CPA Exam Information Security and SOC Engagements

Last updated: May 2, 2026

Information Security and SOC Engagements questions are one of the highest-leverage areas to study for the CPA Exam. This guide breaks down the rule, the elements you need to recognize, the named traps that catch most students, and a memory aid that scales to test day. Read it once, then practice the same sub-topic adaptively in the app.

The rule

A SOC 1 report (SSAE No. 18, AT-C §320) addresses controls at a service organization that are relevant to user entities' internal control over financial reporting (ICFR). A SOC 2 report (AT-C §105 and §205, with the AICPA Trust Services Criteria) addresses controls relevant to one or more of the five Trust Services Categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 3 is a general-use, short-form version of a SOC 2 — same criteria, but no detailed description of tests or results. Within SOC 1 and SOC 2 you must also distinguish a Type 1 (design of controls at a point in time) from a Type 2 (design AND operating effectiveness over a period).

Elements breakdown

SOC 1 Engagement

Examination of a service organization's controls relevant to user entities' ICFR, performed under SSAE No. 18 (AT-C §320).

  • Restricted-use report (management, user entities, user auditors)
  • Subject matter is ICFR-relevant controls only
  • Control objectives written by service organization management
  • Subservice organizations are presented using either the carve-out or the inclusive method
  • Includes a written assertion by service organization management

Common examples:

  • Payroll processor used by hundreds of employer-clients
  • Loan-servicing platform whose data feeds client G/Ls

SOC 2 Engagement

Examination of controls over one or more Trust Services Categories using the AICPA Trust Services Criteria (TSC).

  • Security category is mandatory; others optional
  • Restricted use (management, regulators, knowledgeable parties)
  • Criteria are predefined by the AICPA, not by management
  • Reports on suitability of design and (Type 2) operating effectiveness
  • Common Criteria (CC1-CC9) plus category-specific criteria

Common examples:

  • SaaS platform reporting on Security and Availability
  • Cloud data-processing vendor reporting on Confidentiality

SOC 3 Engagement

General-use report covering the same TSC subject matter as a SOC 2, but without detailed control descriptions, tests, or results.

  • General use — may be freely distributed and posted publicly
  • No detailed test procedures or results disclosed
  • Auditor's opinion plus management's assertion only
  • Often used for marketing or website seal
  • Always Type 2 in nature (period of time)

Type 1 vs. Type 2

Distinguishes a point-in-time design opinion from a period-of-time design and operating effectiveness opinion.

  • Type 1: design and implementation as of a specified date
  • Type 2: design AND operating effectiveness over a period (usually 6-12 months)
  • Type 2 includes detailed tests of controls and results
  • Type 1 provides no assurance that controls operated effectively over a period
  • User auditors typically require Type 2 for reliance

Carve-out vs. Inclusive Method

How a service organization presents subservice organizations (third parties it relies on) in its description of the system.

  • Carve-out: subservice org's controls excluded from description and scope
  • Inclusive: subservice org's controls included in description and tested
  • Carve-out requires user entity to obtain separate assurance
  • Most SOC reports use carve-out method
  • Method choice must be disclosed in the description

Common patterns and traps

The Wrong-Report-for-the-Wrong-Purpose Trap

The question describes a user need (often financial-statement audit reliance, or alternatively cybersecurity due diligence) and offers four SOC report/type combinations as choices. The trap is matching the report to an industry stereotype (e.g., 'cloud company = SOC 2') instead of to the purpose actually stated in the stem. Read the stem to find WHO is using the report and WHY; that drives the answer.

A wrong choice will offer a SOC 2 Type 2 when the stem clearly says the user auditor needs to rely on controls affecting the client's revenue cycle — a SOC 1 question dressed up as a SOC 2 question.

The Type-1-Masquerading-as-Operating-Effectiveness Trap

The stem describes a user who needs assurance that controls operated effectively over a period (e.g., the audit period, or the past fiscal year). A wrong choice offers a Type 1 report, which only addresses design and implementation at a point in time. Type 1 reports give zero evidence about whether controls actually functioned across days, weeks, or months.

A choice reading 'SOC 1 Type 1 covering the year ended December 31' is internally inconsistent — Type 1 is a point-in-time opinion, not a period-of-time opinion.

