

Unit 3: System and Organisation Controls (SOC) Engagements

Prepare for Unit 3: System and Organisation Controls (SOC) Engagements with practice questions covering 6 topics. Part of ISC: Information Systems and Controls — build your knowledge and track your progress with GoCPAus.

Questions: 271 · Topics: 6 · Access: Premium

What’s in it.

6 topics
  • Topic 01: SOC 1 Engagements (45 questions)
  • Topic 02: SOC 2 Engagements (49 questions)
  • Topic 03: SOC 3 Engagements (45 questions)
  • Topic 04: Complementary User Entity Controls (CUECs) (42 questions)
  • Topic 05: Subservice Organisations (45 questions)
  • Topic 06: Reporting on SOC Engagements (45 questions)

Sample questions

3 of many

A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.

  1. What does a SOC 3 report contain that distinguishes it from a SOC 2 report in terms of content?

    • A SOC 3 contains only management's assertion; the service auditor does not issue any report for SOC 3 engagements
    • A SOC 3 contains only the practitioner's short-form conclusion and a brief description of the service organisation; a SOC 2 includes a detailed system description, tests of controls, and test results
      Correct answer
    • A SOC 3 contains only the list of CUECs and the service auditor's independence letter
    • A SOC 3 contains the same content as a SOC 2 but in a more readable format without technical jargon
    Explanation

    The distinguishing characteristic of SOC 3 is its minimal content. A SOC 3 report contains: (1) the practitioner's short-form conclusion stating that controls were effective for the covered TSC categories throughout the period; and (2) a brief description of the service organisation and the categories covered. It does not contain: management's detailed assertion, system description, control lists, test procedures, test results, or exception details. The SOC 2 contains all of these elements in full detail.

  2. An enterprise customer's vendor risk programme requires annual SOC 2 coverage for all Tier 1 vendors. A SaaS vendor provides a SOC 2 Type 2 covering July 1 through December 31 (six months) and notes that the prior year's report covered January 1 through December 31. The customer's IT auditor claims the two reports together cover the full current calendar year. Is this claim accurate?

    • Partially — the combination of the prior-year January-December report and the current-year July-December report does not provide continuous current-year evidence; the current-year January-June period has no Type 2 coverage and the prior-year report's evidence applies to a different year
      Correct answer
    • Yes; the auditor can use the prior-year January-June evidence to cover the current-year January-June gap
    • No; but the prior-year report is always completely irrelevant to the current year's evaluation
    • Yes; combining two consecutive SOC 2 reports always provides annual assurance for the current year
    Explanation

    The two reports together cover January-December of the prior year and July-December of the current year. The current-year January-June period has no Type 2 coverage. The prior-year evidence cannot substitute for current-year evidence because controls may have changed. The customer has a six-month gap (January-June of the current year) that requires supplemental assurance — a bridge letter, inquiry, or additional procedures. The auditor's claim that the two reports together cover the full current year is incorrect.

  3. A user entity auditor needs evidence that a service organisation's controls over payroll processing operated effectively during the year. Which SOC 1 report type satisfies this need?

    • SOC 1 Type 2
      Correct answer
    • Either Type 1 or Type 2, depending on the user entity's risk tolerance
    • A bridge letter from the service organisation covering the year
    • SOC 3, which covers all operating effectiveness requirements
    Explanation

    Only a SOC 1 Type 2 report includes tests of controls and evidence of operating effectiveness over a period. Type 1 covers only design suitability as of a date. SOC 2 covers operational and security controls, not ICFR controls. SOC 3 provides only a short-form conclusion without detail. A bridge letter is not a substitute for independent operating effectiveness evidence.