How to review a SOC 2 report?
If your organization is undergoing a SOC 2 audit, there are specific things you should know to look for when reviewing the report. These include the auditor’s opinion, the complementary user entity controls (CUECs), any points of non-compliance, and the deviations noted by the auditor together with management’s responses to them.
Now, here is how you can review a SOC 2 report so that you leave no stone unturned!
To read a SOC 2 report effectively, follow these steps:
- Cover page: The cover page contains valuable information about the report, including the type of SOC 2 report, the dates covered, and the relevant TSC categories.
- Type of SOC 2 report: Two types of SOC 2 reports are Type 1 and Type 2. Type 1 confirms compliance with SOC 2 at a specific time, while Type 2 covers compliance for 6 or 12 months.
- Trust Services Criteria: SOC 2 reports have 5 trust services criteria: Security (required) and optional ones like Availability, Processing Integrity, Confidentiality, and Privacy. Make sure the criteria align with the vendor’s product offering.
- Management’s assertion: This section states that your company’s management claims that its services and compliance fulfill the requirements for the TSC categories.
- Auditing firm: Pay attention to the reputation of the auditing firm. A well-known firm will probably conduct a thorough audit.
- Description of system/services: This section is the bulk of the SOC 2 report and the one you should focus on the most. It has a detailed system overview, including architecture, controls, and implementation.
- Independent service auditor’s report: This section includes the auditor’s opinion on your SOC 2 compliance. An unqualified report is good, indicating compliance, while a qualified report means non-compliance and should be a red flag.
- Complementary user entity controls (CUEC): Note the policies and controls customers must implement when using the system, such as multi-factor authentication and single sign-on.
- Complementary subservice organization controls (CSOC): Subservice organizations may have their own responsibilities for certain controls. Make sure you understand which controls fall under subservice responsibility.
- Shared responsibility: If present, this section explains where responsibility for certain controls is shared between the vendor, customer, and/or subservice provider. Understand your organization’s responsibilities for control effectiveness.