Key Takeaways

1. SOC 2 reports demonstrate proper IT and business controls and evaluate your adherence to an industry-recognized framework from the AICPA.

2. Components of a SOC 2 report include the Independent Auditor’s Report, Management Assertion, System Description, and details about controls and results of tests.

3. IS Partners assists companies in achieving credible SOC 2 compliance and a comprehensive report. 

What Is a SOC 2 Report?

A SOC 2 report is an attestation document that a company uses to show key stakeholders that they have proper IT and business controls in place to keep their services secure.

SOC 2 compliance is based on the organization’s adherence to: 1) the System Description Criteria (DC), and 2) the Trust Services Criteria (TSC), both of which are established by the AICPA.

Typically, the auditor will give you the report only after carefully checking how well your organization manages one or more Trust Services Categories that you’ve selected. The report will be issued once your control design and operating effectiveness of related controls are assessed.

This SOC 2 report becomes your main document to share with customers or other users to discuss security and risks. Moreover, it can be your greatest selling point when you are dealing with a large enterprise that wants to know that you have an adequate control system in place.


In fact, having a thorough SOC report can eliminate the need for customers to ask you to fill out security questionnaires. If you anticipate what customers might ask in those questionnaires, you can include all those details in the SOC report for the auditor to review and confirm.

Types of SOC 2 Report

There are two types of SOC 2 reports:

A SOC 2 Type I report gives a snapshot of your control system at a specific moment in time. It’s like asking, “Are you secure right now?” It’s useful for showing that your recent efforts to improve security meet industry standards.

A SOC 2 Type II report is more significant because it demonstrates compliance over time, typically covering a period of at least three months and up to a year. The auditor evaluates your compliance for the entire duration of the reporting period.

How Long is the SOC 2 Report Valid?

SOC 2 reports technically do not have an expiration date. However, the standard industry practice is that a SOC 2 report is typically valid for 12 months. Hence, if you’re pursuing SOC 2 for the long term, you need to get audited yearly for re-attestation.

This duration can be shorter in practice: a customer may request a new SOC 2 report after major events, such as a significant system update or a recent data breach. In such cases, a new report must be produced.

If a SOC 2 report is not yet available after the audit period has ended, the service organization can issue a SOC 2 bridge letter.

[Image: SOC 2 Report Validity fact]

What Does a SOC 2 Report Include? (SOC 2 Report Example Included)

To understand a SOC 2 report, you need to know what the document includes. We’ve broken down the components of a SOC 2 report example below:

  1. Independent Auditor’s Report
  2. Management Assertion
  3. System Description
  4. Other Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring Controls
  5. Information on Subservice Organizations
  6. Complementary User Entity Controls
  7. Independent Service Auditor’s Description of Tests of Controls and Results
  8. Additional Information Provided by the Independent Service Auditor

[Image: Major Components of a SOC 2 report]

1. Independent Auditor’s Report

The Auditor’s Report, also called an opinion letter, summarizes the auditor’s findings from the SOC 2 audit.

This is one of the SOC 2 report sections that tells you if there were any control deficiencies in the audit. It’s one of the most crucial parts of the report.

Here, the auditor gives their opinion on your SOC 2 compliance. The report also explains the system boundaries that were in scope, your responsibilities, and the auditor’s responsibilities. It also mentions any limitations in the assessment, such as human error or the circumvention of controls.

It usually includes one of four opinions:

  • Unqualified Opinion: Your controls meet SOC 2 standards.
  • Qualified Opinion: Some controls need improvement.
  • Adverse Opinion: Your controls don’t meet SOC 2 standards.
  • Disclaimer of Opinion: The auditor didn’t have enough information to form an opinion.

For example, look at the image below:

[Image: SOC 2 Report Auditor Report]

The first passage outlines the examination of XYZ Company’s Cloud Solutions Systems. The examination assessed whether the company’s controls met service commitments and system requirements associated with security, availability, and confidentiality. It also considered controls used by subservice organizations.

Below is an example of an Unqualified Opinion, which means your controls operated effectively and met SOC 2 standards.

