nerdexam
(ISC)2

CISSP · Question #548

Which of the following is true of Service Organization Control (SOC) reports?

The correct answer is B. SOC 2 Type 2 reports include information of interest to the service organization's management. SOC reports are auditing standards developed by the AICPA to evaluate and report on internal controls at service organizations. Understanding the differences between SOC 1, SOC 2, and SOC 3 report types is essential for IT and security professionals.

Submitted by the_admin· Mar 5, 2026Security and Risk Management

Question

Which of the following is true of Service Organization Control (SOC) reports?

Options

  • ASOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an
  • BSOC 2 Type 2 reports include information of interest to the service organization's management
  • CSOC 2 Type 2 reports assess internal controls for financial reporting
  • DSOC 3 Type 2 reports assess internal controls for financial reporting

How the community answered

(33 responses)
  • A
    3% (1)
  • B
    91% (30)
  • C
    6% (2)

Why each option

SOC reports are auditing standards developed by the AICPA to evaluate and report on internal controls at service organizations. Understanding the differences between SOC 1, SOC 2, and SOC 3 report types is essential for IT and security professionals.

ASOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an

SOC 1 reports specifically assess internal controls over financial reporting (ICFR), not security, confidentiality, integrity, and availability - those Trust Services Criteria are evaluated under SOC 2 reports.

BSOC 2 Type 2 reports include information of interest to the service organization's managementCorrect

SOC 2 Type 2 reports evaluate the operating effectiveness of controls related to security, availability, processing integrity, confidentiality, and privacy over a defined period of time. These reports are intended for a broad audience including management, customers, and business partners who need detailed information about the service organization's controls, making it accurate that they include information of interest to the service organization's management and its user entities.

CSOC 2 Type 2 reports assess internal controls for financial reporting

SOC 2 reports assess controls related to the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), not internal controls for financial reporting, which is the scope of SOC 1 reports.

DSOC 3 Type 2 reports assess internal controls for financial reporting

There is no 'SOC 3 Type 2' classification - SOC 3 reports are general-use summary reports based on the same Trust Services Criteria as SOC 2 but do not contain the detailed control descriptions, and they do not assess internal controls for financial reporting.

Concept tested: Differences between SOC 1, SOC 2, and SOC 3 reports

Source: https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services

Topics

#SOC reports#third-party risk#auditing standards#service organizations

Community Discussion

No community discussion yet for this question.

Full CISSP Practice