CPA Exam Lab
All patterns
SOC engagements

The SOC Selector

Match scenario to report: SOC 1 for financial reporting, SOC 2 restricted, SOC 3 public, then pick the Type and trust services category.

How the exam words it

The playbook

  1. 1Pick SOC 1 when the service affects user financial reporting (ICFR), and SOC 2 when the concern is operational trust services; both are restricted-use.
  2. 2Choose SOC 3 for a public, general-use summary of the same SOC 2 subject matter, and SOC for Cybersecurity for an entity-wide risk-management report.
  3. 3Select Type 1 for control design at a point in time and Type 2 for operating effectiveness tested over a period; only Type 2 gives assurance on effectiveness.
  4. 4Map the concern to the trust services category: security (the common criteria) is always included, then add availability, processing integrity, confidentiality, or privacy as relevant.

The trap

Reaching for SOC 1 whenever controls are outsourced. SOC 1 is only for controls relevant to user financial reporting; operational concerns call for SOC 2 or a public SOC 3.

How the exam varies it

The same pattern, re-skinned along these axes:

Which report: SOC 1, SOC 2, SOC 3, or SOC for CybersecurityType 1 (design) versus Type 2 (operating effectiveness)Trust services category selection and general versus restricted use

Drill this pattern

8 questions of The SOC Selector from across the AUD topics. Clear it by getting 5 right with a streak of 3.

Shows up in 2 ISC topics