In a SOC 2 report, a registered CPA audits a company’s security systems and provides their professional opinion as to whether the business is SOC 2 compliant. The typical SOC 2 report contains five sections – the most important of which is the auditor’s summary, in which the auditor renders their judgement as to whether the company passed or failed the audit.
There are two types of SOC 2 reports. A type I report attests to a company’s security at a specific point in time. A type II report, on the other hand, is based on at least six months of auditing, and describes a company’s ongoing security practices. Though it takes longer to compile, the type II report offers stronger proof a business is secure.
Once completed, a SOC 2 report is valid for one year. It’s not a one-and-done kind of deal, but a compliance standard that a company must live up to on an ongoing basis.
The SOC 2 Report: 5 Sections
Most SOC 2 reports include five sections. Let’s go over each of those in turn.
1. The Auditor’s Summary & Professional Opinion
The auditor begins by summarizing the scope of the report, outlining when the report was conducted and what systems they evaluated.
This summary is especially important because SOC 2 reports aren’t one-size-fits-all. Beyond the distinction between type I and type II reports, there are five trust services criteria a report might focus on:
- Security describes a company’s ability to protect data and systems from unauthorized access. It is the most commonly evaluated of all the trust services criteria.
- Availability refers to how much of the time the service performs as intended. This means that the service is not only usable, but meets the expectations a company sets in contracts with clientele. If it takes ten minutes to load the service, for instance, that may be considered an unacceptable level of availability, even if it is still technically usable.
- Processing integrity refers to the company’s ability to keep data from being manipulated or tampered with, and the service’s ability to function without errors or other mishaps.
- Confidentiality refers to the company’s ability to restrict access to and protect sensitive data.
- Privacy describes a company’s ability to protect personally identifiable information pertaining to their customers.
Though many companies will choose to focus their audit exclusively on security, others will focus on different trust services criteria, and many will audit for all five.
Alongside their summary, the auditor offers their professional opinion as to whether the company passed or failed the audit. This is the single most important part of the SOC 2 report; many clients won’t even read past the professional opinion. The auditor will show how they reached this conclusion later in the report, but it’s here that they deliver their verdict.
Alongside their verdict, the auditor may offer one of several descriptors:
- Unqualified: The company passed the SOC 2 audit without qualifications. “Unqualified” might sound scary, but this is the best outcome a business can hope for.
- Qualified: The company passed the SOC 2, but with some qualifications.
- Adverse: The company did not pass the SOC 2 audit.
- Disclaimer: The auditor did not have enough information to form a definite conclusion. You don’t want to pay for a SOC 2 audit just for it to be inconclusive, so you’ll want to be as forthcoming and helpful as possible to ensure they can render a judgement.
2. Management Assertion
In the next section, the company offers their own summary describing the scope of their report, as well as their existing security systems. This should be largely redundant with the auditor’s summary in the previous section, and that’s the point: the management assertion will show that both sides are in agreement regarding the fundamentals.
3. Service System Description
In this section, the auditor details what security policies and controls are in place at the company. They’re not evaluating or judging the security systems in this section. They’re simply describing the systems as they exist.
4. Tests of Controls
In this section, the evaluator goes into great detail on how they tested the company’s security systems. This is typically the longest section of a SOC 2 report: the auditor shows their work, making it clear exactly how they arrived at their professional opinion. Many auditors write this section in table format, going into line-item detail on each item they tested, how they tested it, and what result they arrived at.
This section often gets skimmed or skipped entirely when customers and other stakeholders read the report. They might give it a quick look to make sure the auditor did their work. Or, if there’s something specific they’d like to know about, they might flip to that specific item. Or they might not read it at all, instead placing their faith in the auditor’s professional opinion.
5. Additional Information
Auditors will often flag security concerns in their report, even if the company performed well enough overall to achieve SOC 2 compliance. At the end of the report, the company has a chance to respond to any concerns and explain to readers how they will address any issues going forward.
SOC 2 Report: Next Steps
Once the auditor finishes drafting their report, they pass it on to another independent CPA for review. Once that CPA has given their approval, the report becomes valid for one year.
SOC 2 is a compliance standard to which companies must hold themselves accountable on an ongoing basis. Because a type II report takes six to twelve months to complete and only remains valid for one year, it’s often time to begin work on the next report as soon as the previous one is finished.
For more information, see our full guide to SOC 2 compliance.