[Image: Unqualified Opinion in a SOC 2 report]

2. Management Assertion

Basically, the management assertion in a SOC 2 report is a formal statement from the company’s management. 

Think of it as the company affirming its system description and other components of the auditor’s report.

Below is an example of the assertion where client management confirms the control design and operating effectiveness from November 1st, 2022 to October 31st, 2023.

[Image: Management Assertion in a SOC 2 report]

3. System Description

The system description gives a thorough look at the system being audited. It covers the system components in scope, the processes and controls that support the system, and any incidents that occurred within the system.

The system description will help anyone understand the internal controls you’ve set up.

For example, take a look at the image below to understand how the system description is presented and what types of controls are included in the system.

[Image: System Description in a SOC 2 report]

4. Other Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring Controls

The service organization is ultimately in charge of describing its system, including what it does, how it’s set up, and how its controls work. Additionally, the service organization must describe the internal control framework (e.g., COSO, ISO 27001, HITRUST) that it follows for organizational integrity.

[Image: Control Environment in a SOC 2 Report]

The auditor may provide input to this section, and then the organization checks to ensure that it is complete and accurate. 


5. Information on Subservice Organizations

When a vendor’s services are important for understanding the service organization’s system, that vendor is called a subservice organization.

The vendor’s and service organization’s controls should ensure that the system requirements and service commitments are met.

The SOC 2 report includes details about how the subservice organizations affect the trust services criteria and outlines the controls that are expected to be implemented at these organizations to meet those criteria.

[Image: Information on Subservice Organizations in a SOC 2 report]

6. Complementary User Entity Controls

Complementary User Entity Controls (CUECs) are controls implemented by customers that a service organization might need to rely on for customers to use the service organization’s services. If CUECs are deemed necessary, then they are mentioned in the description of the service organization’s system, as seen in the screenshot below.

[Image: Complementary User Entity Controls in a SOC 2 report]

7. Independent Service Auditor’s Description of Tests of Controls and Results

This part of the report outlines all of the tests conducted during the audit and their outcomes, making it a key section. It provides the details that support the auditor’s opinion discussed earlier.

In this section, you’ll find:

  • The controls relevant to the TSCs
  • Details about the tests performed by the auditor
  • The results obtained from these tests

[Image: Tests of Controls in a SOC 2 report]

The independent service auditor’s report delineates the procedures undertaken to evaluate controls and their outcomes. It includes the testing protocols employed and the resultant findings, which may include any deviations or control deficiencies, as shown in the screenshot above. 

8. Additional Information Provided by the Independent Service Auditor

This last section is optional at the client’s discretion and contains extra information that is not previously described in the report.

[Image: Additional Information in a SOC 2 report]

If control exceptions were noted by the auditor, this section will help explain how management responded to these exceptions. It also mentions other relevant information that users of the report should know, like details about a recent company takeover.


How to Share a SOC 2 Report

The SOC 2 report is designed for limited use, meaning that it is not meant for public sharing. This is because it contains detailed information about your company’s systems and controls, which could be sensitive and proprietary. 

Publishing this report could expose your organization to competitors or individuals with malicious intent. Therefore, keeping the report confidential is best to protect your company’s security and privacy.

When you want to share a SOC 2 report, you can share it with current and potential customers, business partners, regulators, and CPAs who serve these parties. However, always remember to do so under a Non-Disclosure Agreement (NDA). 

If your Terms of Service include a confidentiality clause, existing customers might not need to sign another NDA. But it’s good to remind them that the report is confidential. 

Get a SOC 2 Report with IS Partners

Now that you know the process behind what auditors do in a SOC 2 audit, it may all seem daunting and unachievable. However, we at IS Partners are built for this and have successfully helped thousands of companies obtain SOC 2 compliance.

Simply put, IS Partners, LLC is a Certified Public Accounting firm registered with the AICPA and PCAOB (Public Company Accounting Oversight Board). Our experienced partners have wide expertise in conducting SOC audits.

Contact us today to learn more and begin your path to SOC 2 compliance!
