# ISC — SOC Engagements

Exam: CPA — ISC (Information Systems & Controls Discipline)
Last Updated: June 2026

---

## Overview of SOC Reports

SOC = System and Organization Controls. Attestation engagements performed by CPAs to evaluate controls at service organizations.

Service organizations provide services to other entities (user entities) that affect the user entity's financial reporting or operations.

### Three Types of SOC Reports

| Report | Audience | Subject Matter |
|---|---|---|
| SOC 1 | User entities and their auditors | Controls relevant to user entity's financial reporting |
| SOC 2 | Management, customers, business partners | Controls over Trust Services Criteria (security, availability, etc.) |
| SOC 3 | General public | Same as SOC 2, but general use report (no detailed testing) |

> Exam Tip: SOC 1 = financial reporting controls. SOC 2 = trust services. SOC 3 = public-facing summary of SOC 2.

---

## SOC 1 — Service Organization Controls for Financial Reporting

### Governed by SSAE 18 (AT-C Section 320)

User entities: Entities using the service organization's services (e.g., a company whose payroll is processed by ADP).

User auditors: Auditors of the user entity who need to understand controls at the service organization.

### Type 1 vs. Type 2

| Feature | SOC 1 Type 1 | SOC 1 Type 2 |
|---|---|---|
| Period covered | Point in time (single date) | Period of time (typically 6–12 months) |
| What is tested | Design of controls only | Design AND operating effectiveness |
| Level of assurance | Lower | Higher |

SOC 1 Type 2 is what user auditors need — tests whether controls operated effectively over…