Area II: Risk Assessment — CPA Practice Question 16

How to approach this question

Distinguish SOC 1 Type 1 (Design only) vs Type 2 (Design + Operating Effectiveness). Only Type 2 allows reducing control risk.

Full Answer

B.The service auditor's opinion on the operating effectiveness of controls and the results of tests of controls.✓ Correct

The service auditor's opinion on the operating effectiveness of controls and the results of tests of controls.

A Type 2 report includes the service auditor's tests of controls and results. This allows the user auditor to rely on the operating effectiveness of those controls to reduce control risk. A Type 1 report only addresses design.

Common mistakes

Thinking Type 1 is sufficient for reliance.

An auditor is understanding the internal control of a client that uses a service organization for payroll processing. The auditor obtains a SOC 1 Type 2 report. Which of the following is the auditor PRIMARILY looking for in this report to support a lower assessment of control risk?

How to approach this question

Full Answer

Common mistakes

Practice the full CPA AUD Practice Exam 4

More questions from this exam