Slayer CPA

SOC engagement types and scope

Area 3: SOC Engagements (15-25%)

Topics

  • SOC 1, SOC 2, SOC 3 distinctions
  • Type I vs. Type II reports
  • Engagement planning and scoping

Lessons

  • SOC Engagements

Study Frameworks

SOC Engagement Types

System and Organization Controls (SOC) Reports

SOC 1
  • Focus: controls relevant to user entities' financial reporting (ICFR)
  • Governed by SSAE 18 / AT-C 320
  • Audience: user entities and their auditors

SOC 2
  • Focus: Trust Services Criteria (SAPCP)
  • Governed by AT-C 205
  • Audience: management, regulators, specified parties (restricted)

SOC 3
  • Focus: same as SOC 2 but general-use report
  • No detailed testing results — summary only
  • Audience: general public (marketing, website seal)

Type I vs. Type II
  • Type I — design of controls at a point in time
  • Type II — design and operating effectiveness over a period (typically 6-12 months)
  • Type II provides more assurance than Type I

Which SOC Report Type to Use

  • Are the controls relevant to user entities' internal control over financial reporting (ICFR)?
      • Yes: Do you need to evaluate operating effectiveness of controls over a period of time?
          • Yes: SOC 1 Type II — controls relevant to ICFR, tested over a period (6-12 months)
          • No: SOC 1 Type I — controls relevant to ICFR, design evaluated at a point in time
      • No: Is the report intended for a restricted audience (management, regulators, specified parties)?
          • Yes: Do you need to evaluate operating effectiveness of controls over a period of time?
              • Yes: SOC 2 Type II — Trust Services Criteria, tested over a period (highest assurance)
              • No: SOC 2 Type I — Trust Services Criteria, design evaluated at a point in time
          • No: SOC 3 — general-use summary report on Trust Services Criteria (suitable for public distribution)

SOC Report Comparison

| Feature | SOC 1 | SOC 2 | SOC 3 |
|---|---|---|---|
| Focus | Controls over financial reporting (ICFR) | Trust Services Criteria (SAPCP) | Trust Services Criteria (summary) |
| Standard | SSAE 18 / AT-C 320 | AT-C 205 | AT-C 205 |
| Audience | User entities and their auditors | Management, regulators, specified parties | General public |
| Distribution | Restricted | Restricted | General use |
| Type I | Design at a point in time | Design at a point in time | N/A (Type II only) |
| Type II | Design + effectiveness over a period | Design + effectiveness over a period | Short-form report based on SOC 2 Type II |
| Typical period | 6-12 months | 6-12 months | Same period as companion SOC 2 Type II |