Specifications include, but are not limited to:

Specific Services to be Performed:

1. FIRM shall perform a Type II SOC 2 engagement at COT of controls placed in operation and tests of operating effectiveness. The engagement should include testing and other procedures to obtain reasonable assurance that:
   a. Description provided by COT of the service organization’s system is fairly presented.
   b. Controls included in the COT description were suitably designed to achieve the applicable trust services criteria if the controls operated effectively; and
   c. Such controls were placed in operation and, in all material respects, are operational and functioning effectively to meet the applicable trust service criteria.

2. If significant COT controls were designed with the assumption that certain agency controls can be relied upon by COT to achieve the control objective, these significant agency controls should be identified in the COT description of controls.

3. The trust service principles to be addressed in the engagement are as follows:
   a. Security. COT’s system must have controls in place to safeguard against unauthorized physical and logical access.
   b. Availability. COT’s system must be available for operation and must be used as agreed.
   c. Processing Integrity. COT’s system processing must be complete, accurate, well-timed, and authorized.
   d. Confidentiality. The information held by COT that is classified as “confidential” by a user must be protected.
   e. Privacy. All personal information that the organization collects, uses, retains, and discloses must be in accordance with their privacy notice and principles.

These are specified by the American Institute of Certified Public Accountants.