SOC report families, report structure, and user-versus-subservice control responsibilities.
This chapter introduces the SOC reporting landscape and the basic distinctions among engagement types. ISC uses this material to test whether you can match user needs to the correct report and understand the structure of that report.
SOC questions usually turn on purpose, audience, and responsibility. A user auditor, user entity, regulator, customer, or general public reader may need a different report, and complementary controls can shift part of the control burden outside the service organization.
| SOC issue | What to identify first | Common ISC trap |
|---|---|---|
| Report family | Whether the user needs controls over financial reporting, trust services criteria, cybersecurity, or general-use assurance. | Choosing SOC 2 because the topic sounds technical without checking user need. |
| Report structure | Scope, period, management assertion, service auditor opinion, tests, and results. | Reading only the opinion and ignoring scope or exceptions. |
| User entity controls | Which controls the user organization must operate for the service controls to be effective. | Assuming the service organization owns every related control. |
| Subservice organizations | Whether carve-out or inclusive presentation changes the evidence available. | Ignoring a provider nested inside the service organization’s process. |
| Step | ISC question to ask | Reporting implication |
|---|---|---|
| 1. Identify the user need | Is the report needed for financial reporting, trust services criteria, cybersecurity, or general assurance? | User purpose determines the appropriate SOC family. |
| 2. Define subject matter and period | What system, controls, criteria, and time period are covered? | Scope and period determine what the report can support. |
| 3. Determine Type 1 or Type 2 focus | Is the question about design at a point in time or operating effectiveness over a period? | The report type changes the evidence available to users. |
| 4. Map complementary responsibilities | Which user-entity or subservice controls are necessary for the service controls to work? | SOC reports often depend on controls outside the service organization. |
| 5. Read opinion and exceptions together | Do scope, tests, results, and exceptions support the intended reliance? | A report should not be used beyond what its wording and evidence support. |
| Checkpoint | Exam use | What to avoid |
|---|---|---|
| Report type | Match SOC 1, SOC 2, SOC 3, or SOC for Cybersecurity to the user’s purpose. | Selecting a report because the subject sounds technical rather than because the user need fits. |
| Intended users | Decide whether the report is restricted-use, general-use, or aimed at a specific reliance group. | Assuming all SOC reports can be distributed or relied on in the same way. |
| System boundary | Identify the system, service commitments, controls, period, and included locations or functions. | Treating the report as assurance over every activity performed by the service organization. |
| Criteria and scope | Connect the report to financial-reporting controls, trust services criteria, cybersecurity criteria, or another stated basis. | Ignoring criteria and reading the opinion as a broad quality certification. |
| Outside responsibilities | Separate service organization controls from user entity controls and subservice organization controls. | Missing carve-out or complementary-control language that limits what the report supports. |