In a SOC 2 report, a registered CPA audits a company’s security systems and provides their professional opinion as to whether the business is SOC 2 compliant. The typical SOC 2 report contains five sections – the most important of which is the auditor’s summary, in which the auditor renders their judgement as to whether the company passed or failed the audit.
There are two types of SOC 2 reports. A type I report attests to a company’s security at a specific point in time. A type II report, on the other hand, is based on at least six months of auditing, and describes a company’s ongoing security practices. Though it takes longer to compile, the type II report offers stronger proof that a business is secure.
Once completed, a SOC 2 report is valid for one year. It’s not a one-and-done kind of deal, but a compliance standard that a company must live up to on an ongoing basis.
The SOC 2 Report: 5 Sections
Most SOC 2 reports include five sections. Let’s go over each of them in turn.
1. The Auditor’s Summary & Professional Opinion
The auditor begins by summarizing the scope of the report, outlining when the report was conducted and what systems they evaluated.
This summary is especially important because SOC 2 reports aren’t one-size-fits-all. Beyond the distinction between type I and type II reports, there are five trust services criteria a report might focus on:
- Security describes a company’s ability to protect data and systems from unauthorized access. It is the most commonly evaluated of all the trust services criteria.
- Availability entails how much of the time the service performs as intended. This means that the service is not only usable, but meets the expectations a company sets in contracts with clientele. If it takes ten minutes to load the service, for instance, that may be considered an unacceptable level of availability, even if it is still technically usable.
- Processing integrity refers to the company’s ability to keep data from being manipulated or tampered with, and the service’s ability to function without errors or other mishaps.
- Confidentiality refers to the company’s ability to restrict access to and protect sensitive data.
- Privacy describes a company’s ability to protect personally identifiable information pertaining to their customers.
Though many companies will choose to focus their audit exclusively on security, others will focus on different trust services criteria, and many will audit for all five.
Alongside their summary, the auditor offers their professional opinion as to whether the company passed or failed the audit. This is the single most important part of the SOC 2 report; many clients won’t even read past the professional opinion. The auditor will show how they reached this conclusion later in the report, but it’s here that they deliver their verdict.
Alongside their verdict, the auditor may offer one of several descriptors:
- Unqualified: The company passed the SOC 2 audit without qualifications. “Unqualified” might sound scary, but this is the best outcome a business can hope for.
- Qualified: The company passed the SOC 2, but with some qualifications.
- Adverse: The company did not pass the SOC 2 audit.
- Disclaimer: The auditor did not have enough information to form a definite conclusion. You don’t want to pay for a SOC 2 audit just for it to be inconclusive, so you’ll want to be as forthcoming and helpful as possible to ensure they can render a judgement.
2. Management Assertion
In the next section, the company offers its own summary describing the scope of the report, as well as its existing security systems. This should be largely redundant with the auditor’s summary in the previous section, and that’s the point: the management assertion shows that both sides are in agreement regarding the fundamentals.
3. Service System Description
In this section, the auditor details what security policies and controls are in place at the company. They’re not evaluating or judging the security systems in this section. They’re simply describing the systems as they exist.
4. Tests of Controls
In this section, the auditor goes into great detail on how they tested the company’s security systems. This is typically the longest section of a SOC 2 report: the auditor shows their work, making it clear exactly how they arrived at their professional opinion. Many auditors write this section in table format, going into line-item detail on each control they tested, how they tested it, and what result they arrived at.
This section often gets skimmed or skipped entirely when customers and other stakeholders read the report. They might give it a quick look to make sure the auditor did their work. Or, if there’s something specific they’d like to know about, they might flip to that specific item. Or they might not read it at all, instead placing their faith in the auditor’s professional opinion.
5. Additional Information
Auditors will often flag security concerns in their report, even if the company performed well enough overall to achieve SOC 2 compliance. At the end of the report, the company has a chance to respond to any concerns and explain to readers how they will address any issues going forward.
SOC 2 Report: Next Steps
Once the auditor finishes drafting their report, they pass it on to another independent CPA for review. Once that CPA has given their approval, the report becomes valid for one year.
SOC 2 is a compliance standard to which companies must hold themselves accountable on an ongoing basis. Because a type II report takes six to twelve months to complete and only remains valid for one year, it’s often time to begin work on the next report as soon as the previous one is finished.
For more information, see our full guide to SOC 2 compliance.