Certificate of Cloud Auditing Knowledge (CCAK) — Question 31

Which best describes the difference between a type 1 and a type 2 SOC report?

Answer options

• A. A type 2 SOC report validates the operating effectiveness of controls whereas a type 1 SOC report validates the suitability of the design of the controls.
• B. A type 2 SOC report validates the suitability of the design of the controls whereas a type 1 SOC report validates the operating effectiveness of controls.
• C. A type 1 SOC report provides an attestation whereas a type 2 SOC report offers a certification.
• D. There is no difference between a type 2 and type 1 SOC report.

Correct answer: A

Explanation

A type 2 SOC report assesses the operating effectiveness of controls over a specified period, while a type 1 SOC report only evaluates the design of those controls at a specific point in time. Options B, C, and D are incorrect because they misstate the definitions or suggest that no differences exist between the two types of reports.