A service auditor is engaged to perform a SOC 2® examination. The client requests that the report focus solely on the security of the system and not on availability, processing integrity, confidentiality, or privacy. Is this permissible?

Answer options:

No, all five Trust Services Criteria must be included in a SOC 2® report.

Yes, Security is the only mandatory Trust Services Criterion.

No, Availability is also mandatory for all cloud service providers.

Yes, but the report must be titled SOC 3® instead.

How to approach this question

Recall the structure of Trust Services Criteria (TSC).

Full Answer

B.Yes, Security is the only mandatory Trust Services Criterion.✓ Correct

The Security criterion (Common Criteria) is the foundation of SOC 2. Availability, Processing Integrity, Confidentiality, and Privacy are optional categories added based on the system's commitments.

Common mistakes

Believing all 5 criteria are required.

Question 06 All questions Question 08

Practice the full CPA ISC Practice Exam 2

82 questions · hints · full answers · grading

More questions from this exam

Q01A service organization provides a cloud-based payroll platform where clients access the software ...Medium Q02An auditor is reviewing the backup strategy for a financial institution that requires a Recovery ...Hard Q03During a walkthrough of the change management process, an auditor observes that developers have w...Medium Q04An auditor is reviewing a SQL query used to generate a list of active customers for a marketing c...Hard Q05Which of the following entities is considered a 'Covered Entity' under the HIPAA Privacy Rule?Medium

View all 82 questions →