True or False - Dual inquiry is required when a test also references a policy
FALSE. Dual inquiry is only required when there is nothing else included in the test result.
True or False - SOC 1 and SOC 2 reports can include a penetration test control if the test is performed by Wolf & Company.
FALSE - SOC reports cannot include controls that test other audits performed by Wolf.
This is the only Trust Services Criterion required for every SOC 2 audit.
Security
SOC 2 Type 2 period June 1, 2024 to December 30, 2024
Control states: Logical access to the technologies supporting the system is restricted to appropriate personnel who require access to perform their job functions.
The following document was provided for the user list. Is this appropriate?
No. The screenshot is not complete.
This is the formal term for describing control failures that have a material effect but still allow a report to be issued, though not without reservation.
What is a qualified opinion?
Controls that are checked by auditors to confirm they are functioning consistently over time are being tested for this.
What is operating effectiveness?
Password policies, firewalls, and background checks are all examples of this kind of control category.
What are preventative controls?
This criterion focuses on whether a system is accessible for operation and use as committed.
Availability
SOC 2 Type 2 with audit period January 1, 2024 to December 31, 2024.
Control states: Subservice organizations are reviewed on an annual basis.
Are the screenshots appropriate?
No. The screenshots do not show evidence of the SOC review.
In a SOC 2 Type II report, this specific section must list any deviations or exceptions identified during control testing.
What is the test of controls section or results of tests section?
This document — signed by client leadership — basically says, “We believe our description and controls are accurate.”
What is the Management Assertion?
True or False - SOC 2 reports must contain the following control:
The Company has defined a network diagram that outlines the boundaries of the system.
True. The updated AICPA Trust Services Criteria now require SOC 2 reports to contain a control testing that the Company has formally documented the boundaries of the system.
This criterion ensures that sensitive business or personal information is protected from unauthorized access or disclosure.
Confidentiality
SOC 2 Type 2 with a period June 1, 2024 to December 31, 2024
Control states: Product developments are documented in tickets that include design specifications, risks, back-out plans, and approval.
The following evidence was provided for the list of product developments. Is this appropriate? Provide a reasoning for why/why not.
No. The evidence provided looks manual, does not include any useful info (change #s), there is a typo (44/2024), and the dates are not all in the audit period.
If a service organization's control environment heavily relies on the users’ implementation of specific controls, this must be disclosed under this part of the SOC 2 report.
What is the complementary user entity controls (CUECs) section?
To properly SOC it to your customers, this document must clearly explain what your systems do and how your controls are set up.
What is the system description?
True or False: The Trust Services Criteria for availability ensure that an organization's system is always up and running with no downtime.
What is FALSE — availability addresses reliable system operation, not 100% uptime.
This Trust Services Criterion involves the protection of personal information in accordance with organization commitments and regulatory requirements.
Privacy
SOC 2 Type 1 as of March 31, 2025
Control states: Employees are required to acknowledge a confidentiality agreement, Employee Manual, and IT Security Policy upon hire and when they are updated.
Evidence of the signed Employee Manual and IT Security Policy was provided for a new hire. The attached doc was provided for the confidentiality agreement. Is this appropriate?
No. The confidentiality agreement is included within the Employee Manual. The control should be updated to state:
Employees are required to acknowledge the Employee Manual and IT Security Manual upon their hire. The Employee Manual includes a confidentiality agreement.
When a service organization includes controls from a third-party subservice provider within the scope of their SOC 2 examination, it is using this reporting method.
What is the inclusive method?
It’s the name of the third-party firm that has to conduct the SOC 2 audit — and it must meet this professional licensing requirement.
What is a licensed CPA firm?
This SOC 2 common criterion demands that all system changes be formally documented, tested, and approved before implementation to production environments.
Which common criterion does this relate to AND what 2 types of changes are included?
CC8.0 - Change Management
Infrastructure related changes AND developments
This criterion ensures that systems process data accurately, completely, and in a timely manner.
Processing Integrity
SOC 2 Type 1 as of April 30, 2025
Control states:
A SIEM is in place to monitor access to the production environment. The SIEM is configured to generate a JIRA ticket when defined security events are detected.
Is the provided screenshot appropriate?
No. The screenshot provided is for performance and capacity monitoring.
The SOC 2 Trust Services Criteria include "Common Criteria" (CC) numbered from CC1.0 to CC9.2. The CC7.1 criterion specifically addresses what aspect of cybersecurity management?
What is system operations or monitoring for security events?