SOC 1 Type 2 Report: Which Control Deficiencies Should User Auditors Include?

The correct answer is C Only those control deficiencies that are related to relevant subservice organization controls.

Here's why:

• User auditors focus on how control deficiencies at the service organization impact the user entity's financial reporting. * Relevant subservice organization controls are those that directly relate to the services provided to the user entity and impact the user entity's financial statements.

Therefore, user auditors should only include control deficiencies in their summary that are both:

1. Identified in the SOC 1 Type 2 report as related to subservice organization controls.2. Deemed relevant to the user entity's audit and financial reporting.