CCSP Exam: Types of Audits and Their Audiences

Question

Different types of audits are intended for different audiences, such as internal, external, regulatory, and so on.

Which of the following audits are considered "restricted use" versus being for a broader audience?

Answers

Explanations

A. B. C. D.

B.

SOC Type 1 reports are intended for restricted use, only to be seen by the actual service organization, its current clients, or its auditors.

These reports are not intended for wider or public distribution. SAS-70 audit reports have been deprecated and are no longer in use, and both the SOC Type 2 and 3 reports are designed to expand upon the SOC Type 1 reports and are for broader audiences.

Of the options provided, only SAS-70 is considered a "restricted use" audit.

SAS-70 (Statement on Auditing Standards No. 70) is a widely recognized auditing standard that was issued by the American Institute of Certified Public Accountants (AICPA) in 1992. It was replaced in 2011 by the Statement on Standards for Attestation Engagements (SSAE) No. 16. SAS-70 was primarily used to assess the internal controls of service organizations and was commonly used by auditors and regulators to evaluate the effectiveness of controls over financial reporting.

SAS-70 reports are considered "restricted use" because they are intended only for the service organization being audited and the auditor performing the audit. The reports cannot be distributed or shared with any other parties without the explicit permission of the service organization. This restriction was put in place to protect the confidentiality of the service organization's operations and internal controls.

In contrast, SOC (System and Organization Controls) reports are a newer standard that was introduced by the AICPA in 2011 to replace SAS-70. SOC reports are intended for a broader audience, including customers, regulators, and other stakeholders. There are three types of SOC reports: SOC 1, SOC 2, and SOC 3.

SOC 1 reports are used to evaluate the effectiveness of a service organization's internal controls over financial reporting, similar to the way that SAS-70 was used. SOC 2 reports are used to evaluate the effectiveness of a service organization's controls over security, availability, processing integrity, confidentiality, and privacy. SOC 3 reports are similar to SOC 2 reports, but they provide a more general overview of a service organization's controls and are intended for public distribution.

Of the options provided, SOC Type 1 and SOC Type 2 reports are both intended for a broad audience and are not considered "restricted use." SOC Type 1 reports provide an auditor's opinion on whether a service organization's controls are designed effectively to achieve the specified control objectives, while SOC Type 2 reports provide an auditor's opinion on the operating effectiveness of the controls over a period of time. SOC Type 3 reports are similar to SOC Type 2 reports, but they also include an evaluation of the effectiveness of the controls over a period of time.