The Carve-Out Blind Spot

A service organization uses a subservice organization (e.g., its own cloud-hosting vendor) and issues a report using the carve-out method. The trap is concluding that the service organization's SOC report covers the subservice org's controls. It does not — the user entity must obtain separate assurance over the carved-out subservice organization, often via that subservice org's own SOC report.

A wrong choice says 'no further procedures needed because the SOC 2 covers the cloud hosting provider' even though the report's description states that the hosting provider is carved out.

The General-Use Confusion

Candidates forget that SOC 1 and SOC 2 are restricted-use reports — distribution is limited to management, user entities, regulators, and similarly knowledgeable parties. SOC 3 is the only general-use SOC report. Posting a SOC 1 or detailed SOC 2 report on a public website violates the use restriction.

A wrong choice recommends that the company post 'the SOC 2 Type 2 report on the marketing site for prospects to download'; that is a SOC 3 use case, not a SOC 2 one.

The Management-Wrote-the-Criteria Mistake

In a SOC 1 engagement, management writes the control objectives; the practitioner evaluates whether they're suitable. In a SOC 2 engagement, the criteria are predefined by the AICPA Trust Services Criteria — management does NOT get to write them. Confusing who sets criteria leads to wrong answers about scope and suitability evaluations.

A wrong choice claims a SOC 2 was deficient because 'management did not establish the security criteria in advance'; the criteria are AICPA-defined, not management-defined, so no such deficiency exists.

How it works

Start by asking what the user of the report needs to do with it. If a user entity's external auditor needs to rely on the service organization's controls to opine on the user entity's financial statements — payroll processed offsite, custody of investments, claims processing that feeds the general ledger — you need a SOC 1. If the user instead cares about whether the service organization adequately protects data, keeps systems available, or safeguards privacy, you need a SOC 2. Then ask: do they need detail (control descriptions, tests, results) or just a clean opinion they can publish? Detail = SOC 2; clean opinion they can post on their website = SOC 3. Finally, decide Type 1 vs. Type 2: if the user auditor needs evidence of operating effectiveness across the audit period, only a Type 2 will do. A Type 1 only tells you the controls were designed appropriately on the date of the report — it says nothing about whether they actually worked the rest of the year.

Worked examples

Worked Example 1

Which engagement should Calderon commission to meet the user auditor's needs?

  • A A SOC 1 Type 2 examination covering the period the user auditor needs to rely on the controls ✓ Correct
  • B A SOC 2 Type 2 examination expanded to include the Processing Integrity category
  • C A SOC 3 report covering all five Trust Services Categories
  • D A SOC 1 Type 1 examination as of December 31

Why A is correct: Pham & Ortiz needs assurance over controls relevant to Vandermeer's ICFR — specifically, controls over revenue and receivables processed by Calderon. That is the textbook use case for a SOC 1 (SSAE No. 18, AT-C §320). Because the user auditor needs evidence of operating effectiveness across the audit period, a Type 2 is required. SOC 2 reports — even with Processing Integrity added — are not designed to address the user entity's ICFR assertions and are not a substitute for SOC 1 reliance.

Why each wrong choice fails:

  • B: SOC 2 reports address the Trust Services Criteria, not user-entity ICFR. Even with the Processing Integrity category included, the report is structured around AICPA-defined criteria for system processing — not the financial-statement assertions the user auditor must support. (The Wrong-Report-for-the-Wrong-Purpose Trap)
  • C: SOC 3 is a general-use, short-form report with no detail on controls tested or test results. A user auditor cannot rely on it for substantive evidence about specific controls relevant to the user entity's financial statements. (The General-Use Confusion)
  • D: A Type 1 report opines only on the design and implementation of controls as of a single date. The user auditor needs operating-effectiveness evidence across the entire audit period, which only a Type 2 can provide. (The Type-1-Masquerading-as-Operating-Effectiveness Trap)

Worked Example 2

What is the most appropriate response from the prospect's security team?

  • A No further procedures are needed; the SOC 2 covers Otieno's controls and, by extension, those of its hosting provider
  • B Obtain a separate SOC report (or equivalent assurance) for the carved-out hosting provider's relevant controls ✓ Correct
  • C Require Otieno to reissue its report using the inclusive method before signing the contract
  • D Request that Otieno obtain a SOC 1 Type 2 report covering the hosting provider

Why B is correct: Under the carve-out method, the subservice organization's controls are excluded from the scope of Otieno's SOC 2 examination and are not tested by Otieno's service auditor. The prospect's security team must obtain separate assurance — typically the hosting provider's own SOC 2 report — to evaluate the controls operating at the subservice level. This is a fundamental implication of carve-out presentation under AT-C §205.

