A CPA is performing a SOC 2® engagement. The service organization uses a third-party data center for physical hosting. The service organization's management asserts that physical security is the responsibility of the data center and excludes it from their system description. Which reporting method is being used?

Answer options:

Carve-out Method

Inclusive Method

Blended Method

Type 1 Method

How to approach this question

Identify that the third party is excluded from the description.

Full Answer

A.Carve-out Method✓ Correct

When a service organization relies on a subservice organization (like a data center) and excludes the subservice organization's controls from the system description and the auditor's testing, it is using the Carve-out method. The report will list the subservice organization and the services provided but will not opine on their controls.

Common mistakes

Confusing the method (Carve-out) with the report type (Type 1/2).

Question 14 All questions Question 16

Practice the full CPA ISC Practice Exam 3

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud-based s...Medium Q02During a review of a client's cloud governance structure, an auditor notes that the client uses a...Medium Q03An auditor is evaluating the 'Processing Integrity' principle for a financial institution's loan ...Hard Q04A company uses a batch processing system to update inventory records overnight. The 'Grandfather-...Hard Q05During a walkthrough of the change management process, an auditor observes that the 'Developer' r...Medium

View all 82 questions →