SOC 2 Type II Essentials: Easy Compliance Concepts Quiz

Discover key SOC 2 Type II compliance terms and practices, including controls, audit evidence, access management, and vendor due diligence. This quiz is designed for those seeking a simple yet thorough understanding of SOC 2 fundamentals.

  1. Role of Control Owner

    What is a “control owner” responsible for during a SOC 2 Type II audit?

    1. Setting audit deadlines
    2. Drafting audit reports
    3. Interviewing all employees
    4. Ensuring the control is performed on time and evidence is available

    Explanation: A control owner is responsible for making sure the assigned control operates as designed and that supporting evidence is available for audit review. Drafting reports and interviewing employees are typically handled by auditors or managers. Setting audit deadlines is a project management activity, not the core responsibility of a control owner.

  2. Audit Readiness

    What is “audit readiness” in simple terms?

    1. Delaying control performance until requested
    2. Having documented controls and consistent evidence prepared before the audit starts
    3. Delivering last-minute evidence to auditors
    4. Giving access to all files during the audit

    Explanation: Audit readiness means being fully prepared with documented controls and evidence ahead of time, making the audit process smoother. Delivering evidence late or delaying controls does not help readiness, while unrestricted file access may not be secure or necessary.

  3. Audit Walkthroughs

    What is a “walkthrough” in an audit?

    1. Testing all systems for vulnerabilities
    2. Updating passwords during the audit
    3. Sending reminders to control owners
    4. Demonstrating a process step-by-step to show how a control works

    Explanation: An audit walkthrough involves showing the auditor each step of a process to prove a control is operating. It is not about system testing, password updates, or administrative reminders, which are unrelated to walkthroughs.

  4. Understanding Audit Trail

    What is an “audit trail” in SOC 2 compliance?

    1. A list of completed audits
    2. A report of financial transactions
    3. A record showing who did what, when, and what changed
    4. A schedule of planned audits

    Explanation: An audit trail tracks system or process activity to provide transparency and accountability. Completed audits and audit schedules are documentation, not audit trails, and financial reports serve a different purpose.

  5. Approval Evidence in Controls

    Why do auditors ask for “approval evidence” in access and change controls?

    1. To monitor user productivity
    2. To identify data entry errors
    3. To ensure passwords are strong
    4. To confirm actions were authorized before being executed

    Explanation: Auditors review approval evidence to verify that changes or access were properly authorized to prevent unauthorized activity. Productivity, password strength, and data accuracy are not the main reasons approval evidence is collected.

  6. Joiner-Mover-Leaver (JML)

    What is “joiner-mover-leaver (JML)” related to in SOC 2 compliance?

    1. Managing access when employees join, change roles, or leave
    2. Reviewing external vendors
    3. Conducting security training
    4. Calculating payroll

    Explanation: JML ensures user access is appropriately provisioned and deprovisioned during employee lifecycle changes. Payroll, training, and vendor evaluation are separate compliance activities not covered by JML processes.

  7. Centralized Identity

    What does “centralized identity” mean, and why is it useful?

    1. Allowing users to pick any authentication method they prefer
    2. One system to manage users/login (like SSO), improving consistent access control
    3. Storing all employee data on one laptop
    4. Using passwords that never expire

    Explanation: Centralized identity, such as Single Sign-On, allows user management from one platform, making access consistent and more secure. Password policies and data storage are different topics, and letting users pick any method can undermine consistency.

  8. Key Rotation

    What is “key rotation” and why is it relevant for SOC 2?

    1. Renaming user accounts each month
    2. Regularly changing encryption keys/secrets to reduce risk if a key is exposed
    3. Deleting old emails regularly
    4. Moving files to external drives after six months

    Explanation: Key rotation is about shifting to new cryptographic keys to minimize risks if older keys are compromised. Account renaming, email deletion, and data storage practices are not related to key rotation.

  9. Data Classification Basics

    What is “data classification” in the context of SOC 2 compliance?

    1. Storing files in alphabetical order
    2. Analyzing customer data to predict sales
    3. Encoding files before sending them
    4. Labeling data types (public, internal, confidential) to apply correct protections

    Explanation: Data classification involves assigning sensitivity labels to data so that suitable controls are applied to each category. Sales prediction, encoding files, and alphabetical filing are not what data classification is meant to achieve.

  10. Vendor Due Diligence

    What is the goal of “vendor due diligence” for SOC 2 compliance?

    1. To evaluate employee satisfaction
    2. To reduce office expenses
    3. To automate billing with vendors
    4. To verify third-party providers meet security expectations before using them

    Explanation: Vendor due diligence is performed to ensure outside providers follow security requirements before relying on their services. Expense reduction, employee morale, and billing are unrelated to the compliance goals of vendor assessment.