A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud deployment model hosted in their own data center. Which of the following statements accurately describes the auditor's responsibility regarding the infrastructure in this scenario?

Answer options:

The auditor can rely on the cloud provider's SOC 2 report for physical security controls.

The auditor must test the physical security controls of the data center as part of the engagement.

Physical security is outside the scope of SOC 2 engagements focused on Security and Availability.

The auditor should apply the carve-out method for the infrastructure components.

How to approach this question

Determine who owns the infrastructure. Private cloud on-premise = Entity owns it. Therefore, Auditor tests it.

Full Answer

B.The auditor must test the physical security controls of the data center as part of the engagement.✓ Correct

In a private cloud hosted on-premise, the organization retains full control and responsibility for the hardware and physical environment. Therefore, the auditor cannot rely on a third-party report and must test these controls directly.

Common mistakes

Assuming 'Cloud' always implies a third-party vendor (AWS/Azure).

Question 04 All questions Question 06

Practice the full CPA ISC Practice Exam

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is performing a risk assessment for a client that uses a public cloud provider for its core...Hard Q02During a walkthrough of a client's change management process, the auditor notes that developers h...Hard Q03A service organization provides a real-time transaction processing platform. The service level ag...Hard Q04An auditor is reviewing a SQL query used by the finance team to generate a report of all sales tr...Hard Q06An auditor is evaluating the design of a disaster recovery plan (DRP). The organization uses a 'd...Hard

View all 82 questions →