I'm studying for the CCSP exam and I'm confused by a test prep question in my study materials.

The question reads:

"Which kind of SSAE report comes with a seal of approval from a certified auditor?"

A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4

I chose B. SOC 2 because I figured that as one of the most detailed reports on controls at a service organization, it would certainly need to have some record ("seal") of a reputable auditor performing the study.

The test prep material says I'm wrong though:

C. SOC 2 deals with the CIA triad. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4.

OK, fair enough. I can understand how SOC 3 would be an appropriate answer but why not SOC 2 as well? Is there no attestation on a SOC 2 report by the auditor?

Mike B

1 Answer

A SOC 2 report includes a description of the tests performed by the auditor, the results of those tests, and the auditor’s opinion of the effectiveness of the individual controls and systems. A SOC 3 report does not contain test information and details on the controls in place, but just reports whether the systems meet the requirements of the criteria for the specific trust service.

SOC 3 is commonly used as a “seal of approval” and placed on service providers’ websites and marketing collateral.

The link below gives a more detailed comparison between SOC 1, SOC 2 and SOC 3 reports.

https://www.aicpa.org/INTERESTAREAS/FRC/ASSURANCEADVISORYSERVICES/DownloadableDocuments/Comparision-SOC-1-3.pdf