CPA ISC: SOC Engagements and Report Scope

Try 10 focused Certified Public Accountant Information Systems and Controls (CPA ISC) questions on SOC engagement scope, criteria, complementary controls, report types, and user-entity reliance.

CPA means Certified Public Accountant. ISC means Information Systems and Controls. Use this focused page when your CPA ISC misses are about SOC engagement scope, report type, criteria, complementary controls, subservice organizations, or user-entity reliance. Drill this topic before returning to mixed practice.

Use the CPA ISC practice route for timed mocks, topic drills, progress tracking, explanations, and full practice.

Topic snapshot

Field | Detail
Exam route | CPA ISC
Issuer | American Institute of Certified Public Accountants (AICPA)
Topic area | Considerations for System and Organization Controls Engagements
Blueprint weight | 20%
Page purpose | SOC-reporting practice for report types, criteria, complementary controls, subservice organizations, and user reliance

What this topic tests

This topic tests whether you understand how system and organization controls engagements are scoped, reported, and used. Strong answers identify the service organization, user entity, complementary user-entity controls, report type, criteria, period covered, and intended use.

Common traps

  • confusing SOC 1 and SOC 2 objectives
  • treating Type 1 and Type 2 reports as if they cover the same evidence period
  • ignoring complementary user-entity controls or subservice-organization facts
  • assuming a report can be used for any purpose regardless of scope and criteria

How to reason through these questions

First decide who will rely on the report and why. Then identify the report type, subject matter, criteria, period, and controls covered. If an answer overstates what the report supports, it is usually wrong.

How to use this topic drill

Use this page to isolate Considerations for System and Organization Controls Engagements for CPA ISC. Work through the 10 questions first, then review the explanations and return to mixed practice in Mastery Exam Prep.

Pass | What to do | What to record
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 20% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original Mastery Exam Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Considerations for System and Organization Controls Engagements

A cloud-based document management provider wants an attestation report to share with current and prospective business customers that need detailed information about controls supporting the provider’s security and confidentiality commitments. Which characterization is most appropriate?

  • A. A SOC 2 report for management, user entities, and other specified parties who need detail about controls relevant to service commitments and Trust Services Criteria
  • B. A SOC 3 report for management, user entities, and other specified parties who need detailed test results on controls over security and confidentiality
  • C. A general-use SOC 2 report for the public to compare service organizations’ controls over security and confidentiality
  • D. A SOC 1 report for current and prospective customers evaluating controls over security and confidentiality unrelated to financial reporting

Best answer: A

What this tests: Considerations for System and Organization Controls Engagements

Explanation: The best characterization is a SOC 2 report for management, user entities, and specified parties needing detailed information about controls tied to service commitments and the Trust Services Criteria. SOC 2 is restricted-use, unlike SOC 3, which is designed for general use and gives less detail.

SOC 2 reports address controls at a service organization that are relevant to one or more Trust Services Criteria, such as security, availability, processing integrity, confidentiality, and privacy. Their purpose is to provide detailed information about whether controls are suitably designed and, in a type 2 report, operated effectively to meet the service organization’s service commitments and system requirements. Because that detail can be misunderstood without context, SOC 2 reports are intended for management, user entities, and specified parties that have sufficient knowledge and understanding of the system. They are not general-use reports for the public.

  • The SOC 3 choice is tempting because it also relates to the Trust Services Criteria, but SOC 3 is a general-use summary and does not provide detailed control descriptions and test results.
  • The SOC 1 choice is wrong because SOC 1 focuses on controls relevant to user entities’ internal control over financial reporting, not broader security or confidentiality commitments.
  • The general-use SOC 2 choice is incorrect because SOC 2 is restricted-use, even when customers and prospects may receive it as specified parties.
  • The correct SOC 2 characterization fits a service organization seeking detailed assurance over security and confidentiality commitments for informed business users.

SOC 2 is a restricted-use report that provides detailed information about controls relevant to meeting service commitments and the Trust Services Criteria.


Question 2

Topic: Considerations for System and Organization Controls Engagements

A payroll processing company calculates employee pay, withholds taxes, remits payroll taxes, and sends clients a file used to post payroll expense and payroll liabilities to the general ledger. The company’s customers have asked for an independent report that their financial statement auditors can use. The auditors want assurance about management’s description of the system and about the suitability of design and operating effectiveness of the controls from January 1 through December 31, 20X5.

