CPA Exam Lab
All patterns
SOC engagements

The SOC Mechanics

Know the roles and ownership: the service organization writes the description and assertion, the auditor opines, and CUECs sit with the user.

How the exam words it

The playbook

  1. 1Assign the roles: management of the service organization owns the system description and the written assertion, and the service auditor examines them and issues the opinion.
  2. 2Handle subservice organizations by method: carve-out excludes their controls from the description and scope, while the inclusive method folds them in.
  3. 3Treat CUECs as controls the report assumes the user entity operates; without them the service organization's controls may not achieve the objectives.
  4. 4Remember that only a Type 2 report includes tests of controls and their results over a period, and that points of focus are illustrative, not a checklist to test one by one.

The trap

Thinking the service auditor writes the description, or that a carved-out subservice is still tested. Management owns the description, and a carve-out is excluded from the auditor's scope.

How the exam varies it

The same pattern, re-skinned along these axes:

Role and ownership: description and assertion versus opinionCarve-out versus inclusive method for subservice organizationsCUECs, points of focus, and Type 2-only tests of controls

Drill this pattern

8 questions of The SOC Mechanics from across the AUD topics. Clear it by getting 5 right with a streak of 3.

Shows up in 3 ISC topics