All questions (88)
A CPA is engaged to perform a SOC 1® engagement. Which of the following best describes the subject matter of this engagement?
A service organization's system description includes controls performed by a subservice organization (e.g., a data center). The service auditor decides to use the 'carve-out' method. What does this imply for the service auditor's report?
In a SOC 2® engagement, which of the following Trust Services Criteria is MANDATORY for every report?
A service auditor is issuing a SOC 2® Type II report. Testing identified that a key control for revoking terminated user access failed in 5 out of 25 instances sampled. The failure resulted in terminated employees retaining access for up to 2 weeks. What type of opinion should the auditor likely issue?
What is the primary difference between a SOC 2® Type I and a SOC 2® Type II report?
Which of the following is an example of a 'Complementary User Entity Control' (CUEC) that might be listed in a payroll service provider's SOC 1® report?
An auditor is testing a control that requires 'Quarterly access reviews'. The auditor selects a sample of one review from the year. Is this sample size appropriate?
A service organization provides a cloud-based data warehouse. A user entity auditor wants to know if the data in the warehouse is accurate and complete. Which Trust Services Criteria category is MOST relevant?
An auditor is reviewing the 'Management's Assertion' in a SOC 2® report. Which of the following statements must be included in the assertion?
An auditor is testing the 'Termination' process. They sample 10 employees who left the company. For one employee, the Active Directory account was disabled 3 days after their departure date. The policy states 'within 24 hours'. What is the auditor's next step?
A service organization's management refuses to provide a written assertion for a SOC 2® engagement. What action must the auditor take?
An auditor is reviewing the 'System Description' for a SOC 2® report. The description lists 'Google Cloud Platform' as a subservice organization. The auditor notes that the description does NOT include the specific controls performed by Google. This indicates:
An auditor is testing the 'Accuracy' of a report generated by an IT system. They trace a sample of items from the report back to the source documents (invoices). This test primarily provides evidence for:
An auditor is evaluating the 'Independence' of the personnel performing a SOC 2® engagement. Which of the following would impair independence?
A service organization has a control that states: 'Firewall rules are reviewed semi-annually.' The auditor tests this by requesting the minutes of the review meetings. The client provides minutes for a meeting in January and a meeting in July. Is this sufficient evidence for a Type II report covering Jan 1 to Dec 31?
Which of the following is a 'Substantive Procedure' in an IT audit context?
An auditor is reviewing the 'System Description' and notices it mentions 'The system is protected by a firewall'. However, the firewall is managed by a third-party MSP (Managed Service Provider) and is not included in the scope of the report (carve-out). What is the impact on the user entity?
Which of the following is a 'Privacy' control (as opposed to Security) in a SOC 2® engagement?
An auditor is reviewing the 'System Description' for a SOC 2® report. The description includes a flowchart of the order processing system. The auditor notices a step in the flowchart where 'Orders > $5000 require Manager Approval'. During the walkthrough, the auditor observes that the system actually requires approval for orders > $10,000. What is the auditor's conclusion?
A service auditor is engaged to perform a SOC 2® examination. The client requests that the report focus solely on the security of the system and not on availability, processing integrity, confidentiality, or privacy. Is this permissible?
In a SOC 2® engagement, management asserts that they use a subservice organization for data center hosting. Management's description of the system excludes the controls performed by the data center. Which method of reporting is being used?
An auditor is testing a control that states: 'All new employees must undergo background checks.' The auditor selects a sample of 25 new hires. 24 have documented background checks, but 1 file is missing the documentation. The HR manager states the check was done but the file was lost. What is the appropriate conclusion?
A service organization's management refuses to provide a written assertion for a SOC 2® engagement. What action should the service auditor take?
Which of the following is a key difference between SOC 1® and SOC 2® engagements?
In a SOC 2® report, which opinion type is issued when the auditor concludes that controls were not suitably designed or operating effectively to achieve the control objectives?
What is the primary purpose of a 'Walkthrough' in an IT audit?
A service organization provides a SOC 2® Type II report covering the period January 1 to December 31. A significant control failure occurred on December 28 and was corrected on January 2. How should this be reflected in the report?
An auditor is evaluating the 'Processing Integrity' criterion in a SOC 2® engagement. Which of the following is a key requirement?
In a SOC 2® engagement, what are 'Complementary User Entity Controls' (CUECs)?
An auditor is testing the 'Logical Access' domain. They find that a terminated employee's account remained active for 3 weeks after departure. The policy requires removal within 24 hours. This is an example of:
What is the primary difference between a 'Type I' and 'Type II' SOC report?
In a SOC 2® engagement, the 'System Description' is primarily the responsibility of:
Which document in a SOC engagement outlines the auditor's opinion, the scope of the engagement, and the responsibilities of management and the auditor?
A service organization uses a 'Bridge Letter' (Gap Letter). What is its purpose?
Which of the following is a requirement of the 'Privacy' Trust Services Criterion?
In a SOC 2® engagement, if the service organization uses the 'Inclusive Method' for a subservice organization, what is the auditor's responsibility?
A service organization is undergoing a SOC 2® Type II engagement. The auditor finds that for a sample of 25 new hires, 2 did not complete the required security awareness training within 30 days of hire as mandated by company policy. The control description states: 'All new hires complete security training within 30 days.' What is the MOST appropriate conclusion?
Which of the following scenarios BEST describes a 'Carve-out' method in a SOC 2® report involving a subservice organization?