How should this report be characterized?

  • A. A restricted-use SOC 1 Type 2 report on controls relevant to user entities’ internal control over financial reporting, with opinions on the system description, the suitability of design, and operating effectiveness over the period
  • B. A general-use SOC 3 report on controls relevant to the Trust Services Criteria, with a short auditor’s report and no detailed description of tests
  • C. A restricted-use SOC 1 Type 1 report on controls relevant to user entities’ internal control over financial reporting, with opinions on the system description and the suitability of design as of year-end
  • D. A restricted-use SOC 2 Type 2 report on controls relevant to the Trust Services Criteria, with opinions on the system description, design, and operating effectiveness over the period

Best answer: A

What this tests: Considerations for System and Organization Controls Engagements

Explanation: The payroll processor’s controls affect clients’ financial statement amounts, so the appropriate framework is SOC 1, not SOC 2 or SOC 3. Because the users want assurance on operating effectiveness throughout the year, the report must be Type 2 rather than Type 1.

SOC 1 reports address controls at a service organization that are relevant to user entities’ internal control over financial reporting. Here, the payroll company processes transactions and produces files used to record payroll expense and liabilities, so the controls are directly relevant to customers’ financial reporting. A Type 1 report covers the fairness of the system description and the suitability of design as of a specified date only. A Type 2 report adds an opinion on whether controls operated effectively throughout a specified period. Because the request is for user auditors and concerns ICFR over January 1 through December 31, 20X5, the correct characterization is a restricted-use SOC 1 Type 2 report.

  • A SOC 1 Type 1 report is too limited because it addresses design as of a date, not operating effectiveness across the year.
  • A SOC 2 Type 2 report is the wrong subject matter because it reports on Trust Services Criteria rather than controls relevant to user entities’ financial reporting.
  • A SOC 3 report is also based on the Trust Services Criteria and is a general-use summary, so it does not provide the detailed ICFR-focused reporting user auditors need.

The service affects customers’ financial reporting, and the request covers operating effectiveness throughout a period, which is the hallmark of a restricted-use SOC 1 Type 2 report.


Question 3

Topic: Considerations for System and Organization Controls Engagements

A service auditor is completing a SOC 2 Type 2 examination for the period January 1-December 31, 20X5. The planned report date is February 20, 20X6.

On February 10, 20X6, the service organization discovers unauthorized access to a production server. Management’s investigation shows that, because of a configuration change made on November 18, 20X5, multi-factor authentication was disabled for privileged administrator accounts from November 18, 20X5, through February 10, 20X6. One control tested for the report states that all privileged administrator access requires multi-factor authentication throughout the period.

What should the service auditor do next?

  • A. Treat the matter only as a post-period incident and add disclosure about the February intrusion without changing testing or conclusions.
  • B. Exclude the matter from the current engagement because the unauthorized access was discovered after December 31 and address it in the next SOC 2 report.
  • C. Expand testing to include January and February so the report covers the date the incident was discovered.
  • D. Evaluate whether the February discovery provides evidence about a condition that existed during the examination period, perform additional procedures on the affected control, and revise the report if needed.

Best answer: D

What this tests: Considerations for System and Organization Controls Engagements

Explanation: The correct next step is to determine whether the event identified before the report date relates to conditions that existed during the period under examination. Here, MFA was disabled beginning in November, so the event may affect control design or operating effectiveness for the current SOC 2 Type 2 report.

In a SOC 1 or SOC 2 engagement, the service auditor considers subsequent events up to the report date to determine whether they could significantly affect the report. The key question is whether the event provides evidence about conditions that existed during the period covered by the report or instead arose only afterward. In this scenario, the unauthorized access was discovered after period end, but the underlying control failure began on November 18 and continued through year-end. That means the matter may affect current-period testing results and the service auditor’s conclusion. The service auditor should perform additional procedures, evaluate the effect on the control and report, and require changes to the description or opinion if necessary.

