Explore fundamental terms and audit practices central to SOC 2 Type II compliance, focusing on controls, evidence, and best practices. This quiz will help you assess your understanding of terminology and core audit requirements.
What is a “control test” in a SOC 2 Type II audit?
Explanation: A control test involves the auditor examining samples of evidence to confirm that a control operated as intended during the audit period. The other options are not control tests; self-testing by the organization may help prepare, breach simulations are incident response activities, and employee training record reviews are specific to training controls, not control operation.
What does “population” mean in audit sampling for SOC 2?
Explanation: In auditing, the population is the complete set of instances or occurrences from which samples may be drawn for testing, such as every access change or deployment in the period. The other options misinterpret population as groups of people or vendors rather than the items from which samples are selected.
What is “evidence completeness” in a SOC 2 Type II audit?
Explanation: Evidence completeness refers to ensuring that all required evidence spans the entire audit period and nothing that should be included is missing. Collecting evidence only for a short timeframe, requiring management approval, or internal IT review are not definitions of evidence completeness.
Which is an example of “authentication control” evidence for a SOC 2 audit?
Explanation: Authentication control evidence includes documentation showing how login and access controls are enforced, such as SSO/MFA settings and screenshots of policies. The other options relate to separate controls, like vulnerability management, onboarding, and change management.
What is the purpose of “periodic policy review” in SOC 2 compliance?
Explanation: Periodic policy review ensures that security policies stay current with organizational needs and risks by requiring regular updates and approvals. Reducing audit frequency, eliminating consultants, or automating processes are unrelated to the purpose of reviewing policies periodically.
What does “evidence consistency” mean during a SOC 2 Type II audit?
Explanation: Evidence consistency indicates that the control was executed repeatedly in accordance with defined procedures, helping the auditor verify reliable operation. Changing evidence formats, differing approvers, or where the evidence happens to be stored do not reflect the concept of consistency.
What is “time-to-revoke access” and why do auditors care during a SOC 2 audit?
Explanation: Time-to-revoke measures how quickly access is terminated when someone leaves the organization or changes role; auditors care because delayed revocation increases exposure to unauthorized access. The other options misinterpret the term as password duration, review frequency, or training length.
What is considered a “security incident” in the context of SOC 2 compliance?
Explanation: A security incident includes any event with the potential to impact system or data security in terms of confidentiality, integrity, or availability. Scheduled upgrades, maintenance, and employee onboarding are not classified as security incidents.
What does “availability SLA/SLO” relate to in SOC 2 audits?
Explanation: Availability SLAs/SLOs represent the organization’s commitments to customers about service uptime and performance. Encryption, background checks, and tax deadlines are unrelated to the definition of SLAs or SLOs in this context.
What is “configuration management” evidence usually about in SOC 2 Type II audits?
Explanation: Configuration management evidence focuses on maintaining secure, authorized settings and properly recording any configuration changes. This is distinct from documenting office locations, payroll, or customer surveys, which are not related to configuration controls.