ExpertMedium1 markMultiple Choice
CPA · Question 59 · Area III: SOC Engagements
An auditor is reviewing a SOC 2® Type II report. The testing period covers January 1 to December 31. The auditor notices that a significant control failure occurred on December 28 and was not remediated by year-end. How should this be handled?
An auditor is reviewing a SOC 2® Type II report. The testing period covers January 1 to December 31. The auditor notices that a significant control failure occurred on December 28 and was not remediated by year-end. How should this be handled?
Answer options:
A.
Ignore it since it happened at the very end of the period.
B.
Report it as an exception/deviation in the testing results.
C.
Extend the period to January 31 to allow for remediation.
D.
Issue a disclaimer of opinion.
How to approach this question
If it happened in the period, it goes in the report.
Full Answer
B.Report it as an exception/deviation in the testing results.✓ Correct
B
A Type II report covers a period of time. Any control failure occurring within that period must be noted as an exception in the description of tests and results. The auditor then evaluates if this exception warrants a modification to the opinion.
Common mistakes
Thinking the auditor can 'fix' the report by extending the date.
Practice the full CPA ISC Practice Exam 3
82 questions · hints · full answers · grading
More questions from this exam
Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud-based s...MediumQ02During a review of a client's cloud governance structure, an auditor notes that the client uses a...MediumQ03An auditor is evaluating the 'Processing Integrity' principle for a financial institution's loan ...HardQ04A company uses a batch processing system to update inventory records overnight. The 'Grandfather-...HardQ05During a walkthrough of the change management process, an auditor observes that the 'Developer' r...Medium