) described in the
type 2 SOC 1 report, assess their necessity to address the risks of material misstatement (WCGWs) relating to relevant assertions in the user
entity’s financial statements and reference our evaluation and testing of such controls. (Add rows to table as necessary.)

Table columns:
(I) Control objective and page number reference
(II) CUEC
(III) Necessary in mitigating a WCGW? (If CUEC is not necessary5, document rationale.)
(IV) Entity's control to address (If no controls are present, post issue to SOCD.)
(V) If CUEC is relevant: WP reference where the operating effectiveness of the entity's
control was tested

Column (III), per row: Yes / No. Provide rationale:
Row 1: Yes / No. Provide rationale:
Row 2: Yes / No. Provide rationale:
Row 3: Yes / No. Provide rationale:
Row 4: Yes / No. Provide rationale:
Row 5: Yes / No. Provide rationale:
Row 6: Yes / No. Provide rationale:

5
For example, the CUEC may not be necessary when other controls operate effectively and mitigate the WCGW(s) without the need to identify and test the entity control that addresses the CUEC.


Service organization evaluation – Appendix C

Effect of control exceptions


In the table provided or equivalent documentation, assess the effect of each exception described in the results of the service auditor’s testing.
(Add rows to table as necessary.)

Table columns:
(I) Control objective and page number reference
(II) Affected control
(III) Description of exception
(IV) Management's response (if applicable)6,7 (Response is: Audited / Unaudited)
(V) Control relevant to the audit? Yes / No
(VI) If control is relevant to the audit, deficiency posted to SOCD8 or other issues list?
Yes / No. Provide rationale:

Row 1: (IV) Response is: Audited / Unaudited; (V) Yes / No; (VI) Yes / No. Provide rationale:
Row 2: (IV) Response is: Audited / Unaudited; (V) Yes / No; (VI) Yes / No. Provide rationale:
Row 3: (IV) Response is: Audited / Unaudited; (V) Yes / No; (VI) Yes / No. Provide rationale:
Row 4: (IV) Response is: Audited / Unaudited; (V) Yes / No; (VI) Yes / No. Provide rationale:
Row 5: (IV) Response is: Audited / Unaudited; (V) Yes / No; (VI) Yes / No. Provide rationale:
Row 6: (IV) Response is: Audited / Unaudited; (V) Yes / No; (VI) Yes / No. Provide rationale:

6
When management's response is unaudited, we place limited reliance on it when evaluating the effect of the testing deviation.
7
Responses included in the testing section of a SOC 1 report are presumed to be audited. Responses included in the ‘Other information’ section of a SOC 1 report are
unaudited.
8
For integrated audits, if exceptions represent control deficiencies and the related controls are relevant to our opinion, we record the exceptions on the Summary of control
deficiencies – Integrated audit (SOCD-IA). These exceptions are further evaluated as to whether they individually, or when aggregated with other deficiencies, represent a
significant deficiency or a material weakness.

19
Service organization evaluation – Appendix C

(I) Control (V)


objective Control (VI) If control is relevant to
and page relevant the audit, deficiency posted
number (IV) Management's response to the to SOCD or other issues
reference (II) Affected control (III) Description of exception (if applicable), audit? list?
Response is: No No. Provide rationale:
Audited Unaudited
Yes Yes
No No. Provide rationale:
Response is:
Audited Unaudited

Service organization evaluation – Appendix D

IT process risks arising from in-scope IT processes at the service organization and related controls

Unless documented in EY Canvas, complete the mapping of IT process risks arising from the relevant IT processes at the service organization and identify relevant controls in the table provided or equivalent documentation. (Add rows to table as necessary.)

Columns:
(I) IT process
(II) Relevant IT applications, if a subset of those listed at Part II, A.4
(III) The Description of the System includes information related to:9
(IV) Applies to the service organization based on reading the information
(V) Risks arising from the process(es) used by the service organization to perform functions related to the in-scope IT applications9
(VI) Indicate controls tested by the service auditor by referencing the control, control objective or page number in the report

