Free CPA ISC (Information Systems & Controls) Considerations for SOC Engagements Practice Questions

Work through SOC engagement considerations for the CPA ISC exam. Questions cover SOC 1, SOC 2, and SOC 3 reports, trust services criteria, control testing, and reporting requirements.

207 Questions
76 Easy
79 Medium
52 Hard
2026 Syllabus

Sample Questions

Question 1 Easy
What is the PRIMARY difference between a SOC 2 report and a SOC 3 report?
Solution
A is correct. The primary difference between SOC 2 and SOC 3 reports is their intended audience and level of detail. A SOC 2 report is a restricted-use report intended for the service organization's management, user entities, and their auditors (parties with sufficient knowledge of the system to use the report appropriately). It contains a detailed description of the service organization's system, the controls in place, the tests performed by the service auditor, and the results of those tests. A SOC 3 report is a general-use report that can be freely distributed, including on the service organization's website. It contains management's assertion and the service auditor's opinion on whether controls were suitably designed and operating effectively to meet the applicable trust services criteria, but it does not include detailed control descriptions, test procedures, or test results. Both report types use the Trust Services Criteria.
B is incorrect because both SOC 2 and SOC 3 reports use the Trust Services Criteria, not different frameworks.
C is incorrect because SOC 3 reports are based on SOC 2 Type II engagements — there is no SOC 3 Type I.
D is incorrect because the scope distinction between service organization and subservice organization controls exists in both SOC 2 and SOC 3 engagements through the inclusive and carve-out methods.
Question 2 Medium
A SOC 2+ engagement differs from a standard SOC 2 engagement in that a SOC 2+ report:
Solution
A is correct. A SOC 2+ engagement includes the standard Trust Services Criteria plus additional criteria from other frameworks such as HIPAA, NIST Cybersecurity Framework, ISO 27001, or the Cloud Security Alliance STAR framework. The additional criteria are mapped alongside the Trust Services Criteria, allowing the service organization to demonstrate compliance with multiple standards in a single report.
B is incorrect because SOC 2+ does not replace the Trust Services Criteria; it supplements them with additional frameworks.
C is incorrect because the system description remains a required element in SOC 2+ engagements.
D is incorrect because SOC 2+ is not restricted to any specific industry; any service organization can elect to include additional criteria relevant to its operations.
Question 3 Hard
An organization is deciding between obtaining a SOC for Cybersecurity report and a SOC 2 report. The organization does not provide outsourced services to other entities but wants to demonstrate the maturity of its cybersecurity program to its board of directors, regulators, and potential investors. Which report type is MOST appropriate, and why?
Solution
C is correct. A SOC for Cybersecurity examination is specifically designed for entity-level cybersecurity reporting. It evaluates the organization's cybersecurity risk management program, including its objectives, processes, and controls, and produces a report intended for a broad range of stakeholders including boards of directors, regulators, analysts, and investors. This matches the organization's needs. A SOC 2 report, by contrast, is designed for service organizations and evaluates controls relevant to the Trust Services Criteria in the context of services provided to user entities — it is not designed for entity-level cybersecurity reporting to boards and investors.
A is incorrect because SOC 2 reports are designed for service organization contexts and would not be the natural fit for an organization that does not provide outsourced services and wants to report to its board and investors.
B is incorrect because the SOC for Cybersecurity framework is specifically designed for entities regardless of whether they provide outsourced services — it is an entity-level examination.
D is incorrect because the two reports serve different purposes and audiences; obtaining both simultaneously is unnecessary for this organization's stated goal, and the two reports do not provide identical assurance.

About FreeFellow

FreeFellow is a free exam prep platform for actuarial (SOA & CAS), CFA, CFP, CPA, CAIA, and securities licensing candidates. Every question includes a detailed solution. Full lessons, flashcards with spaced repetition, timed mock exams, performance analytics, and a personalized study plan are all included — no paywalls, no ads.