Certificate of Cloud Auditing Knowledge (CCAK) — Question 14

Your company is purchasing an application from a vendor. They do not allow you to perform an on-site audit on their information system. However, they say, they will provide the third-party audit attestation on the adequate control design within their environment. Which report is the vendor providing you?

Answer options

• A. SOC 3
• B. SOC 2, TYPE 2
• C. SOC 1
• D. SOC 2, TYPE 1

Correct answer: D

Explanation

The vendor is providing a SOC 2, TYPE 1 report, which focuses on the design of controls at a specific point in time. In contrast, SOC 2, TYPE 2 evaluates the operational effectiveness of those controls over a period, while SOC 1 is related to financial reporting controls and SOC 3 is a general-use report that provides less detail about controls.