Row: (I) Manage change | (II) ___ | (III) Changing existing programs or adding new IT applications10 | (IV) ☐ Yes ☐ No10 ☐ Carved out ☐ Not applicable11 | (V) New IT application programs (including report programs) or changes to existing programs do not function as described because they are not adequately tested. New IT application programs (including report programs) or changes to existing programs are not appropriate for the business or IT environment because they are not appropriately approved. Programs in production are not secured, permitting developers to move unauthorized or untested changes into the production environment, or such activities are permitted but are not monitored. | (VI) ___
Row: Describe additional procedures (if needed)9
Row: (I) Manage change | (II) ___ | (III) Changing configurations of existing IT applications | (IV) ☐ Yes ☐ No ☐ Carved out ☐ Not applicable11 | (V) Changes to configurations for key application controls made by IT personnel are inappropriate or unauthorized. | (VI) ___
Row: (I) Manage change9 | (II) ___ | (III) ___ | (IV) ☐ Yes ☐ No ☐ Carved out | (V) ___ | (VI) ___
Row: (I) Manage change9 | (II) ___ | (III) ___ | (IV) ☐ Yes ☐ No ☐ Carved out | (V) ___ | (VI) ___
Row: (I) Manage access | (II) ___ | (III) The use of security settings10 | (IV) ☐ Yes ☐ No10 ☐ Carved out ☐ Not applicable11 | (V) Users of the IT environment are not the intended users due to inadequate authentication and security settings. | (VI) ___
Row: Describe additional procedures (if needed)9
Row: (I) Manage access | (II) ___ | (III) Adding, updating and terminating access of IT application users and IT environment privileged users10 | (IV) ☐ Yes ☐ No10 ☐ Carved out ☐ Not applicable11 | (V) The access rights of IT application users and IT environment privileged users are not authorized. | (VI) ___
Row: Describe additional procedures (if needed)9
Row: (I) Manage access | (II) ___ | (III) Maintaining the ongoing appropriateness of access rights of IT application users and IT environment privileged users10 | (IV) ☐ Yes ☐ No9 ☐ Carved out ☐ Not applicable11 | (V) The access rights of IT application users and IT environment privileged users do not remain appropriate for the users' job responsibilities. | (VI) ___
Row: Describe additional procedures (if needed)9
Row: (I) Manage access | (II) ___ | (III) Use of roles to group access rights | (IV) ☐ Yes ☐ No ☐ Carved out ☐ Not applicable11 | (V) The access rights within roles contain segregation of duties issues. | (VI) ___
Row: (I) Manage access | (II) ___ | (III) Direct data changes | (IV) ☐ Yes ☐ No ☐ Carved out ☐ Not applicable11 | (V) Direct data changes are not authorized. Direct data changes are not made accurately. | (VI) ___
Row: (I) Manage access9 | (II) ___ | (III) ___ | (IV) ☐ Yes ☐ No ☐ Carved out | (V) ___ | (VI) ___
Row: (I) Manage access9 | (II) ___ | (III) ___ | (IV) ☐ Yes ☐ No ☐ Carved out | (V) ___ | (VI) ___
Row: (I) Manage IT operations | (II) ___ | (III) Backup processes | (IV) ☐ Yes ☐ No9 ☐ Carved out ☐ Not applicable11 | (V) Hardware or software issues result in loss of data or the ability to accurately process data. | (VI) ___
Row: Describe additional procedures (if needed)9
Row: (I) Manage IT operations | (II) ___ | (III) The use of a job scheduler and batch processing | (IV) ☐ Yes ☐ No ☐ Carved out ☐ Not applicable11 | (V) Jobs are scheduled inaccurately. Access to the job scheduler is inappropriate. | (VI) ___
Row: (I) Manage IT operations | (II) ___ | (III) Monitoring of IT processing | (IV) ☐ Yes ☐ No ☐ Carved out ☐ Not applicable11 | (V) Issues with programs (including scheduled and unscheduled jobs and interfaces) that do not process to completion are not addressed or are addressed inappropriately. | (VI) ___
Row: (I) Manage IT operations9 | (II) ___ | (III) ___ | (IV) ☐ Yes ☐ No ☐ Carved out | (V) ___ | (VI) ___
Row: (I) Manage IT operations9 | (II) ___ | (III) ___ | (IV) ☐ Yes ☐ No ☐ Carved out | (V) ___ | (VI) ___

9 The pre-listed activities and risks are those IT activities and risks that are typical of most IT processes; however, they may need to be customized. In addition, activities and risks may need to be added by the audit team using the blank rows provided to include all relevant activities performed by the service organization based on the audit team's reading of the Description of the System.
10 The bolded activities in column III are expected to be included in the Description of the System, when not carved out. Responses of 'No' in column IV related to bolded activities in column III should be considered unusual. Describe additional procedures performed to confirm the lack of applicability or to address the omitted discussion in the space provided in the line below the bolded activity.
11 Typically applies only for limited reports such as for subservice organizations (e.g., data hosting centers).

Additional considerations:
► If there is any part of the manage change process handled by the entity that addresses a relevant risk to the service organization's IT process that isn't included as a CUEC, add a process to Canvas, include the risk and define the control(s).
► If there is any part of the manage access process handled by the entity that is not included as a CUEC, such as those listed below, add an IT process to Canvas, include the risk(s) and define the control(s).
  o Approving access rights and changes
  o Implementing access rights
  o Periodically verifying the appropriateness of user access rights

Service organization evaluation – Appendix E

Effect of complementary subservice organization controls

In the table provided (or cross reference to equivalent documentation), identify all complementary subservice organization controls (CSOCs) described in the type 2 SOC 1 report, assess their necessity to address the risks of material misstatement (WCGWs) relating to relevant assertions in the user entity’s financial statements and reference our evaluation and testing of such controls. (Add rows to table as necessary.)

Columns:
(I) Service org control objective and page number reference
(II) Subservice organization
(III) Complementary subservice organization control (CSOC)
(IV) Is the CSOC necessary in addressing the risks of material misstatement related to the relevant assertions in the user entity's financial statements?12 (If CSOC is not necessary, document rationale.)
(V) If CSOC is necessary:
► Identify the control in the subservice organization SOC 1 report that was tested for an appropriate period; or
► Identify service organization controls that address the risk related to the CSOC; or
► Identify entity controls that address the risk related to the CSOC
(If no controls exist and we are performing an integrated audit, post an issue to the SOCD.)
W/P reference

Row 1: (I) ___ | (II) ___ | (III) ___ | (IV) ☐ Yes ☐ No. Provide rationale: | (V) ___ | W/P reference ___
Row 2: (I) ___ | (II) ___ | (III) ___ | (IV) ☐ Yes ☐ No. Provide rationale: | (V) ___ | W/P reference ___
Row 3: (I) ___ | (II) ___ | (III) ___ | (IV) ☐ Yes ☐ No. Provide rationale: | (V) ___ | W/P reference ___
Row 4: (I) ___ | (II) ___ | (III) ___ | (IV) ☐ Yes ☐ No. Provide rationale: | (V) ___ | W/P reference ___

12 Complementary subservice organization controls are controls that management of the service organization assumes, in the design of the service organization's system, will be implemented by the subservice organization and are necessary to achieve the control objectives stated in management's description of the service organization's system.