Why each wrong choice fails:

  • A: Carve-out explicitly excludes the subservice organization's controls from the scope of the report. Concluding the SOC 2 covers the hosting provider's controls misreads the carve-out disclosure. (The Carve-Out Blind Spot)
  • C: The prospect cannot dictate a service organization's presentation method; the choice between carve-out and inclusive is made by the service organization in conjunction with its service auditor and is influenced by access and cooperation from the subservice organization. Demanding a reissue is not the standard response.
  • D: A SOC 1 addresses controls relevant to user entities' ICFR. The prospect is evaluating cybersecurity, not financial-statement reliance, so a SOC 2 (or equivalent) over the hosting provider — not a SOC 1 — is what is needed. (The Wrong-Report-for-the-Wrong-Purpose Trap)

Worked Example 3

What is the engagement partner's most appropriate response?

  • A Yes, because in any SOC engagement management defines the criteria and the practitioner evaluates suitability
  • B Yes, but only for the Privacy category; Security must use the AICPA Trust Services Criteria
  • C No, because the AICPA Trust Services Criteria are predefined by the AICPA and must be used as the criteria in a SOC 2 examination ✓ Correct
  • D No, because only the SEC may establish criteria for any AICPA attestation engagement involving information security

Why C is correct: In a SOC 2 examination, the criteria are the AICPA Trust Services Criteria (the Common Criteria plus category-specific criteria for Availability, Processing Integrity, Confidentiality, and Privacy). Management does not draft these criteria; they are predefined by the AICPA and designated as suitable criteria. Management does, however, provide a written assertion and a description of the system, and may define service commitments and system requirements within the framework of those criteria.

Why each wrong choice fails:

  • A: This conflates SOC 1 (where management writes control objectives) with SOC 2 (where the AICPA defines the criteria). It is not true that management defines the criteria 'in any SOC engagement.' (The Management-Wrote-the-Criteria Mistake)
  • B: Privacy is a category within the Trust Services Criteria with its own predefined criteria — management cannot write them. The split between Security and Privacy is fabricated; both use AICPA-defined criteria. (The Management-Wrote-the-Criteria Mistake)
  • D: The SEC does not establish criteria for AICPA attestation engagements. The criteria for SOC 2 engagements are established by the AICPA Assurance Services Executive Committee, not the SEC.

Memory aid

"1-2-3, F-T-G": SOC 1 = Financial reporting, SOC 2 = Trust criteria, SOC 3 = General use. For the type: "Type 1 is a snapshot, Type 2 is a movie."

Key distinction

SOC 1 is about the user entity's financial statements; SOC 2/3 is about the service organization's operations under the Trust Services Criteria. The user's purpose drives the engagement choice — never the service organization's preference.

Summary

Pick SOC 1 when the user auditor needs ICFR assurance, SOC 2 when stakeholders need Trust Services assurance with detail, SOC 3 when only a public-facing opinion is needed — and require Type 2 whenever operating effectiveness across a period matters.

Practice Information Security and SOC Engagements adaptively

Reading the rule is the start. Working CPA Exam-format questions on this sub-topic with adaptive selection, watching your mastery score climb in real time, and seeing the items you missed return on a spaced-repetition schedule — that's where score lift actually happens. Free for seven days. No credit card required.

Frequently asked questions

How do I practice Information Security and SOC Engagements questions?

The fastest way to improve on Information Security and SOC Engagements is targeted, adaptive practice — working questions that focus on your specific weak spots within this sub-topic, getting immediate feedback, and revisiting items you missed on a spaced-repetition schedule. Neureto's adaptive engine does this automatically across the CPA Exam; start a free 7-day trial to see your sub-topic mastery climb in real time.

What are common traps on Information Security and SOC Engagements questions?

  • Confusing SOC 2 (operations/security) with SOC 1 (financial reporting)
  • Treating Type 1 as evidence of operating effectiveness

Ready to drill these patterns?

Take a free CPA Exam assessment — about 25 minutes — and Neureto will route more Information Security and SOC Engagements questions your way until your sub-topic mastery score reflects real improvement, not luck. Free for seven days. No credit card required.