Question 31
An auditor wants to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization. Which of the following can BEST help to gain the required information?
Correct answer: D
Explanation
A SOC 2 Type 2 report evaluates a service organization’s controls over the Trust Services Criteria, including "privacy, availability, and confidentiality," and tests their "operating effectiveness" over a period of time. That makes it the best source for information on whether those controls were designed and operated effectively.
Why each option is right or wrong
A. ISAE 3402 report: wrong. ISAE 3402 is the international counterpart of SOC 1 and covers controls relevant to user entities' financial reporting, not the privacy, availability, and confidentiality criteria.
B. ISO/IEC 27001 certification: wrong. Certification confirms that an information security management system meets the standard's requirements; it does not report the tested operating effectiveness of specific controls over a period.
C. SOC 1 Type 1 report: wrong. SOC 1 is scoped to controls relevant to financial reporting, and a Type 1 report only covers control design at a point in time, not operating effectiveness.
D. SOC 2 Type 2 report: correct. It covers the Trust Services Criteria (including privacy, availability, and confidentiality) and reports on operating effectiveness over a period.
Under the AICPA attestation framework, a SOC 2 report is issued under AT-C 205 and is built around the Trust Services Criteria, which include security, availability, processing integrity, confidentiality, and privacy. A Type 2 report covers both the description of controls and the auditor’s tests of operating effectiveness over a specified period, typically at least 6 months, so it directly addresses whether those controls actually worked during the period examined.