Core idea
SOC 1 reports focus on controls relevant to user entities' internal control over financial reporting. SOC 2 reports focus on trust services criteria such as security, availability, processing integrity, confidentiality, or privacy.
ISC topic guide
SOC 1 vs SOC 2 for ISC CPA candidates.
SOC 1 and SOC 2 questions are mostly about purpose. The right report depends on the risk, user, control objective, and what the report is meant to support.
Last reviewed June 5, 2026. World of Accountants is independent and not affiliated with the AICPA, NASBA, Becker, NINJA, UWorld, Gleim, or other CPA review providers.
What ISC likes to test
Expect report purpose, intended users, complementary user entity controls, Type 1 versus Type 2, scope, period covered, and whether the report fits the question's risk.
Common miss
Candidates often choose SOC 2 because it sounds more technical, even when the question is about financial reporting controls.
How to practice
Ask what the user needs evidence about: financial reporting controls point toward SOC 1; broader trust services criteria point toward SOC 2.
ISC topic guides
Keep going with related ISC topics.
Practice loop
Use the topic, then answer questions while the idea is fresh.
Short practice sets are enough to expose whether the rule is sticking.