In this video, we walk through 5 AUD practice questions teaching about using a SOC 1 Type 2 Report in an audit. These questions are from AUD content area 2 on the AICPA CPA exam blueprints: Assessing Risk and Developing a Planned Response.
The best way to use this video is to pause each time we get to a new question in the video, and then make your own attempt at the question before watching us go through it.
Also be sure to watch one of our free webinars on the 6 “key ingredients” to an extremely effective & efficient CPA study process here…
Using a SOC 1 Type 2 Report in an Audit
Many companies outsource critical functions such as payroll processing, data management, or transaction handling to third-party service providers. While outsourcing can improve efficiency, it also introduces risks related to financial reporting. Auditors must evaluate how the service organization’s controls impact the accuracy, completeness, and reliability of the company’s financial statements.
A key tool for this evaluation is a SOC 1 Type 2 report, which provides independent assurance about the effectiveness of the service organization’s internal controls. However, relying on the report has limitations, and auditors must know when and how to use it appropriately.
What Is a SOC 1 Report and Why Does It Matter?
A SOC 1 report (System and Organization Controls Report for Service Organizations) is an independent examination of a service organization’s internal controls relevant to financial reporting. These reports are prepared by a service auditor and help the user auditor determine whether the service organization’s controls can be relied upon.
Types of SOC 1 Reports
- SOC 1 Type 1 – Evaluates the design of controls at a specific point in time.
- SOC 1 Type 2 – Assesses both the design and operating effectiveness of controls over a period of time (typically 6-12 months).
For example, if XYZ Corp. outsources its payroll processing to PayrollPro, its auditors need assurance that PayrollPro’s controls prevent errors such as duplicate payments or unauthorized changes. A SOC 1 Type 2 report provides a detailed review of PayrollPro’s controls over an extended period, making it more useful than a Type 1 report for assessing ongoing reliability.
How Does a User Auditor Use a SOC 1 Type 2 Report?
A user auditor (the auditor of the company that uses the service organization) reviews a SOC 1 Type 2 report to:
- Assess control risk – Determine whether the service organization’s controls are effective.
- Identify potential weaknesses – Understand where deficiencies may exist in areas such as transaction processing, IT security, and fraud prevention.
- Adjust audit procedures – Decide whether reliance on the service organization’s controls is possible, which may reduce substantive testing.
Example: Evaluating a Payroll Service Provider
Imagine a company, ABC Manufacturing, outsources payroll processing to PayMaster Inc. If PayMaster has effective internal controls over payroll accuracy, ABC Manufacturing’s auditor may decide to reduce control risk and adjust the audit procedures accordingly.
However, if the SOC 1 Type 2 report reveals control deficiencies—such as unauthorized payroll adjustments or weak IT security—the user auditor may need to increase substantive testing on payroll expense and related accounts.
What a SOC 1 Type 2 Report Does Not Do
While SOC 1 reports provide useful insights, they should not be misused in an audit. Common misconceptions include:
- Replacing substantive testing – Even if the service organization’s controls are effective, the user auditor must still perform substantive procedures on affected financial statement areas.
- Determining materiality – The SOC 1 report only assesses control effectiveness, not materiality thresholds for financial statements.
- Eliminating the need for professional skepticism – The user auditor should not assume that all controls operate as described; the user auditor must evaluate the service auditor’s work and conclusions.
- Referencing the SOC 1 report in an unmodified audit opinion – If reliance on the report is significant, the audit opinion may need modification rather than direct mention of the service auditor’s work.
Example: Incorrect Use of a SOC 1 Report
A user auditor reviewing a SOC 1 Type 2 report for an IT service provider sees that controls over data integrity are effective. However, this does not mean the auditor can skip substantive testing of transactions processed through the IT system.
When Is It Most Efficient to Review a SOC 1 Report?
Timing matters. Reviewing a SOC 1 Type 2 report is most efficient during audit planning, allowing auditors to:
- Determine whether reliance on service organization controls is appropriate.
- Plan the nature, timing, and extent of audit procedures early.
- Identify any control deficiencies before year-end testing.
Example: Timing Considerations
If GreenBank Corp. relies on DataSecure Inc. for transaction processing, its auditors should obtain DataSecure’s SOC 1 Type 2 report early in the audit cycle. This allows them to adjust control risk assessments before substantive testing begins.
What Must Be Satisfied to Use a SOC 1 Type 2 Report to Reduce Assessed Risk?
To rely on a SOC 1 Type 2 report, the user auditor must confirm:
- The service auditor is competent and independent – The service auditor should be a qualified, independent CPA firm.
- The testing procedures are appropriate – The report must detail testing methods and results relevant to financial reporting.
- The report covers an appropriate period – If the report does not align with the company’s fiscal year, additional procedures may be needed.
- Complementary user entity controls are in place – Some controls rely on the user entity’s actions (e.g., reviewing payroll reports).
If these conditions are not met, the auditor may need to perform additional testing.
Responsibilities of the Service Auditor vs. the User Auditor
Service Auditor Responsibilities
The service auditor, who prepares the SOC 1 report, is responsible for:
- Evaluating the design and effectiveness of service organization controls.
- Performing tests such as walkthroughs, inquiries, and substantive procedures.
- Obtaining a management representation letter from the service organization.
- Considering subsequent events that may impact control effectiveness.
User Auditor Responsibilities
The user auditor, who audits the company relying on the service organization, must:
- Evaluate whether the SOC 1 report provides sufficient evidence to assess control risk.
- Assess the competence of the service auditor and the relevance of testing procedures.
- Determine whether the service organization’s controls align with the user entity’s financial reporting needs.
- Perform additional audit procedures when necessary.
Example: Differentiating Responsibilities
If CloudTech Inc. provides cloud-based accounting software to clients, its service auditor evaluates CloudTech’s IT security and transaction processing controls. The user auditor (e.g., an audit firm auditing one of CloudTech’s clients) must then assess whether the SOC 1 report is reliable for use in that audit.
Key Takeaways for Auditors
- A SOC 1 Type 2 report helps assess a service organization’s controls over financial reporting.
- It does not replace substantive testing or determine materiality.
- User auditors must evaluate the service auditor’s competence and testing procedures.
- Reviewing the report early in the audit process improves efficiency.