  • Treating the matter only as a disclosure is premature because the facts indicate the control failure existed during the covered period and may affect the examination conclusion.
  • Excluding the matter from the current engagement is incorrect because discovery after period end does not eliminate the need to evaluate conditions that existed before year-end.
  • Expanding the report period into January and February addresses the wrong issue; the engagement period stays the same, and the focus is whether the later discovery changes conclusions about the stated period.

Because the control failure existed during the covered period and was identified before the report date, it may affect the current SOC 2 conclusions and requires further evaluation.


Question 4

Topic: Considerations for System and Organization Controls Engagements

A SaaS payroll processor is scoping a SOC 2 examination. Management defines the system boundary to include the payroll application, customer SFTP upload portal, production database, and backup environment. The examination will cover Security, Availability, and Confidentiality.

Relevant facts:

  • Customer contracts promise 99.9% monthly uptime for the payroll application.
  • Contracts state customer payroll files are confidential and encrypted at rest.
  • The company’s public recruiting website, which is outside the defined system boundary, allows job applicants to request deletion of resumes under the site’s privacy notice.
  • The payroll application uses tax rates entered by each customer. Management has made no commitment that customer-entered rates are accurate.

Which statement is the best interpretation of relevance to the SOC 2 subject matter?

  • A. The absence of a commitment about customer-entered tax rates means Processing Integrity becomes part of the SOC 2 subject matter.
  • B. The confidentiality promise is not relevant because Security already makes a separate Confidentiality subject matter unnecessary.
  • C. The recruiting-site deletion promise is relevant because any organizational privacy commitment belongs in a SOC 2 regardless of system boundary.
  • D. The 99.9% uptime promise is relevant because it is a service commitment tied to Availability, which is in scope.

Best answer: D

What this tests: Considerations for System and Organization Controls Engagements

Explanation: Relevance in a SOC 2 engagement depends on the defined system boundary and the trust services categories included in scope. A contractual uptime promise clearly relates to Availability for the payroll system, so it is relevant subject matter for this engagement.

In SOC 2, relevant commitments and system requirements are evaluated in relation to the defined system and the trust services categories management chooses to cover. Here, the system boundary includes the payroll application and related infrastructure, and the engagement includes Availability. A contractual promise of 99.9% uptime is therefore directly relevant because it expresses how available the system must be for customers.

The confidentiality commitment is also relevant in this scenario, but the statement claiming it is not relevant is incorrect because Confidentiality is separately in scope and is not replaced by Security. The recruiting website’s resume-deletion promise is not automatically relevant because that website is outside the defined system boundary and Privacy is not in scope. Processing Integrity is a separate optional category; it does not become part of the subject matter merely because the system processes data or lacks a specific accuracy commitment.

  • The uptime promise is the best answer because it maps directly to Availability for the in-scope system.
  • Treating Security as a substitute for Confidentiality is incorrect; Confidentiality remains separately relevant when that category is in scope.
  • The recruiting-site deletion promise is not automatically relevant because it concerns an out-of-boundary system and a Privacy matter not included here.
  • Processing Integrity does not become in scope by default just because the application processes customer data or lacks an accuracy commitment.

An uptime commitment directly relates to the Availability subject matter for the defined system and is therefore relevant to the SOC 2 engagement.


Question 5

Topic: Considerations for System and Organization Controls Engagements

An outsourced payroll processor tells user entities’ external auditors that the processor’s SOC 3 report should be used to evaluate controls over payroll processing that affect the user entities’ financial statements. What is the best correction to this reporting approach?

  • A. Continue using the SOC 3 report because general-use reports are sufficient when payroll controls are operated by a service organization.
  • B. Provide a restricted-use SOC 1 report for management of the service organization, user entities, and user auditors because it addresses controls relevant to user entities’ internal control over financial reporting.
  • C. Provide a SOC 2 report because trust services criteria reports are the primary reports for user auditors assessing financial statement impact.
  • D. Provide a SOC for Cybersecurity report because enterprise cybersecurity reporting replaces SOC 1 when payroll data are sensitive.

Best answer: B

What this tests: Considerations for System and Organization Controls Engagements

Explanation: The issue is that the wrong SOC report is being used for a financial-reporting purpose. When a service organization’s controls are relevant to user entities’ financial reporting, the appropriate report is SOC 1, intended for management of the service organization, user entities, and user auditors rather than the general public.

