Understanding the structure of a SOC 2 report is essential for both businesses and service providers who are thinking ahead to their audit and attestation. It serves as the "story" of an organization's SOC 2 journey, covering the evaluation of its adherence to the Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy.
In this blog post, we will provide an overview of the standard structure of a SOC 2 report, encompassing its various sections and the information included in each of these segments.
What Is the SOC 2 Report?
A SOC 2 report demonstrates an organization's adherence to one or more of the Trust Services Criteria outlined by the American Institute of Certified Public Accountants (AICPA):
- Security: This criterion requires that the organization protect its system against unauthorized access. It is always required, no matter which other criteria are included in the report.
- Availability: This criterion requires that the organization's system and data are available for operation and use as committed or agreed to by the service organization.
- Processing Integrity: This criterion requires that system processing is "complete, accurate, timely, and authorized." The system does not corrupt, damage, or provide out-of-date information.
- Confidentiality: This criterion requires the organization to protect the confidentiality of users' data and identities throughout the processing it performs to meet its commitments.
- Privacy: This criterion requires that Personally Identifiable Information (PII) remains private.
Additionally, there are two types of reports in the SOC 2 standard:
- Type I: A Type I report evaluates the design of an organization’s controls at a specific point in time.
- Type II: A Type II report evaluates an organization’s controls over a period of time, typically six to twelve months.
While the distinction between the two report types affects how the auditor assesses the controls, it does not change the core function of the report itself.
What Are the Five Sections of a SOC 2 Report?
There are five distinct sections of the SOC 2 report, only four of which are required:
Report From the Auditor
The report from the auditor section provides customers with an evaluation of the effectiveness of the organization's controls in meeting the Trust Services Criteria. The auditor issues one of four opinions on the system overall, whose names are somewhat unintuitive:
- Unqualified: The system meets the assessment requirements without qualification (no errors or gaps were found). This is the result an organization wants.
- Qualified: The organization has met most of its requirements, but some areas need improvement, either in control design or in implementation. This is an invitation to correct the issues and maintain SOC 2 attestation.
- Adverse: The organization did not pass its audit.
- Disclaimer: Insufficient information was provided to complete the audit, so the auditor cannot express an opinion.
Management's Assertion
In the management's assertion, the organization's management makes certain assertions, or binding claims, about its systems and how they meet the TSC requirements. Specifically, these assertions include:
- Management asserts that it has fairly represented the organization's systems to the auditor as part of the evaluation.
- Management asserts that the control objectives were implemented within that system as of a specific date (for Type I reports) or throughout a date range (for Type II reports).
- Management states the criteria it used in making the previous assertions.
This section briefly summarizes these assertions; the following section provides the details. The auditor reviews the organization's description of its controls and evaluates whether the controls are designed to meet the TSC requirements.
System Description
As the name suggests, the system description describes the organization's systems undergoing the SOC 2 assessment. The organization typically completes this section following the overview and assertions of Section 2.
The system description typically includes references to any of the following components:
- Software: Information on the software the organization uses to support its services, including the type of software, version numbers, and any customization or configuration settings.
- Personnel: The employees involved with the assessed system, including their roles and responsibilities, training, and access privileges.
- Data: The types of data processed by the service organization's system, including its sources, its types (for example, PII), and the data flows throughout the system.
- Administration: The organization's policies and procedures for managing risk and ensuring compliance.
This section also maps the TSC onto your controls, placing each control in whichever of the five criteria it supports.
Description of Criteria
This section is the meat of the report, providing control evaluations for all relevant components. Formatted as an extensive table, it serves as an assessment index.
Note that this section looks slightly different depending on the report type. Because a Type I report focuses only on a specific moment in time, the auditor attests to the soundness of control design and implementation without providing test results.
In a Type II report, however, the auditor provides the results of their tests (usually conducted on-premises over the six-plus months of the audit period) in this section.
Other Information
This optional final section is a grab-bag for any additional information that is needed. It can include the auditor's discussion of audit gaps, or any exceptions or notes the organization adds in response to the test results.
Why Get a SOC 2 Report?
SOC 2 attestation provides several benefits for both organizations and their customers. Some of these benefits include:
- Customer Confidence: SOC 2 attestation gives customers an authentic, independently verified report showing that the service organization takes steps to protect data security and integrity across the board. This is also a serious competitive advantage over organizations without attestation.
- Compliance: SOC 2 attestation can be a first step toward a wider compliance program. While SOC 2 isn't required by law, it can serve as a stepping stone to government regulatory frameworks like HIPAA or FISMA, and it can reduce the audit burden for those other requirements.
- Focus on Risk: SOC 2 attestation can help an organization identify and mitigate risks, especially if it has never worked through risk categories before.
Set Yourself Up for Success in SOC 2 Compliance with Continuum GRC
We aren't just a compliance tool; we are a top-to-bottom operation of security experts building the next level of cloud security tools. The Continuum GRC platform can support serious audits under numerous frameworks like SOC 2. More importantly, we help foreground risk management to ensure you are more than compliant... you are secure.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.