ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Area III: SOC EngagementsAudit SamplingSOC 2Area III

CPA · Question 14 · Area III: SOC Engagements

During a SOC 2® Type II engagement, the auditor discovers that for a sample of 25 new hires, 2 did not complete the required security awareness training within 30 days of hire as mandated by company policy. What is the most appropriate next step for the auditor?

Answer options:

A.

Issue an adverse opinion immediately

B.

Replace the 2 failed samples with 2 other random samples

C.

Expand the sample size to determine if the deviation is systematic or isolated

D.

Conclude the control is operating effectively since 92% passed

How to approach this question

Audit methodology: If you find an error, you don't ignore it, and you don't jump to the worst conclusion immediately. You investigate further (expand sample).

Full Answer

C.Expand the sample size to determine if the deviation is systematic or isolated✓ Correct
When deviations are discovered in sampling, the auditor should expand the sample to determine the deviation rate and whether the control can still be relied upon.

Common mistakes

Thinking 2 errors is acceptable (it usually isn't for key controls) or jumping straight to an adverse opinion.
13All questions15

Practice the full CPA ISC Practice Exam 4

82 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...HardQ02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...HardQ03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...HardQ04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...HardQ05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard
View all 82 questions →