Exam CISSP topic 1 question 232 discussion

I think that this is soc2, the fact the app is used for finance transfer is trying to trick you into picking soc1

I agree with SOC2 as Cww1 says it is a bit of a trick question. SOC1 is for how well the organization maintains its book of accounts from my understanding. This is related to the availability of an application which is a SOC2

I initially choose C , still dont if its correct or not , but found this the AICPA considers disaster recovery and business continuity planning to be plans and not controls. Additionally, while disaster recovery and business continuity planning may be of interest to user entities, the AICPA does not consider business continuity to be relevant to internal controls over financial reporting, and therefore cannot be included in the description of controls or test of controls within a SOC 1. :https://www.schellman.com/blog/2015/09/disaster-recovery-controls-within-soc-1-test-of-controls-matrix/

SOC 1 reports are designed to provide assurance to users of a service organization's internal controls over financial reporting. In this case, the auditor has identified an issue with the business continuity disaster recovery policy and procedures for an application used for funds transfers, which is a significant financial risk. SOC 2 reports are designed to provide assurance to users of a service organization's controls over a specific trust service principle, such as security, availability, processing integrity, confidentiality, or privacy. While SOC 2 reports can be relevant for organizations that provide services to other organizations, they are not specifically designed for internal controls over financial reporting.

SOC 2 reports are also known as the Trust Services Criteria (TSC) reports. AICPA defines these to be: Security Availability Confidentiality Processing Integrity Privacy

The answer is D Although the application deal with financial transaction, notice that the finding was doing a security audit. only SOC2 deal with security controls.

Since the application involves funds transfers between an organization and a third-party, it likely falls under critical financial processes. Therefore, the appropriate report that the auditor should file with the organization would be the Service Organization Control (SOC) 1 report. This report focuses on controls relevant to financial reporting, including those related to the security, availability, processing integrity, confidentiality, and privacy of financial data.

SOC 1 reports are specifically designed for service organizations and cover controls relevant to financial reporting. They often include information about the effectiveness of controls related to business continuity and disaster recovery SOC 2 (option D) is more focused on security, availability, processing integrity, confidentiality, and privacy, and may not be as directly related to financial reporting controls as SOC 1.

C. Service Organization Control (SOC) 1 A SOC 1 (System and Organization Controls 1) report evaluates service organization controls that are applicable to a user entity's internal control over financial reporting. It focuses on the controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements. The report includes the service organization's description of its system and the suitability of the design and operating effectiveness of the controls. There's no reason why ISACA would want to trick us. These exams are not written with the intent of failing you. They are written to test one's knowledge. The app is mentioned to give more context which makes SOC 1 the best answer to me.

The correct answer is SOC 1. Although issue was with the business continuity disaster recovery policy and procedures for this application, not necessarily with security, however, SOC 1 reports also cover controls related to business continuity and disaster recovery, in addition to controls related to financial reporting. SOC 1 reports are designed to provide assurance regarding the effectiveness of a service organization's controls related to financial reporting, including controls related to business continuity and disaster recovery. As such, a SOC 1 report would be appropriate for the auditor to file with the organization in this scenario.

D is correct

Answer D - SOC2 is correct keyword is "security audit" - there is no security audit within SOC1 Option A and B are outdated

D. Service Organization Control (SOC) 2

The correct answer is D. Service Organization Control (SOC) 2, because it is an auditing standard that deals specifically with the security, availability, processing integrity, confidentiality, and privacy of a service organization's systems and the controls used to protect customer data. SOC 2 reports are intended for use by an organization's management, as well as the customers and their auditors. SOC 2 provides a framework for evaluating the controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, and/or privacy.

The issue is related to the application availability, and not financial statement control. So SOC 2 should be the answer.

I agree with the majority, the best answer is D.

C https://secureframe.com/hub/soc-2/soc-1-vs-soc-2-vs-soc-3 A SOC 1 report is for organizations whose internal security controls can impact a customer’s financial statements. Think payroll, claims, or payment processing companies. SOC 1 reports can assure customers that their financial information is being handled securely.