A service auditor is issuing a SOC 2® Type II report. Testing identified that a key control for revoking terminated user access failed in 5 out of 25 instances sampled. The failure resulted in terminated employees retaining access for up to 2 weeks. What type of opinion should the auditor likely issue?

Answer options:

Unqualified opinion

Qualified opinion

Disclaimer of opinion

Adverse opinion

How to approach this question

Assess severity. Small error = Unqualified with exceptions. Material error = Qualified. Pervasive failure = Adverse. 20% failure on access control is material.

Full Answer

B.Qualified opinion✓ Correct

A qualified opinion states that the controls were effective 'except for' the specific matter identified. A 20% failure rate in a key security control is material enough to prevent an unqualified opinion but typically results in a qualification rather than an adverse opinion unless the breach was pervasive across all criteria.

Common mistakes

Thinking any error = Adverse.

Question 32 All questions Question 34

Practice the full CPA ISC Practice Exam

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is performing a risk assessment for a client that uses a public cloud provider for its core...Hard Q02During a walkthrough of a client's change management process, the auditor notes that developers h...Hard Q03A service organization provides a real-time transaction processing platform. The service level ag...Hard Q04An auditor is reviewing a SQL query used by the finance team to generate a report of all sales tr...Hard Q05A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud dep...Hard

View all 82 questions →