Certificate of Cloud Auditing Knowledge (CCAK) — Question 218

Which of the following is MOST important for an external auditor to review to verify that a cloud service provider's controls are designed and operating effectively?

Answer options

• A. TSP Criteria
• B. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) evaluation
• C. SOC 2 Type 2 report
• D. SOC 2 Type 1 report

Correct answer: C

Explanation

The SOC 2 Type 2 report is crucial because it provides a detailed assessment of the operational effectiveness of a cloud service provider's controls over a period, confirming that they are functioning as intended. In contrast, the SOC 2 Type 1 report only verifies the design of controls at a specific point in time, which does not assure their ongoing effectiveness. While the TSP Criteria and CSA CCM evaluation are important frameworks, they do not provide direct evidence of operational effectiveness like the SOC 2 Type 2 report does.