What is the primary difference between a SOC 2® Type I and a SOC 2® Type II report?

Answer options:

Type I covers Security only; Type II covers all criteria.

Type I is for public use; Type II is restricted use.

Type I reports on the design of controls at a point in time; Type II reports on design and operating effectiveness over a period of time.

Type I is performed by internal audit; Type II is performed by external CPA.

How to approach this question

Type I = One date (Design). Type II = Period (Design + Operation).

Full Answer

C.Type I reports on the design of controls at a point in time; Type II reports on design and operating effectiveness over a period of time.✓ Correct

A Type I report opines on the fairness of the description and the suitability of the design of controls as of a specific date. A Type II report adds an opinion on the operating effectiveness of those controls throughout a specified period (usually 6-12 months).

Common mistakes

Confusing SOC 1/2/3 with Type I/II.

Question 33 All questions Question 35

Practice the full CPA ISC Practice Exam

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is performing a risk assessment for a client that uses a public cloud provider for its core...Hard Q02During a walkthrough of a client's change management process, the auditor notes that developers h...Hard Q03A service organization provides a real-time transaction processing platform. The service level ag...Hard Q04An auditor is reviewing a SQL query used by the finance team to generate a report of all sales tr...Hard Q05A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud dep...Hard

View all 82 questions →