CISA QUESTION #6852
Question 1
In evaluating a cloud service provider, an auditor finds the provider has SOC 2 Type I certification but no Type II certification. What is the PRIMARY limitation of Type I certification?
  • Incomplete audit scope
  • Type I only evaluates control design at a point in time, not operating effectiveness over time ✔️
  • Lower assurance level
  • Shorter audit period
Correct Answer Explanation
SOC 2 Type I reports evaluate whether controls are suitably designed at a specific point in time. Type II reports test whether controls operated effectively over a period (usually 6-12 months). Type I provides significantly less assurance because well-designed controls might not be consistently implemented or effective in practice.