nerdexam
(ISC)2

CISSP · Question #973

While reviewing the financial reporting risks of a third-party application, which of the following Service Organization Control (SOC) reports will be the MOST useful?

The correct answer is A. ISIsOC 1. ISIsOC 1 is the most useful Service Organization Control (SOC) report for reviewing the financial reporting risks of a third-party application, because it focuses on the internal controls over financial reporting (ICFR) of the service organization. ISIsOC 1 reports are based on t

Submitted by stefanr· Mar 5, 2026Security and Risk Management

Question

While reviewing the financial reporting risks of a third-party application, which of the following Service Organization Control (SOC) reports will be the MOST useful?

Options

  • AISIsOC 1
  • BSOC 2
  • CSOC 3
  • DSOC for cybersecurity

How the community answered

(29 responses)
  • A
    86% (25)
  • B
    3% (1)
  • C
    3% (1)
  • D
    7% (2)

Explanation

ISIsOC 1 is the most useful Service Organization Control (SOC) report for reviewing the financial reporting risks of a third-party application, because it focuses on the internal controls over financial reporting (ICFR) of the service organization. ISIsOC 1 reports are based on the Statement on Standards for Attestation Engagements (SSAE) No. 18, and can be either Type 1 or Type 2, depending on whether they provide a point-in-time or a period-of-time evaluation of the controls. SOC 2, SOC 3, and SOC for cybersecurity reports are based on the Trust Services Criteria, and cover different aspects of the service organization's security, availability, confidentiality, processing integrity, and privacy. They are not specifically designed for financial reporting risks.

Topics

#SOC reports#Third-party risk management#Financial reporting controls#Vendor assessment

Community Discussion

No community discussion yet for this question.

Full CISSP Practice