Today, we’re going to break down a SOC 2 report example, so you know what to look for when yours arrives.
Service organizations and service auditors may organize and present information in a variety of formats, but this is a great snapshot of what to expect.
While this example report contains Trust Service Criteria (TSC) and Cloud Controls Matrix (CCM), most SOC 2 reports only contain TSC, and that’s what this blog will focus on.
What is a SOC 2 report?
System and Organization Controls 2 (SOC 2) is an attestation that evaluates your company’s ability to securely manage the data you collect from your customers and use during business operations. A certified public accountant (CPA) that you hire performs the audit. When it’s completed, you’ll receive the SOC 2 report.
When the audit is over, the report you receive feels a little like a choose-your-own-adventure book written in a foreign language. It’s full of technical jargon, and the content constantly references other passages, so you end up flipping pages to jog your memory. But if you understand the structure, it’s a little less intimidating.
Let’s start at the beginning.
SOC 2 section 1: Assertion of the management
The assertion provides the reader with the facts and assertions (statements) made by the service organization’s management about the system(s) under audit. This section is produced by your company as the service organization. It’s a summary of your product, services, and structure, and it lightly covers your IT systems, teams, and controls.
SOC 2 section 2: Independent service auditor’s report
If you’re one of those people who like to flip to the good parts in a book or read spoilers, this is the section you’re looking for. Your auditor divulges what they did over the stated time period and explains the scope. They also state whether you passed or failed your audit.
Kinds of opinions presented by the auditor in this section and what they mean:
While this does refer to the CCM, the SOC 2 report example above is an unqualified opinion. The auditor didn’t report any concerns, and this is what you hope to see! It would be worded in a similar manner for TSC.
But often, there’s room for improvement. Qualified or adverse opinions may look like:
[Source: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting Guide]
SOC 2 section 3: Description of your system
This is one of the most comprehensive and detailed sections in the report, written by your company as the service organization. It is an overview of the company being assessed and builds upon the items mentioned in section one. It encompasses the details of the system(s) being reported on: boundaries, infrastructure, controls, sub-service organizations, user entity controls, and other system information. Lists, charts, and graphics add another layer of data for readers to immerse themselves in. The risk assessment and Trust Service Criteria are also referenced and described in detail. Anything included in this section must be capable of being audited to meet the control objectives and receive a passing report.
Like section one, you may have already seen this content while you were putting information together to submit to your auditor.
SOC 2 section 4: Applicable trust service categories, criteria, related controls, tests of controls and results of tests
Section four is a great deal longer than section two but just as exciting because it shows the why behind your auditor’s opinion. For a SOC 2 Type 2, the objective of testing is to determine the operating effectiveness of the controls you specified in section three throughout your examination period. Testing provides reasonable, but not absolute, assurance that the specified controls operated effectively throughout the examination period.
This section includes:
The SOC 2 report example states, “The system is protected against unauthorized access (both physical and logical). The system is available for operation and use as committed or agreed.”
The statement reaffirms the auditor’s unqualified opinion from section two before breaking everything down into a detailed chart of tests and verifications completed by the auditor. The charts will vary from auditor to auditor. You’ll notice that the AICPA example report referenced above is pretty simple, but that’s not always the case. For instance, in our SOC 2 report, this section is broken out into six columns, and our chart spans 23 pages.
SOC 2 section 5: Organization information not covered by service auditor’s report
Remember those projects you could do for extra credit in school? Section five is optional and not tested by your auditor, but it looks good if you choose to include it.
It provides additional information about your organization’s future plans for new systems, or about key aspects of your control environment that are not covered by section three but that you would like to communicate to your customers. It won’t be subjected to the procedures applied in the examination. The SOC 2 report example omits section five for brevity, but it looks similar to the other sections: chock-full of text, charts, and tables.
Learn more about gaining compliance by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.