Certified Information Systems Security Professional (CISSP) — Question 427
Which reporting type requires a service organization to describe its system and define its control objectives and controls that are relevant to users' internal control over financial reporting?
Answer options
- A. Statement on Auditing Standards (SAS) 70
- B. Service Organization Control 1 (SOC1)
- C. Service Organization Control 2 (SOC2)
- D. Service Organization Control 3 (SOC3)
Correct answer: B
Explanation
The correct answer is B, Service Organization Control 1 (SOC1), because it focuses specifically on internal controls over financial reporting. The other options, such as SOC2 and SOC3, pertain to broader operational and compliance controls rather than to financial reporting controls specifically.