
Module 66: Audit Reports and Compliance (SOC, SSAE)

CCSP Domain 6 — Legal, Risk & Compliance, Section B
The CCSP exam expects you to evaluate audit reports, not just accept them. When the exam shows you a SOC report scenario, it is testing whether you understand the report type, the trust services criteria, the period covered, and the limitations — not just whether the report exists.

SOC Reports — The Cloud Standard

Service Organization Control reports are the dominant audit evidence mechanism in cloud computing. The CCSP exam heavily tests SOC report types and their appropriate use. Understanding the distinctions between SOC 1, SOC 2, and SOC 3 is essential for exam success.

SOC Report Types

SOC 1 (SSAE 18 / ISAE 3402)

SOC 1 reports focus on controls relevant to financial reporting. If you use a cloud service that processes financial transactions, SOC 1 reports verify that the provider's controls will not introduce errors into your financial statements. The exam tests when SOC 1 is appropriate: financial processing services, payroll services, and other services that directly impact financial reporting.

SOC 2

SOC 2 reports focus on trust services criteria: security, availability, processing integrity, confidentiality, and privacy. This is the most relevant report type for cloud security. The exam tests SOC 2 extensively:

  • Type I: Evaluates the design of controls at a specific point in time. The auditor verifies that controls are suitably designed but does not test whether they operated effectively over time.
  • Type II: Evaluates the design and operating effectiveness of controls over a period (typically 6-12 months). This provides stronger assurance because it demonstrates controls worked consistently, not just that they existed at one moment.

Exam trap: The exam frequently tests the distinction between Type I and Type II. If a question asks for assurance that controls operated effectively over time, Type II is the answer. If it asks only whether controls are designed appropriately, Type I suffices. Type II is almost always the preferred option for cloud provider evaluation.

SOC 3

SOC 3 is a general-use report based on the same criteria as SOC 2 but with less detail. It can be distributed publicly (on websites, marketing materials). The exam tests that SOC 3 provides less detail than SOC 2 and is insufficient for detailed security evaluation — it is useful for general assurance but not for audit or compliance purposes.

Trust Services Criteria

SOC 2 reports cover one or more trust services criteria. The exam tests what each criterion covers:

  • Security (Common Criteria): Protection against unauthorized access. Required in every SOC 2 report.
  • Availability: System accessibility as agreed in SLAs.
  • Processing Integrity: System processing is complete, valid, accurate, and timely.
  • Confidentiality: Information designated as confidential is protected.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of appropriately.

The exam tests whether you match the required trust services criteria to your use case. A healthcare company processing patient data should require security, availability, and privacy criteria at minimum.

SSAE and ISAE Standards

SOC reports are issued under attestation standards. In the US, SSAE 18 (Statement on Standards for Attestation Engagements) governs SOC engagements. Internationally, ISAE 3402 (International Standard on Assurance Engagements) serves the same purpose. The exam tests that these are the professional standards auditors follow, not the report types themselves.

Reading SOC Reports

The exam expects you to critically evaluate SOC reports:

  • Period coverage: What dates does the report cover? Is there a gap between the report end date and today?
  • Scope: Which services are covered? Your specific cloud service may or may not be in scope.
  • Exceptions: Were any control deficiencies noted? The exam tests whether you investigate exceptions rather than ignoring them.
  • Subservice organizations: Were subcontractors included or carved out?
  • Complementary user entity controls: What controls must the customer implement for the provider's controls to be effective?

Other Compliance Frameworks

  • CSA STAR: The Cloud Security Alliance Security, Trust, Assurance, and Risk registry provides cloud-specific assessments at three levels: self-assessment, third-party audit, and continuous monitoring.
  • ISO 27001: The international information security management system standard with certification. The exam tests whether ISO 27001 certification covers the specific cloud services you use.
  • FedRAMP: US government cloud security authorization program. The exam tests that FedRAMP is required for cloud services used by US federal agencies.

Common Exam Traps

  • SOC 1 for security: SOC 1 covers financial reporting controls, not security. For cloud security assurance, SOC 2 is correct.
  • Type I as sufficient: Type I shows design at a point in time. The exam nearly always prefers Type II for cloud evaluation.
  • Ignoring complementary controls: SOC reports often require the customer to implement certain controls. If the customer does not implement them, the provider's controls alone may be insufficient.
  • Report age: A SOC 2 report from 18 months ago has a significant gap. Controls may have changed.
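As an added example (not part of this module), the Python checker below applies the reading checklist and the exam traps above, plus the criteria-to-use-case rule from the Trust Services Criteria section, to one report record. The report metadata, service names, control names and the 12-month age threshold are constructed assumptions, not values from any real provider's report.

```python
from dataclasses import dataclass
from datetime import date
@dataclass
class SocReport:  # metadata pulled from a SOC report (constructed for this example)
    soc_type: str           # "SOC 1", "SOC 2" or "SOC 3"
    report_type: str        # "Type I" or "Type II"
    criteria: set           # trust services criteria the report covers
    period_end: date        # last day of the examination period
    in_scope_services: set  # services the auditor actually examined
    exceptions: int         # control deficiencies noted by the auditor
    carved_out: set         # subservice organizations excluded from the report
    cuecs: dict             # complementary user entity control -> implemented by us?

def months_since(period_end, as_of):
    """Whole months between the end of the examination period and the review date."""
    return (as_of.year - period_end.year) * 12 + as_of.month - period_end.month

def evaluate_report(report, service, required_criteria, as_of, max_age_months=12):
    """Apply the reading checklist; an empty list means the report supports the use case."""
    if report.soc_type != "SOC 2":  # SOC 1 is financial reporting, SOC 3 lacks detail
        return [f"{report.soc_type} does not give detailed security assurance; require SOC 2"]
    findings = []
    if report.report_type != "Type II":
        findings.append("Type I covers design only; require Type II for operating effectiveness")
    missing = (set(required_criteria) | {"security"}) - report.criteria  # security is always required
    if missing:
        findings.append("missing criteria: " + ", ".join(sorted(missing)))
    age = months_since(report.period_end, as_of)
    if age > max_age_months:
        findings.append(f"period ended {age} months ago; request a bridge letter or a newer report")
    if service not in report.in_scope_services:
        findings.append(f"service {service!r} is not in scope")
    if report.exceptions:
        findings.append(f"{report.exceptions} exception(s) noted; review each before relying on the report")
    if report.carved_out:
        findings.append("carved-out subservice organizations need their own reports: " + ", ".join(sorted(report.carved_out)))
    not_done = sorted(name for name, done in report.cuecs.items() if not done)
    if not_done:
        findings.append("unimplemented complementary user entity controls: " + ", ".join(not_done))
    return findings

# Constructed sample: healthcare workload on the provider's "compute" service, so security, availability and privacy are required.
AS_OF = date(2024, 12, 31)
SAMPLE = SocReport("SOC 2", "Type II", {"security", "availability"}, date(2023, 6, 30),
                   {"object-storage", "compute"}, 1, {"colocation-provider"},
                   {"enforce MFA for tenant admins": True, "forward audit logs to the SIEM": False})

def sample_findings():
    return evaluate_report(SAMPLE, "compute", {"availability", "privacy"}, AS_OF)
```

Running `sample_findings()` on the constructed record returns five findings: the missing privacy criterion, an 18-month-old period, one exception to review, a carved-out subservice organization, and one unimplemented complementary user entity control.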

Key Takeaways for the Exam

SOC 2 Type II is the gold standard for cloud security audit evidence. SOC 1 covers financial reporting, not security. SOC 3 is public but lacks detail. Trust services criteria should match your use case. Always check the report period, scope, exceptions, and carve-outs. Complementary user entity controls are your responsibility to implement. CSA STAR, ISO 27001, and FedRAMP provide additional assurance layers.
