An auditor is reviewing a SOC 2® Type II report. The testing period covers January 1 to December 31. The auditor notices that a significant control failure occurred on December 28 and was not remediated by year-end. How should this be handled?

Answer options:

Ignore it since it happened at the very end of the period.

Report it as an exception/deviation in the testing results.

Extend the period to January 31 to allow for remediation.

Issue a disclaimer of opinion.

How to approach this question

If it happened in the period, it goes in the report.

Full Answer

B.Report it as an exception/deviation in the testing results.✓ Correct

A Type II report covers a period of time. Any control failure occurring within that period must be noted as an exception in the description of tests and results. The auditor then evaluates if this exception warrants a modification to the opinion.

Common mistakes

Thinking the auditor can 'fix' the report by extending the date.

Question 58 All questions Question 60

Practice the full CPA ISC Practice Exam 3

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud-based s...Medium Q02During a review of a client's cloud governance structure, an auditor notes that the client uses a...Medium Q03An auditor is evaluating the 'Processing Integrity' principle for a financial institution's loan ...Hard Q04A company uses a batch processing system to update inventory records overnight. The 'Grandfather-...Hard Q05During a walkthrough of the change management process, an auditor observes that the 'Developer' r...Medium

View all 82 questions →