Understanding Service Organization Controls: Which Document Holds the Key?

The correct answer is C The engagement letter between the service organization and the service auditor.

Here's why:

• Engagement Letter: This document outlines the scope of the auditor's work, including the specific services, processes, and controls to be assessed. It provides a roadmap for the audit and defines the responsibilities of both the service organization and the auditor.

Let's examine why the other options are not the primary source:

• A The service organization’s contract with the user entity: While this document outlines the services provided, it may not delve into the specific controls implemented. * B The Type 2 SOC 1 report for the subservice organization: This report focuses on the controls of a subservice organization used by the primary service organization, not the primary organization itself.* D The service organization’s management representation letter: This letter affirms management's assertions about the effectiveness of controls but doesn't provide the detailed understanding offered by the engagement letter.

In conclusion, the engagement letter serves as the cornerstone document for understanding the services, processes, and controls employed by a service organization on behalf of the user entity.