SOC 1 reports are used when a service organization’s controls may affect a user entity’s internal control over financial reporting. Typical intended users are management of the service organization, user entities, and user auditors, so the report is not designed for unrestricted public distribution. In this scenario, payroll processing affects amounts and disclosures in user entities’ financial statements, so a SOC 1 report is the appropriate report. A SOC 2 report addresses controls relevant to trust services criteria such as security, availability, processing integrity, confidentiality, or privacy, not specifically controls relevant to user entities’ financial reporting. A SOC 3 report is a general-use summary of a SOC 2 examination and is not the right report for user auditors evaluating financial-reporting effects.

  • The restricted-use SOC 1 response is correct because payroll controls can affect user entities’ financial reporting.
  • The SOC 2 response is tempting because payroll systems involve security and processing controls, but SOC 2 is not the report focused on user entities’ ICFR.
  • The SOC 3 response fails because SOC 3 is a general-use report and lacks the purpose and audience needed for user auditors assessing financial-reporting controls.
  • The SOC for Cybersecurity response overstates the issue; that report covers the entity’s cybersecurity risk management program, not service-organization controls relevant to user entities’ financial reporting.

SOC 1 is the report designed for service-organization controls relevant to user entities’ financial reporting and is intended for management, user entities, and user auditors.


Question 6

Topic: Considerations for System and Organization Controls Engagements

ArborHR is preparing a SOC 2 report for its hosted HR records platform.

Draft scope and facts:

  • Trust services categories: Security and Confidentiality
  • Service provided: host, store, and transmit employee data for customers
  • Contract responsibility: customers, not ArborHR, obtain any required employee consent for data collection and use

Draft “relevant commitment and system requirement”:

  • “Obtain each employee’s consent before collecting, using, and disclosing personal information.”

What is the best correction to the draft?

  • A. Retain the statement but present it as a complementary user entity control in the current report.
  • B. Remove the consent statement from the listed relevant commitments and system requirements unless the engagement is expanded to include Privacy.
  • C. Expand the report to all trust services categories because personal information is in scope.
  • D. Retain the statement and add more testing of encryption, access, and logging controls.

Best answer: B

What this tests: Considerations for System and Organization Controls Engagements

Explanation: The best correction is to remove the consent requirement from the relevant SOC 2 subject matter unless Privacy is added to scope. This report covers only Security and Confidentiality, and the facts say customers—not the service organization—are responsible for obtaining consent.

In a SOC 2 engagement, management should identify only those commitments, system requirements, and criteria that are relevant to the subject matter being reported on. Security and Confidentiality focus on protecting systems and information from unauthorized access, use, or disclosure. Privacy is different: it addresses commitments and system requirements related to the collection, use, retention, disclosure, and disposal of personal information. Here, the draft statement is about obtaining employee consent before collecting and using personal information, which is a Privacy matter. The facts also say that customers, not ArborHR, have that responsibility. Therefore, the statement should not be presented as a relevant commitment or system requirement for this Security-and-Confidentiality-only SOC 2 unless management chooses to include Privacy in scope.

  • Adding encryption, access, and logging tests addresses protection controls, but it does not make a consent obligation relevant to the scoped subject matter.
  • Presenting consent collection as a complementary user entity control is inappropriate because it is not a user control needed to satisfy the scoped Security and Confidentiality criteria.
  • Expanding to all trust services categories is an overreaction; a SOC 2 may cover only selected categories, and the presence of personal information does not automatically require Privacy scope.

Consent for collecting, using, and disclosing personal information is a Privacy subject-matter commitment, not automatically relevant to a SOC 2 limited to Security and Confidentiality.


Question 7

Topic: Considerations for System and Organization Controls Engagements

A CPA is helping a SaaS payroll provider prepare for a SOC 2 examination. Management wants the report to cover the trust services categories of security and availability only, not privacy. A staff associate says the control matrix should exclude the common criteria because those apply only to security. Which response is correct?

  • A. The matrix should include only the availability-specific supplemental criteria because category-specific criteria replace the common criteria when that category is examined.
  • B. The Trust Services Criteria evaluate controls for the scoped categories, so the matrix should include the COSO-aligned common criteria and the availability-specific supplemental criteria.
  • C. The matrix should include only the common criteria because once security is in scope, no supplemental criteria are added for other selected categories.
  • D. The matrix should include the common criteria and the privacy-specific criteria because any SOC 2 engagement involving customer data must cover privacy.

