I'm studying for the CCSP exam and I'm confused with a test prep question in my study materials.
The question reads:
"Which kind of SSAE report comes with a seal of approval from a certified auditor?"
A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4
I chose B. SOC 2 because I figured that as one of the most detailed reports on controls at a service organization, it would certainly need to have some record ("seal") of a reputable auditor performing the study.
The test prep material says I'm wrong though:
C. SOC 2 deals with the CIA tria. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4
OK, fair enough. I can understand how SOC 3 would be an appropriate answer but why not SOC 2 as well? Is there no attestation on a SOC 2 report by the auditor?