ExpertMedium1 markMultiple Choice
CPA · Question 07 · Area III: SOC Engagements
A service auditor is engaged to perform a SOC 2® examination. The client requests that the report focus solely on the security of the system and not on availability, processing integrity, confidentiality, or privacy. Is this permissible?
A service auditor is engaged to perform a SOC 2® examination. The client requests that the report focus solely on the security of the system and not on availability, processing integrity, confidentiality, or privacy. Is this permissible?
Answer options:
A.
No, all five Trust Services Criteria must be included in a SOC 2® report.
B.
Yes, Security is the only mandatory Trust Services Criterion.
C.
No, Availability is also mandatory for all cloud service providers.
D.
Yes, but the report must be titled SOC 3® instead.
How to approach this question
Recall the structure of Trust Services Criteria (TSC).
Full Answer
B.Yes, Security is the only mandatory Trust Services Criterion.✓ Correct
Yes, Security is the only mandatory Trust Services Criterion.
The Security criterion (Common Criteria) is the foundation of SOC 2. Availability, Processing Integrity, Confidentiality, and Privacy are optional categories added based on the system's commitments.
Common mistakes
Believing all 5 criteria are required.
Practice the full CPA ISC Practice Exam 2
82 questions · hints · full answers · grading
More questions from this exam
Q01A service organization provides a cloud-based payroll platform where clients access the software ...MediumQ02An auditor is reviewing the backup strategy for a financial institution that requires a Recovery ...HardQ03During a walkthrough of the change management process, an auditor observes that developers have w...MediumQ04An auditor is reviewing a SQL query used to generate a list of active customers for a marketing c...HardQ05Which of the following entities is considered a 'Covered Entity' under the HIPAA Privacy Rule?Medium