Best answer: B

What this tests: Considerations for System and Organization Controls Engagements

Explanation: The correct response is to use the common criteria plus the availability-specific supplemental criteria. The common criteria are organized around COSO concepts and serve as the foundation across scoped trust services categories, while availability adds its own criteria when that category is included.

The Trust Services Criteria provide the benchmark for evaluating whether controls address the trust services categories included in a SOC 2 engagement. The common criteria are the foundational set and are organized in alignment with COSO components and principles, so they are not limited to security alone. When additional categories such as availability, confidentiality, or processing integrity are in scope, their category-specific supplemental criteria are added to the common criteria. Privacy is also a separate category with its own additional criteria, but it is included only when privacy is part of the engagement scope. In this scenario, because the report covers security and availability only, the control matrix should include the common criteria and the availability-specific criteria, but not privacy-specific criteria.

  • Using only the availability-specific criteria is incorrect because supplemental criteria add to the common criteria; they do not replace them.
  • Using only the common criteria is incorrect because availability in scope requires the additional availability criteria.
  • Adding privacy-specific criteria is incorrect because privacy is a separate scoped category, not an automatic part of every SOC 2 engagement involving customer data.

Common criteria are the COSO-aligned foundation for scoped categories, and availability adds supplemental criteria rather than replacing them.


Question 8

Topic: Considerations for System and Organization Controls Engagements

A CPA is evaluating a SOC 1 Type 2 report for a payroll processor. The CPA concludes that the complementary user entity controls identified by service organization management in the system description are intended to tell user entities which controls they must perform because the payroll processor’s controls assume those controls are in place. Which source best supports that conclusion?

  • A. A vulnerability assessment summary showing that the payroll processor remediated all critical internet-facing weaknesses.
  • B. A year-end privileged-access listing showing the payroll processor’s internal administrators and their assigned system roles.
  • C. A system description excerpt stating that user entities must approve employee master-file changes, restrict payroll portal access to authorized personnel, and review payroll exception reports for the control objectives to be achieved.
  • D. A change-management record documenting a tax-table software update, testing results, and production approval.

Best answer: C

What this tests: Considerations for System and Organization Controls Engagements

Explanation: The system description excerpt is best because it explicitly ties user-entity actions to the achievement of the service organization’s control objectives. That is the purpose of complementary user entity controls: to communicate assumed customer responsibilities that must work with the service organization’s controls.

Complementary user entity controls are not controls performed by the service organization. They are controls that management expects user entities to have in place so the service organization’s controls can operate effectively and the stated control objectives can be achieved. Therefore, the best supporting source is one that explicitly identifies responsibilities at the user entity level and links them to the service organization’s objectives, such as approving master-file changes, limiting access, or reviewing exception reports. Internal evidence about the service organization’s own access, software changes, or vulnerability status may support other conclusions about security or operations, but it does not explain why CUECs appear in the system description.

  • A privileged-access listing shows the service organization’s own access structure, not controls expected at user entities.
  • A change-management record supports a conclusion about program change controls, not the purpose of communicating user-entity responsibilities.
  • A vulnerability assessment summary supports a conclusion about security condition at the service organization, not about complementary controls that customers must perform.

This source directly identifies controls to be performed by user entities and shows that the service organization’s control objectives depend on those controls.


Question 9

Topic: Considerations for System and Organization Controls Engagements

A service organization is preparing for a SOC 2 examination covering security, availability, and confidentiality. Management asks why some Trust Services Criteria are called common criteria and others are called additional criteria. Which statement best explains the distinction?

  • A. Common criteria apply only to security, while additional criteria are used instead of common criteria for any other category in scope.
  • B. Common criteria are selected by management, while additional criteria are selected by the practitioner after control testing begins.
  • C. Common criteria apply to every category in scope, while additional criteria supplement them for any included category such as availability, processing integrity, confidentiality, or privacy.
  • D. Common criteria are limited to broad entity-level controls, while additional criteria are the only criteria evaluated for application and data controls.

