Which of the following best describes the primary purpose of a SOC 3® report compared to a SOC 2® report?

Answer options:

It focuses on financial reporting controls rather than security.

It includes detailed testing procedures and results for each control.

It is a general-use report intended for public distribution, providing a high-level summary without detailed testing results.

It is specifically designed for cybersecurity risk management across the supply chain.

How to approach this question

SOC 1 = Financial. SOC 2 = Detailed/Restricted Use. SOC 3 = Summary/General Use (Marketing).

Full Answer

C.It is a general-use report intended for public distribution, providing a high-level summary without detailed testing results.✓ Correct

It is a general-use report intended for public distribution, providing a high-level summary without detailed testing results.

SOC 3 is a general-use report. It contains the auditor's opinion and management's assertion but omits the detailed system description and the specific tests and results found in a SOC 2.

Common mistakes

Thinking SOC 3 has detailed testing (it doesn't).

Question 15 All questions Question 17

Practice the full CPA ISC Practice Exam 4

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...Hard Q02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...Hard Q03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...Hard Q04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...Hard Q05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard

View all 82 questions →