SOC Reports for CPA ISC: Scope, Report Type, and Subservice Organizations
Summary
SOC questions become manageable when you start with the report user's need. A service organization may process payroll, host customer data, run a claims platform, or provide a cloud application. The CPA exam question usually asks which controls matter, who relies on them, and what period the report covers.
The core decision is simple:
- SOC 1: controls relevant to user entities' internal control over financial reporting.
- SOC 2: controls over systems measured against Trust Services Criteria.
- SOC 3: a general-use report with less detailed control and testing information.
After that, classify the report as Type 1 or Type 2 and watch for user entity and subservice organization controls.
SOC Report Decision Map
SOC 1, SOC 2, and SOC 3
SOC 1
A SOC 1 report is aimed at controls that are relevant to user entities' financial statement audits. If a service organization processes payroll, loan servicing, claims, billing, or transaction data that flows into a customer's financial statements, SOC 1 is usually the exam-safe direction.
Example: Lakeshore Payroll Services calculates gross pay, withholdings, employer taxes, and direct deposit files for client companies. User auditors may care whether Lakeshore's controls support the accuracy and completeness of payroll expense and payroll liabilities. That points to SOC 1.
SOC 2
A SOC 2 report addresses controls over a system using Trust Services Criteria such as security, availability, processing integrity, confidentiality, and privacy. The focus is not limited to user entities' financial reporting.
Example: Cobalt Cloud Vault stores encrypted customer documents for law firms and healthcare consultants. Customers want assurance over access controls, monitoring, incident response, and data confidentiality. That points to SOC 2.
SOC 3
A SOC 3 report is connected to the Trust Services Criteria but is intended for general use. It is shorter and does not provide the same detailed control descriptions and testing results that specified users receive in a SOC 2 report.
On exam questions, SOC 3 usually appears when the service organization wants a public-facing assurance signal rather than a restricted-use report with detailed procedures.
Type 1 Versus Type 2
The Type 1 and Type 2 distinction is about time and operating effectiveness.
Type 1
A Type 1 report addresses whether the system description is fairly presented and whether controls are suitably designed as of a specified date. It does not test whether controls operated effectively over a period.
Example: A new data-hosting platform went live on March 31. Management wants a report as of that date to show the control design. A Type 1 report may fit.
Type 2
A Type 2 report covers a specified period and also addresses operating effectiveness. The service auditor tests whether controls were in place and functioning throughout that period.
Example: A customer wants evidence that user access reviews were performed monthly from January through September. A Type 2 report is the better fit because it tests operation over time.
CUECs and CSOCs
Complementary User Entity Controls
Complementary user entity controls, or CUECs, are controls that the user entity must implement for the service organization's controls to achieve the stated objectives or criteria.
Example: A payroll processor may maintain strong system access controls, but the user entity may still need to approve new employees and review payroll exception reports. If the customer does not perform those user-side controls, the service organization's controls alone may not be enough.
The exam point: CUECs are not a flaw in the SOC report. They are a reminder that control responsibility is shared.
Complementary Subservice Organization Controls
Complementary subservice organization controls, or CSOCs, relate to vendors used by the service organization. A cloud application provider may rely on a separate hosting provider, payment processor, or identity-management platform.
When those vendor controls are necessary to meet the service organization's control objectives or Trust Services Criteria, the report must explain how they are handled.
Carve-Out Versus Inclusive Method
Carve-Out Method
Under the carve-out method, the subservice organization's controls are excluded from the service auditor's testing scope. The report describes the services performed by the subservice organization and identifies related CSOCs that are assumed to be in place.
Exam signal: the service auditor is not opining on the subservice organization's controls in the same report.
Inclusive Method
Under the inclusive method, the subservice organization's relevant controls are included in the description and in the service auditor's procedures. This creates a broader engagement scope because the report covers controls at both the service organization and the included subservice organization.
Exam signal: inclusive method means the subservice organization's controls are inside the report scope, not merely referenced as an assumption.
Worked Example
HarborLedger runs a subscription revenue platform for software companies. Its system calculates monthly usage fees, posts invoices, stores customer contract terms, and uses NovaHost for cloud infrastructure.
Management receives three customer requests:
- Customer A's external auditor wants assurance over billing controls that feed revenue.
- Customer B's security team wants assurance over access management and incident response.
- HarborLedger's sales team wants a public-facing report for prospects.
The likely mapping is:
- Customer A: SOC 1, because the controls affect financial reporting.
- Customer B: SOC 2, because the request focuses on Trust Services Criteria.
- Sales team: SOC 3, if a general-use report is appropriate.
If NovaHost controls are necessary for HarborLedger's commitments, management must decide whether to carve out NovaHost controls or include them. If carved out, users may need to evaluate NovaHost separately. If included, the service auditor's work extends to the relevant NovaHost controls.
Exam Framing
SOC questions reward classification discipline. First identify the subject matter. Then identify users and scope. Then handle timing and outside controls.
Use this order:
- Financial reporting relevance or Trust Services Criteria.
- Restricted/specified users or general-use audience.
- Type 1 design date or Type 2 operating period.
- CUECs at the user entity.
- CSOCs at subservice organizations.
- Carve-out or inclusive method.
The most common distractors confuse SOC 1 with SOC 2, treat Type 1 as operating effectiveness testing, ignore CUECs, or assume a service auditor always tests every vendor used by the service organization.