Best answer: C

What this tests: Considerations for System and Organization Controls Engagements

Explanation: The best distinction is that common criteria are the baseline criteria used across the categories in scope, and additional criteria are added only when reporting on subject matters such as availability or confidentiality. They work together rather than replacing one another.

In a SOC 2 engagement, the common criteria are the cross-cutting Trust Services Criteria that support the security category and are also relevant when other categories are included. If the engagement also covers availability, processing integrity, confidentiality, or privacy, the practitioner evaluates the common criteria plus the additional criteria for those specific categories. The key distinction is therefore scope: common criteria are broadly applicable, while additional criteria are subject-matter-specific supplements. They are not optional choices made after testing, and they do not replace the common criteria when another category is added.

  • The statement that common criteria apply only to security is wrong because those criteria still apply when other categories are included; they are supplemented, not replaced.
  • The statement that common criteria are only entity-level is too narrow; common criteria can relate to multiple layers of controls, not just broad governance controls.
  • The statement that management or the practitioner selects the criteria after testing is incorrect; the applicable criteria are determined by the categories included in the engagement scope.

Common criteria are cross-cutting criteria used across categories, and additional criteria are added only for the specific subject matters included beyond the common criteria.


Question 10

Topic: Considerations for System and Organization Controls Engagements

A user entity’s external financial statement auditor is assessing a payroll processor. The auditor wants source material that best supports this conclusion:

“The report is relevant to controls affecting user entities’ internal control over financial reporting, is intended for user auditors rather than the general public, identifies an exception in the service organization’s quarterly user-access review control, and does not cover the cloud hosting provider’s controls because that subservice organization was carved out.”

Which excerpt best supports that conclusion?

  • A. SOC 3 report for the period January 1 through December 31. General use report stating the system achieved the applicable trust services criteria. The report does not provide detailed test results or disclose the subservice organization method.
  • B. Independent service auditor’s report: SOC 1, Type 2, for the period January 1 through December 31. Restricted use by management of the service organization, user entities, and user auditors. The cloud hosting provider is a carved-out subservice organization. Tests of controls found 1 of 4 quarterly user-access reviews was completed late.
  • C. Independent service auditor’s report: SOC 2, Type 2, for the period January 1 through December 31, on security and confidentiality. Restricted use by management, customers, and business partners. The cloud hosting provider is included using the inclusive method. No logical-access exceptions were noted.
  • D. Independent service auditor’s report: SOC 1, Type 1, as of December 31. Restricted use by management of the service organization, user entities, and user auditors. The cloud hosting provider is a carved-out subservice organization. The description states quarterly user-access reviews are designed and implemented.

Best answer: B

What this tests: Considerations for System and Organization Controls Engagements

Explanation: The best support is the SOC 1 Type 2 excerpt with restricted use, a carve-out subservice organization, and a documented access-review deviation. Those facts directly support the conclusion about ICFR relevance, intended user, the control exception, and exclusion of the hosting provider’s controls.

For a user entity’s financial statement auditor, the relevant report is SOC 1 because it addresses controls that may affect user entities’ internal control over financial reporting. Type 2 is necessary when the conclusion depends on operating effectiveness over a period and on an identified control deviation, because Type 1 covers design at a point in time only. The carve-out method means the subservice organization’s controls are excluded from the scope of the service auditor’s testing, so the cloud hosting provider’s controls are not covered by the report. Restricted-use language also matters: SOC 1 reports are intended for management of the service organization, user entities, and user auditors, not for the general public.

  • The SOC 2 Type 2 excerpt is about trust services criteria, not ICFR, and it says the hosting provider is included under the inclusive method with no exception noted.
  • The SOC 1 Type 1 excerpt has the right report family and carve-out method, but it does not provide operating-effectiveness testing or a tested exception over a period.
  • The SOC 3 excerpt is general use and too high level; it does not give the detailed testing results or subservice-method disclosure needed for this conclusion.

This excerpt matches ICFR relevance, restricted intended users, a reported control exception, and carve-out treatment of the subservice organization.

Continue with full practice

Use the CPA ISC Practice Test page for the full practice route, mixed-topic practice, timed mock exams, and explanations.

Free review resource

Read the CPA ISC guide on CPAExamsMastery.com, then return to Mastery Exam Prep for timed practice.

Revised on Wednesday, May 13, 2026