Comprehensive Guide to SOC Reports: Types, Parties, and Key
Controls Exam #1 Questions with Correct Answers
Why do SOC reports exist — what problem do they solve? - ✔✔When a company
outsources a critical function to a third party, the company and its auditors need
assurance that the service provider's internal controls are sound. Instead of every
user entity auditing the service organization independently, the service organization
hires one audit firm to produce a single SOC report that all of its clients and their
auditors can rely on.
Who are the three parties in a SOC engagement? Give an example of each. -
✔✔User Entity: the company that outsourced the function (e.g., Molson Coors,
Restaurant Supply Depot). Service Organization: the third-party provider (e.g.,
ADP, Mountain PayTime). Service Auditor: the independent audit firm that
examines the service organization and issues the SOC report (e.g., Deloitte, The
Carlile LLP).
What functions are commonly outsourced to service organizations? - ✔✔Payroll,
cloud services, credit card processing, IT services, customer support, and financial
technology (fintech) platforms.
What is the difference between a Type I and Type II SOC report? - ✔✔Type I:
describes the system and evaluates whether the controls are suitably designed as of
a single point in time; it does NOT test whether the controls actually operated. |
Type II: describes the system, evaluates design, AND tests the operating
effectiveness of the controls over a period of time (commonly 6 to 12 months). Type II
is the gold standard and the ONLY type accepted for SOX 404 purposes, because only
it provides evidence that the controls operated throughout the period.
Why is Type II the only acceptable SOC report for SOX 404 purposes? - ✔✔SOX
404 requires evidence that controls are actually operating effectively over time —
not just well-designed on paper. Type I only evaluates design at a point in time.
Type II tests actual operation over a full period, which is what SOX 404 demands.
What is a SOC 1 report and when is it used? - ✔✔A SOC 1 focuses on internal
control over financial reporting (ICFR). It is used when the service organization
performs functions that could affect the accuracy of the user entity's financial
statements, for example a payroll processor. It supports the financial statement
audit (and SOX 404 assessment) of the user entity, so its intended readers are the
user entity's management and its auditors.
What is a SOC 2 report and when is it used? - ✔✔A SOC 2 focuses on the Trust
Services Criteria (TSCs): security, availability, processing integrity,
confidentiality, and privacy. Security is always in scope; the other four categories
are included as the service organization chooses. Used for data centers, cloud
services, and IT providers where the primary concern is security and reliability
rather than financial reporting. Like a SOC 1, it comes in Type I and Type II and is
a restricted-use report intended for a limited audience (the service organization,
its user entities, and their auditors).
What is a SOC 3 report and how does it differ from SOC 2? - ✔✔SOC 3 covers the
same Trust Services Criteria as SOC 2, but it is a general-use report that the
service organization can publish and distribute freely. It contains the auditor's
opinion and management's assertion but not the detailed system description, control
descriptions, or test results, so it tells the reader 'we passed' without revealing
how the controls work or what was tested. Think of it as the marketing version of a
SOC 2; a user entity that needs to evaluate specific controls must obtain the SOC 2.
What are the 5 Trust Services Criteria (TSCs) covered in a SOC 2? - ✔✔1) Security:
system protected against unauthorized access. 2) Availability: system available for
use as agreed. 3) Processing Integrity: processing is complete, valid, accurate,
timely, and authorized. 4) Confidentiality: confidential information is protected as
agreed. 5) Privacy: personal information is handled in accordance with privacy
commitments.
What is an unmodified (unqualified) SOC opinion? - ✔✔The best outcome. In all
material respects: management's description fairly presents the system, the controls
are suitably designed, and (for Type II) the controls operated effectively throughout
the period. It means user entities and their auditors can rely on the service
organization's controls within the report's scope and period. That reliance is still
conditional: the user entity must confirm that the services and period covered match
what it actually uses, and that it has implemented the complementary user entity
controls (CUECs) that the report assigns to the user entity.