Which of the following can BEST help to gain the required information?

An auditor wants to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization.

Which of the following can BEST help to gain the required information?
A. ISAE 3402 report
B. ISO/IEC 27001 certification
C. SOC1 Type 1 report
D. SOC2 Type 2 report

Answer: D

Explanation:

A SOC2 Type 2 report can best help an auditor to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization. A SOC2 Type 2 report is an internal control report that examines the security, availability, processing integrity, confidentiality, and privacy of a service organization’s system and data over a specified period of time, typically 3-12 months. A SOC2 Type 2 report is based on the AICPA Trust Services Criteria and provides an independent auditor’s opinion on the design and operating effectiveness of the service organization’s controls. A SOC2 Type 2 report can help an auditor to assess the risks and challenges associated with outsourcing services to a cloud provider and to verify that the provider meets the relevant compliance requirements and industry standards. [1][2]

Reference: [1] CCAK Study Guide, Chapter 5: Cloud Auditing, page 97; [2] SOC 2 Type II Compliance: Definition, Requirements, and Why You Need It
