Easy · 1 mark · Multiple Choice
CPA · Question 15 · Area III: SOC Engagements
A CPA is performing a SOC 2® engagement. The service organization uses a third-party data center for physical hosting. The service organization's management asserts that physical security is the responsibility of the data center and excludes it from their system description. Which reporting method is being used?
Answer options:
A. Carve-out Method
B. Inclusive Method
C. Blended Method
D. Type 1 Method
How to approach this question
Identify that the third party is excluded from the description.
Full Answer
A. Carve-out Method ✓ Correct
When a service organization relies on a subservice organization (like a data center) and excludes the subservice organization's controls from the system description and the auditor's testing, it is using the Carve-out method. The report will list the subservice organization and the services provided but will not opine on their controls.
Common mistakes
Confusing the method (Carve-out) with the report type (Type 1/2).