SOC engagements
The SOC Selector
Match scenario to report: SOC 1 for financial reporting, SOC 2 restricted, SOC 3 public, then pick the Type and trust services category.
How the exam words it
- -The stem describes a user's need and asks which SOC report fits, contrasting SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity.
- -It asks whether a report should be a Type 1 (design at a point in time) or a Type 2 (design and operating effectiveness over a period).
- -It names a concern (security, availability, processing integrity, confidentiality, privacy) and asks which trust services category applies.
- -It describes who may read the report and asks whether general use (SOC 3) or restricted use (SOC 1 or 2) is appropriate.
The playbook
- 1Pick SOC 1 when the service affects user financial reporting (ICFR), and SOC 2 when the concern is operational trust services; both are restricted-use.
- 2Choose SOC 3 for a public, general-use summary of the same SOC 2 subject matter, and SOC for Cybersecurity for an entity-wide risk-management report.
- 3Select Type 1 for control design at a point in time and Type 2 for operating effectiveness tested over a period; only Type 2 gives assurance on effectiveness.
- 4Map the concern to the trust services category: security (the common criteria) is always included, then add availability, processing integrity, confidentiality, or privacy as relevant.
The trap
Reaching for SOC 1 whenever controls are outsourced. SOC 1 is only for controls relevant to user financial reporting; operational concerns call for SOC 2 or a public SOC 3.
How the exam varies it
The same pattern, re-skinned along these axes:
Which report: SOC 1, SOC 2, SOC 3, or SOC for CybersecurityType 1 (design) versus Type 2 (operating effectiveness)Trust services category selection and general versus restricted use
Drill this pattern
8 questions of The SOC Selector from across the AUD topics. Clear it by getting 5 right with a streak of 3.