What is the primary difference between a 'Type I' and 'Type II' SOC report?

Answer options:

Type I is for financial controls; Type II is for security controls.

Type I reports on the design of controls at a point in time; Type II reports on design and operating effectiveness over a period of time.

Type I includes an auditor's opinion; Type II does not.

Type I is mandatory; Type II is optional.

How to approach this question

Memorize: Type I = Design/Point. Type II = Effectiveness/Period.

Full Answer

B.Type I reports on the design of controls at a point in time; Type II reports on design and operating effectiveness over a period of time.✓ Correct

Type II is more comprehensive because it tests if the controls actually worked over a period (usually 6-12 months), whereas Type I only checks if they were designed correctly on a specific date.

Common mistakes

Confusing SOC 1/2 with Type I/II.

Question 45 All questions Question 47

Practice the full CPA ISC Practice Exam 2

82 questions · hints · full answers · grading

More questions from this exam

Q01A service organization provides a cloud-based payroll platform where clients access the software ...Medium Q02An auditor is reviewing the backup strategy for a financial institution that requires a Recovery ...Hard Q03During a walkthrough of the change management process, an auditor observes that developers have w...Medium Q04An auditor is reviewing a SQL query used to generate a list of active customers for a marketing c...Hard Q05Which of the following entities is considered a 'Covered Entity' under the HIPAA Privacy Rule?Medium

View all 82 questions →