A CPA is performing a SOC 2® engagement. The service organization uses a third-party data center for physical hosting. The service organization's management asserts that physical security is the responsibility of the data center and excludes it from their system description. Which reporting method is being used?
Which of the following is a 'Complementary User Entity Control' (CUEC) likely to be found in a payroll service provider's SOC 1® report?
An auditor is reviewing a SOC 2® report and notices the opinion is 'Qualified'. What does this indicate?
In a SOC 2® engagement, which Trust Services Criteria category is MANDATORY for every report?
A service organization provides a cloud-based accounting platform. They want to assure their customers that the system is available and confidential. However, they do not want to reveal the detailed results of their control testing to the general public. Which report is MOST appropriate?
A company is using the 'Inclusive Method' for a subservice organization in their SOC 2® report. What does this imply for the service auditor?
What is the primary purpose of a 'Management Assertion' in a SOC engagement?
An auditor is reviewing a SOC 2® Type II report. The testing period covers January 1 to December 31. The auditor notices that a significant control failure occurred on December 28 and was not remediated by year-end. How should this be handled?
Which of the following is a 'Type 1' SOC report?
An auditor is assessing 'Independence' for a SOC engagement. Which of the following would impair independence?
An auditor is reviewing the 'System Description' in a SOC 2® report. Which of the following MUST be included?
Which of the following is a 'Subsequent Event' in a SOC engagement?
An auditor is reviewing the 'System Boundaries' in a SOC 2® engagement. The client has excluded their 'Customer Support Chatbot' from the system description. The chatbot collects customer names and account numbers. Is this exclusion appropriate?
A service organization is preparing for a SOC 2® engagement. They have identified a risk that unauthorized changes to the production database could result in data integrity issues. Which of the following is a 'preventive' control addressing this risk?
During a SOC 2® Type II engagement, the auditor discovers that for a sample of 25 new hires, 2 did not complete the required security awareness training within 30 days of hire as mandated by company policy. What is the most appropriate next step for the auditor?
A service organization uses the 'Carve-out' method for a subservice organization that provides data center hosting. In the SOC 2® report, how are the controls of the data center presented?
Which of the following best describes the primary purpose of a SOC 3® report compared to a SOC 2® report?
In the context of a SOC 2® engagement, what is the definition of a 'deviation'?
An auditor is reviewing the 'System Description' for a SOC 2® report. Which of the following is a REQUIRED element of the system description?
A service organization provides payroll processing services. They outsource the printing and mailing of checks to a third-party vendor. In the context of the service organization's SOC 1® report, what is the printing vendor considered?
A company is using a 'SaaS' CRM application. The auditor wants to verify that the SaaS provider backs up the data. Since the auditor cannot physically visit the SaaS provider, what is the most appropriate evidence to obtain?
In a SOC 2® engagement, which of the following is a 'Trust Services Criterion' related to Privacy?
What is the primary difference between a SOC 2® Type I and a SOC 2® Type II report?
Which of the following is a 'Management Assertion' required in a SOC 2® report?
An auditor is reviewing the 'System Boundaries' in a SOC 2® engagement. Which of the following should be included in the system boundary definition?
Which of the following is a 'Risk Response' strategy where the company decides to stop the activity that causes the risk?
In a SOC 2® report, if the service auditor identifies a material weakness in the design of controls, what type of opinion should be issued?
An auditor is reviewing the 'Complementary User Entity Controls' (CUECs) in a SOC 2® report. Who is responsible for implementing these controls?
A service organization's management refuses to provide a written assertion for a SOC 2® engagement. What should the service auditor do?
Which of the following is a 'Subsequent Event' in a SOC 2® engagement?
A service organization's clients need assurance regarding the controls over financial reporting. Which SOC report is most appropriate?
Which of the following is NOT one of the five Trust Services Criteria categories used in SOC 2 engagements?
A service organization wants a report to display on their website for potential customers to prove they are secure. The report should not contain sensitive technical details. Which report should they choose?
What is the primary difference between a Type I and a Type II SOC report?
In a SOC 2 engagement, which criterion is MANDATORY for every report?
A service organization uses a subservice organization for data center hosting. The service organization's auditor decides to use the 'Carve-Out' method. What does this mean for the report?
When using the 'Inclusive' method for a subservice organization, what is the service auditor's responsibility?
What are 'Complementary User Entity Controls' (CUECs)?
In planning a SOC 2 engagement, the auditor must assess 'Materiality'. How is materiality typically viewed in a SOC 2 compared to a financial audit?
Which section of a SOC 2 report contains the Management's Assertion?
During a SOC 2 Type II engagement, an auditor finds that a daily backup failed 3 times out of 365 days. The backups were successfully retried the next day. How should the auditor handle this?
Which testing procedure provides the highest level of assurance for operating effectiveness?
An auditor is testing a control that states 'All new hires must undergo a background check'. The auditor selects a sample of 25 new hires and finds 2 missing background checks. What is the deviation rate?
In a SOC engagement, what is the purpose of the 'System Description'?
If an auditor discovers a 'Subsequent Event' (after the period end but before the report date) that significantly affects the system's security, what should they do?
Which opinion type is issued when the system description is fairly presented and controls are effective, EXCEPT for one or more significant deficiencies?
What constitutes an 'Adverse Opinion' in a SOC report?
In a SOC 2 report, where would a user find the auditor's detailed tests and the results of those tests?
A service organization refuses to provide a written assertion (Section II). What must the auditor do?
Which of the following statements is TRUE regarding the use of a SOC 2 report?