Free CPA ISC (Information Systems & Controls) Considerations for SOC Engagements Practice Questions
SOC engagement considerations on the CPA ISC exam cover SOC 1 (ICFR), SOC 2 (trust services criteria), and SOC 3 reports, control design and operating effectiveness testing, and reporting requirements under SSAE standards.
202 Questions
75 Easy
76 Medium
51 Hard
2026 Syllabus
Sample Questions
Question 1
Easy
What is the PRIMARY difference between a SOC 2 report and a SOC 3 report?
Correct Answer: D
Solution
D is correct.
The primary difference between SOC 2 and SOC 3 reports is their intended audience and level of detail. A SOC 2 report is a restricted-use report intended for the service organization, user entities, and their auditors. It contains detailed descriptions of the service organization's system, the controls in place, the tests performed by the service auditor, and the results of those tests. A SOC 3 report is a general-use report that can be freely distributed (including on the service organization's website). It contains the auditor's opinion on whether controls were effective but does not include detailed control descriptions, test procedures, or test results. Both use the Trust Services Criteria.
Question 2
Medium
A SOC 2+ engagement differs from a standard SOC 2 engagement in that a SOC 2+ report:
Correct Answer: A
Solution
A is correct.
A SOC 2+ engagement includes the standard Trust Services Criteria plus additional criteria from other frameworks such as HIPAA, NIST Cybersecurity Framework, ISO 27001, or the Cloud Security Alliance STAR framework. The additional criteria are mapped alongside the Trust Services Criteria, allowing the service organization to demonstrate compliance with multiple standards in a single report.
Question 3
Hard
An organization is deciding between obtaining a SOC for Cybersecurity report and a SOC 2 report. The organization does not provide outsourced services to other entities but wants to demonstrate the maturity of its cybersecurity program to its board of directors, regulators, and potential investors. Which report type is MOST appropriate, and why?
Correct Answer: A
Solution
A is correct.
A SOC for Cybersecurity examination is specifically designed for entity-level cybersecurity reporting. It evaluates the organization's cybersecurity risk management program, including its objectives, processes, and controls, and produces a report intended for a broad range of stakeholders including boards of directors, regulators, analysts, and investors. This matches the organization's needs. A SOC 2 report, by contrast, is designed for service organizations and evaluates controls relevant to the Trust Services Criteria in the context of services provided to user entities — it is not designed for entity-level cybersecurity reporting to boards and investors.
FreeFellow is an AI-native exam prep platform for actuarial (SOA & CAS), CFA, CFP, CPA, CAIA, GARP FRM, IRS Enrolled Agent, IMA CMA, and FINRA / NASAA securities licensing candidates — built around modern AI as a core capability rather than as a bolt-on. Every lesson ships with AI-narrated audio. Every constructed-response item has a copy-to-AI prompt builder so candidates can paste their answer into their own ChatGPT or Claude for self-graded feedback. Fellow members get instant AI grading on essays against the official rubric (currently CFA Level III, expanding to other essay-bearing sections).
The 70% you need to pass — question bank, written solutions, lessons, formula sheet, mixed practice, readiness tracking — is free forever, with no trial period and no credit card. Become a Fellow ($59/quarter or $149/year per track) to unlock mock exams, flashcards with spaced repetition, performance analytics, AI essay grading, and a personalized study plan.