What is the primary difference between a SOC 2® Type I and a SOC 2® Type II report?

Answer options:

Type I is for financial controls; Type II is for security.

Type I reports on design at a point in time; Type II reports on design and operating effectiveness over a period of time.

Type I is for management use only; Type II is for public use.

Type I covers 6 months; Type II covers 12 months.

How to approach this question

Type I = Design (Date). Type II = Operating Effectiveness (Period).

Full Answer

B.Type I reports on design at a point in time; Type II reports on design and operating effectiveness over a period of time.✓ Correct

A Type I report looks at the design of controls at a specific date. A Type II report looks at the design AND operating effectiveness (did they actually work?) over a specified period (e.g., 6 months).

Common mistakes

Confusing SOC 1/2 with Type I/II.

Question 48 All questions Question 50

Practice the full CPA ISC Practice Exam 4

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...Hard Q02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...Hard Q03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...Hard Q04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...Hard Q05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard

View all 82 questions →