Hard · 1 mark · Multiple Choice
CPA · Question 09 · Area III: SOC Engagements
A service organization is undergoing a SOC 2® Type II engagement. The auditor finds that for a sample of 25 new hires, 2 did not complete the required security awareness training within 30 days of hire as mandated by company policy. The control description states: 'All new hires complete security training within 30 days.' What is the MOST appropriate conclusion?
Answer options:
A. The control is effective because the majority (92%) complied.
B. A deviation exists, and the auditor must evaluate if it represents a control deficiency.
C. The auditor should expand the sample size to 50 to see if the error rate decreases.
D. Issue an Adverse Opinion immediately.
How to approach this question
Recognize that any failure in a sample is a 'deviation'. The next step is evaluation, not immediate condemnation or ignoring it.
Full Answer
B. A deviation exists, and the auditor must evaluate if it represents a control deficiency. ✓ Correct
When testing controls, any instance where the control did not operate as prescribed is a deviation. The auditor must evaluate whether this deviation represents a systematic control deficiency or an isolated incident, and whether it impacts the achievement of the control objective.
Common mistakes
Thinking 92% is 'passing' (controls are binary: effective or not effective based on tolerance) or jumping straight to an Adverse Opinion.