Medium · 1 mark · Multiple Choice
Area II: Risk Assessment · AUD · SOC Reports · Service Organizations

CPA · Question 16 · Area II: Risk Assessment

An auditor is understanding the internal control of a client that uses a service organization for payroll processing. The auditor obtains a SOC 1 Type 2 report. Which of the following is the auditor PRIMARILY looking for in this report to support a lower assessment of control risk?

Answer options:

A. The service auditor's opinion on the fairness of the presentation of the service organization's system description.

B. The service auditor's opinion on the operating effectiveness of controls and the results of tests of controls.

C. A list of user control considerations (UCCs) that the client must implement.

D. Confirmation that the service organization has a disaster recovery plan.

How to approach this question

Distinguish SOC 1 Type 1 (Design only) vs Type 2 (Design + Operating Effectiveness). Only Type 2 allows reducing control risk.

Full Answer

B. The service auditor's opinion on the operating effectiveness of controls and the results of tests of controls. ✓ Correct
A Type 2 report includes the service auditor's tests of controls and results. This allows the user auditor to rely on the operating effectiveness of those controls to reduce control risk. A Type 1 report only addresses design.

Common mistakes

Thinking Type 1 is sufficient for reliance.
