In today's business environment, companies routinely outsource functions such as payroll processing, cloud hosting, and transaction processing to service organizations. When an audit client uses a service organization, the auditor must consider how that outsourced activity affects the client's financial statements and internal controls. This is where SOC reports (System and Organization Controls reports) come into play, and they are a regularly tested topic on the AUD section of the CPA exam.
This article covers the differences between SOC 1 and SOC 2 reports, explains Type 1 versus Type 2 distinctions, discusses user auditor considerations, and provides exam-focused strategies for answering related questions.
What Are SOC Reports?
SOC reports are independent examination reports issued by a service auditor on the controls at a service organization. They provide user entities and their auditors with information about the controls at the service organization that may be relevant to the user entity's financial reporting or operations.
The AICPA defines three categories of SOC reports:
- SOC 1 - Focuses on controls at a service organization relevant to user entities' internal control over financial reporting (ICFR). Governed by SSAE 18 (AT-C Section 320).
- SOC 2 - Focuses on controls relevant to one or more of the five trust services categories (security, availability, processing integrity, confidentiality, and privacy), evaluated against the AICPA Trust Services Criteria. Performed under SSAE 18 (AT-C Section 205). These are operational controls, not specifically financial reporting controls.
- SOC 3 - A general-use report similar in scope to SOC 2 but designed for a broad audience. It does not contain detailed testing results. This is rarely tested on the CPA exam.
SOC 1 Reports: The Financial Reporting Focus
A SOC 1 report is what matters most to a user auditor (the auditor of the entity that uses the service organization). When a client outsources a function that affects financial reporting, such as payroll processing, the user auditor needs to understand and evaluate the controls at the service organization. A SOC 1 report provides this information.
Key characteristics of SOC 1 reports:
- They are restricted-use reports, available only to the service organization, user entities, and user auditors.
- They address controls relevant to user entities' financial statement assertions.
- They are the primary SOC report referenced in the context of a financial statement audit.
- They include a description of the service organization's system and the service auditor's opinion.
SOC 2 Reports: The Operational Focus
A SOC 2 report addresses controls evaluated against the Trust Services Criteria. While these reports are valuable for evaluating a service organization's operational controls, they are generally not directly relevant to a financial statement audit unless the controls covered (for example, security or processing integrity controls over a system that feeds the user entity's accounting records) overlap with controls over financial reporting.
Key characteristics of SOC 2 reports:
- They are also restricted-use reports.
- They cover one or more of the five trust services categories: security, availability, processing integrity, confidentiality, and privacy. Security (the common criteria) is included in every SOC 2 report; the other four are added as the engagement scope requires.
- They are more commonly used by management, regulators, or others evaluating operational controls.
- They are less commonly the focus of CPA exam questions compared to SOC 1, but candidates should understand the distinction.
Type 1 vs Type 2: The Critical Distinction
Both SOC 1 and SOC 2 reports come in two types, and this distinction is heavily tested:
Type 1 Report
- Reports on the design of controls at a specific point in time (a specified date).
- The service auditor opines on whether the description of the system is fairly presented and whether the controls are suitably designed (and implemented) as of that date to achieve the control objectives.
- The service auditor does not test the operating effectiveness of controls.
- Think of it as a snapshot.
Type 2 Report
- Reports on the design and operating effectiveness of controls over a specified period of time (such as January 1 through December 31).
- The service auditor not only evaluates the design but also tests whether the controls operated effectively throughout the period, and the report includes a description of those tests and their results, including any exceptions found.
- This report provides more useful information for the user auditor because it covers operating effectiveness.
- Think of it as a video rather than a snapshot.
The exam will test whether you understand that a Type 2 report is more useful to a user auditor because it provides evidence about operating effectiveness over a period, not just design at a point in time.
User Auditor Considerations
When a user auditor's client uses a service organization, the user auditor has several responsibilities:
- Obtain an understanding of the nature and significance of the services provided and their effect on the user entity's internal controls relevant to the audit.
- Determine whether sufficient appropriate evidence is available at the user entity, or whether the user auditor needs to obtain evidence about controls at the service organization.
- Consider obtaining a SOC 1 report - If the user auditor plans to rely on controls at the service organization, a SOC 1 Type 2 report provides the most relevant evidence.
- Evaluate the SOC report - The user auditor must consider the time period covered (if a Type 2 period ends before the user entity's year end, the user auditor considers the gap and whether additional procedures or an updated report are needed), any exceptions noted in the tests of controls, the relevance of the controls tested to the user entity's assertions, and the service auditor's competence and independence.
- Assess complementary user entity controls - SOC reports often identify controls that the user entity is expected to implement. The user auditor must evaluate whether these are in place and operating effectively.
Complementary User Entity Controls (CUECs)
This is a concept that catches many candidates off guard. A SOC report typically identifies complementary user entity controls, which are controls that the service organization assumes the user entity has implemented. The service organization's controls are designed to be effective only in conjunction with these user entity controls.
For example, a payroll service organization might assume that the client properly authorizes all payroll changes before submitting them. If the client does not have adequate authorization controls, the overall control environment may be deficient even if the service organization's own controls are operating effectively.
The user auditor must evaluate whether these complementary controls are in place and functioning. This is a testable concept that connects the SOC report to the user entity's own internal control evaluation.
Subservice Organizations
Sometimes a service organization uses another service organization (a subservice organization). SOC reports can address this in two ways:
- Inclusive method - The subservice organization's controls are included within the scope of the SOC report.
- Carve-out method - The subservice organization's controls are excluded from the scope. The SOC report identifies the functions performed by the subservice organization but does not test its controls.
Under the carve-out method, if the carved-out services are relevant to the audit, the user auditor may need to obtain a separate SOC report for the subservice organization or perform additional procedures to obtain evidence about its controls.
Exam Relevance and Question Patterns
On the AUD section, SOC report questions tend to fall into several patterns:
- Identifying whether a SOC 1 or SOC 2 report is appropriate for a given scenario.
- Distinguishing between Type 1 and Type 2 reports.
- Understanding what the user auditor should do when a SOC report is available (or not available).
- Recognizing the user auditor's responsibility regarding complementary user entity controls.
- Knowing that the user auditor should not reference the service auditor's report in the user auditor's own audit report.
A common exam trap: the user auditor should not refer to the service auditor's work in an audit report containing an unmodified opinion as a basis for that opinion (AU-C 402). The user auditor takes sole responsibility for the opinion, even if a SOC report was used as audit evidence. The one exception is a modified opinion: if reference to the service auditor's work is relevant to understanding the modification, the user auditor may refer to it, but the report must state that the reference does not diminish the user auditor's responsibility for the opinion.
Study Recommendations
SOC reports sit at the intersection of auditing standards and practical business operations, making them a favorite topic for exam writers. To prepare effectively:
- Memorize the SOC 1 vs SOC 2 distinction (financial reporting vs operational).
- Know Type 1 vs Type 2 cold (design only vs design and operating effectiveness).
- Understand the user auditor's responsibilities when the client uses a service organization.
- Be familiar with complementary user entity controls and the carve-out vs inclusive methods.
Think CPA offers targeted AUD practice that includes SOC report scenarios and the related auditor considerations. Working through these questions in context will reinforce your understanding and help you spot the exam patterns quickly on test day.