SOC Engagements, Service Auditor Reporting, and Cybersecurity Assurance

ISC SOC coverage for engagement types, SOC 1, SOC 2, planning, reporting, and cybersecurity examinations.

This part is the most assurance-specific segment of ISC. The chapters explain how SOC engagements are scoped, performed, and reported, and how the different report types serve different user needs.

SOC questions should begin with report purpose and user need. SOC 1, SOC 2, SOC for Cybersecurity, and engagement-planning questions differ because they address different subject matter, criteria, controls, and report users.

In This Part

Chapter 22: Overview of SOC Engagements introduces the SOC landscape and the major engagement families.
Chapter 23: SOC 1 Examinations focuses on controls relevant to user-entity financial reporting.
Chapter 24: SOC 2 Examinations covers the trust services framework and broader system controls.
Chapter 25: Planning and Performing a SOC Engagement explains scoping, evidence, and execution.
Chapter 26: Reporting and Opinions in SOC Engagements shows how conclusions are communicated.
Chapter 27: SOC for Cybersecurity addresses cybersecurity-specific reporting and assurance.

SOC Selection Lens

SOC area	First question	Common ISC trap
SOC overview	What subject matter and user need is driving the report?	Choosing a SOC report by name rather than purpose.
SOC 1	Are controls relevant to user-entity financial reporting?	Using SOC 1 for broad system-security assurance.
SOC 2	Which trust services criteria and system boundaries are in scope?	Assuming every trust services category is automatically included.
Planning and performing	What evidence, responsibilities, CUECs, and scope decisions support the engagement?	Treating SOC work as report drafting rather than assurance execution.
Reporting and opinions	How do deviations, limitations, and criteria affect the report conclusion?	Ignoring how exceptions change the opinion or user interpretation.
SOC for Cybersecurity	Is the engagement about the entity’s cybersecurity risk management program?	Confusing SOC for Cybersecurity with SOC 2 security.

SOC Report Selection Sequence

Step	What to do	Why it matters on ISC
1. Identify user need	Determine whether users need financial-reporting assurance, trust-services assurance, cybersecurity program assurance, or execution guidance.	SOC report choice should follow the decision users need to make.
2. Match subject matter to report type	Select SOC 1, SOC 2, SOC for Cybersecurity, or planning/reporting guidance based on the facts.	Similar control language can belong to different report families.
3. Define scope and criteria	Identify systems, control objectives, trust services criteria, description criteria, period, and boundaries.	Scope determines what the report can and cannot support.
4. Consider dependencies and CUECs	Evaluate subservice organizations, user-entity controls, carve-out methods, and inclusive methods.	SOC conclusions often rely on controls outside the service organization.
5. Interpret opinion consequences	Link exceptions, limitations, deviations, and report type to user reliance.	The final opinion changes how users can rely on the report.

How to Use This Part

Read this part after Parts I through IV so the system and control background is already in place.
Pay attention to the purpose, users, and reporting consequences of each engagement type.
Return here whenever an ISC question turns on which SOC framework or report is appropriate.

In this section

SOC Report Families, Report Structure, and Shared Control Responsibilities
SOC report families, report structure, and user-versus-subservice control responsibilities.
- SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity: Purpose, Users, and Use Cases
  SOC report families, intended users, and practical use cases.
- Required Sections, Structure, and Core Content of SOC Reports
  Required sections, structure, and core content of SOC reports.
- User Entity Controls, Subservice Controls, and Shared Responsibility Boundaries
  User entity controls, subservice controls, and shared responsibility boundaries.
SOC 1 Scope, Assertions, Materiality, and Subservice Organization Treatment
SOC 1 scope, assertions, materiality, and subservice organization methods.
- When SOC 1 Applies: Objectives, Scope, and Financial Reporting Relevance
  When SOC 1 applies, what it covers, and why it matters to financial reporting.
- Management Assertions, System Description Criteria, and SOC 1 Representation Requirements
  Management assertions, description criteria, and SOC 1 representation requirements.
- Materiality in SOC 1 Engagements and How Significance Is Judged
  Materiality in SOC 1 engagements and how significance is judged.
- Why IT Materiality Differs from Financial Statement Audit Materiality
  Why IT materiality differs from financial statement audit materiality.
- Inclusive and Carve-Out Methods for Subservice Organizations in SOC 1
  Inclusive and carve-out methods for subservice organizations in SOC 1.
SOC 2 Criteria Selection, System Boundaries, and Opinion Formation
Trust services criteria, system boundaries, testing, deviations, and opinion formation.
- Trust Services Criteria and How SOC 2 Engagements Select Them
  Trust services criteria and how SOC 2 engagements select them.
- SOC 2 Description Criteria, System Boundaries, and Scope Definition
  SOC 2 description criteria, system boundaries, and scope definition.
- Risk Assessment, Control Testing, and Evidence Design in SOC 2
  Risk assessment, control testing, and evidence design in SOC 2.
- Evaluating Exceptions and Forming the Final SOC 2 Opinion
  Evaluating exceptions and forming the final SOC 2 opinion.
SOC Engagement Acceptance, Fieldwork, and Evidence Gathering
Engagement acceptance, independence, CUECs, fieldwork, and evidence gathering.
- Accepting a SOC Engagement: Preconditions, Ethics, and Engagement Risk
  Preconditions, ethics, and engagement risk when accepting SOC work.
- Service Auditor Independence and Management Responsibilities in SOC Work
  Service auditor independence and management responsibilities in SOC work.
- Complementary User Entity Controls and Why They Matter to the Report
  Complementary user entity controls and why they matter to the report.
- Fieldwork Execution and Communication with Management and Stakeholders
  Fieldwork execution and communication with management and stakeholders.
- Gathering Evidence in SOC Engagements: Testing Tools and Techniques
  Evidence gathering, testing tools, and techniques in SOC engagements.
SOC Report Opinions, Modifications, and Issuance Judgments
Opinion types, modifications, subsequent events, specialists, and reporting pitfalls.
- SOC Opinion Types, Report Modifications, and When Wording Changes
  SOC opinion types, report modifications, and when wording changes.
- Subsequent Events and Post-Period Information in SOC Engagements
  Subsequent events and post-period information in SOC engagements.
- Using Other Auditors and Specialists in SOC Engagements
  Using other auditors and specialists in SOC engagements.
- Common SOC Reporting Pitfalls and Better Reporting Practices
  Common SOC reporting pitfalls and better reporting practices.
Cybersecurity Assurance Reporting Beyond SOC 2 Security
SOC for Cybersecurity scope, criteria, complex environments, and external communication.
- How SOC 2 Security Differs from SOC for Cybersecurity
  How SOC 2 Security differs from SOC for Cybersecurity.
- Description Criteria for Cybersecurity Risk Management Programs
  Description criteria for cybersecurity risk management programs.
- Complex IT Environments, Incident Response, and SOC for Cybersecurity Scope
  Complex IT environments, incident response, and SOC for Cybersecurity scope.
- Presenting Cybersecurity Findings to External Stakeholders
  Presenting cybersecurity findings to external stakeholders.

Revised on Monday, June 15, 2026

4. Security, Confidentiality & Privacy

6. Advanced Topics & Future Trends

Browse Information Systems and Controls (ISC)