© 2026 TinyHive Labs. Company number 16262776.

    CPA ISC Practice Exam 4 · Question 14
    Hard · 1 mark · Multiple Choice
    Area III: SOC Engagements · Audit Sampling · SOC 2

    During a SOC 2® Type II engagement, the auditor discovers that for a sample of 25 new hires, 2 did not complete the required security awareness training within 30 days of hire as mandated by company policy. What is the most appropriate next step for the auditor?

    Answer options:

    A. Issue an adverse opinion immediately

    B. Replace the 2 failed samples with 2 other random samples

    C. Expand the sample size to determine if the deviation is systematic or isolated

    D. Conclude the control is operating effectively since 92% passed

    How to approach this question

    Audit methodology: If you find an error, you don't ignore it, and you don't jump to the worst conclusion immediately. You investigate further (expand sample).

    Full Answer

    C. Expand the sample size to determine if the deviation is systematic or isolated ✓ Correct
    When deviations are discovered in sampling, the auditor should expand the sample to determine the deviation rate and whether the control can still be relied upon.

    Common mistakes

    Thinking 2 errors is acceptable (it usually isn't for key controls) or jumping straight to an adverse opinion.