Section 3: 15–25%
Types of SOC Engagements (SOC 1, 2, and 3)
Exam Insight
Service organizations (payroll processors, SaaS providers, data centers) handle data and processes that affect their customers, and the ISC section heavily tests which SOC report fits which need. Knowing the purpose, subject matter, and intended users of each SOC report is foundational to nearly every other ISC topic.
CPA Exam Lab is an independent study resource and is not affiliated with, endorsed by, or sponsored by the AICPA® or NASBA. Practice questions are original content created for study purposes. “CPA” is a registered trademark of the AICPA.
What AICPA Wants You to Know
1. Distinguish SOC 1, SOC 2, and SOC 3 engagements by subject matter and intended users.
2. Explain the difference between a Type 1 report (design only) and a Type 2 report (design and operating effectiveness).
3. Define service organization, user entity, subservice organization, and complementary user entity controls.
4. Compare the carve-out method and the inclusive method for handling subservice organizations.
5. Identify SOC for Cybersecurity and SOC for Supply Chain and how they differ from the core SOC reports.
6. Match a real-world scenario to the appropriate SOC report and report type.