SOC 2 Report Examples (Broken down into each section)

As cloud-hosted businesses, you must ensure secure the security of your customer’s data in your environment as well as with the vendors in your system. SOC 2, in this context, is a globally-accepted way to secure data, build trust, and unlock growth opportunities.

As business owners, it is, therefore, crucial that you understand what a SOC 2 report is, what it contains, and how it adds to your security posture. Read this article to get an overview of the different sections in a SOC 2 report with examples and what to look for and glean from it.

What is a SOC 2 Report?

A SOC 2 report is a detailed description of your SOC 2 audit. It is an evaluation by an independent certified auditor of whether your business provides a secure, available, confidential, and private solution to your customers. The auditor releases the report after examining your organization’s control over one or more of the Trust Services Criteria (that you have chosen). 

The SOC 2 report contains the auditor’s detailed opinion on the design and operating effectiveness of your internal controls. It is, in essence, a testimony to the strength of your infosec practices. It is meant to enable the report users (your customers and customer’s customer) to assess and address the risks that arise from their relationship with your organization.

What to look for in a SOC 2 Report Example?

Knowing what to look for in a SOC 2 report and what it means (to you and your customers) is vital. Here’s why: 

1) As a service provider, your SOC 2 report gives your customers and prospects a peek into your security practices. Therefore, you ought to decipher what the report says about your business’ security posture.

2) As a customer, your vendor’s SOC 2 report helps you evaluate their security risks and validate if they have the necessary security best practices in place to protect your information.

Read on to understand what to look for when receiving a SOC 2 report and where to find the technical details, security control configurations, and other information.

SOC 2 Report Example

The crux of the SOC 2 report lies in understanding whether a particular organization meets its audit criteria or not. The SOC report, therefore, provides detailed information about the audit, management perspectives, system description, tests of controls, and other relevant information. While all this can make the report quite intimidating, what with its reams of information in legal-speak, here’s a ready reckoner on the various sections of the report and what to look for in each of them.

A SOC 2 report example helps to evaluate whether your business provides a secure, confidential, and private solution to your customers.

Every SOC 2 report should have the 5 sections:

• Management Assertion
• Independent Service Auditor’s Report
• System Description
• Applicable Trust Services Criteria and Related Controls, Tests of Controls, and Results of Tests
• Other information provided by the Management

In most SOC 2 reports, you will find four sections and an optional fifth section.

Here’s a SOC 2 report example that showcases what each section includes:

Source: AICPA’s Illustrative Type 2 SOC 2 Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Sections of SOC 2 Report

The SOC 2 report is an information mine about the audited entity. It includes (but is not limited to) general information on the audited organization, the auditor’s opinion on the compliance assessment of the organization’s controls, and the description of the tests involved. The report also includes recommendations for improving security protocols when needed. 

Here’s a lowdown on each section and what it contains:

Section 1: Management Assertion

This section provides assertions, statements and facts as given by the audited organization and relates to their system(s) under audit. It’s written by the organization and is essentially the management acknowledging that the information provided is accurate and relevant. The section summarises the organization’s services, products, structures, systems and controls. It, however, doesn’t contain technical details. 

Here’s a gist of what this section contains:

1. Types of services provided
2. Components of systems – Infrastructure, System, People, Procedures and Data
3. Aspects of systems
4. How the systems capture and address significant events and conditions
5. Processes used to prepare and deliver reports
6. Any applicable Trust Service Criteria that are not being met by controls, with reasons as to why

Section 2: Independent Service Auditor’s Report

This section is much like your university grade card as it captures your auditor’s rating on your compliance. It shows whether or not you passed the assessment. It is, therefore, one of the most read and important sections of the report. 

In this section, the auditor shares their opinion on your SOC 2 audit readiness. It also includes a description of the scope of the audit, the organization’s responsibilities, the auditor’s responsibility and inherent limitations in the assessment, such as human error and circumvention of controls, to name a few. 

Here are the four types of auditor opinions and what they mean:   

• Unqualified – You pass with flying colours! 

An unqualified opinion means that the auditor did not find any issues during the audit. Every control tested was designed appropriately (Type 1 report) and operated effectively (Type 2 report).

• Qualified – Close, but not quite.

The auditor has some reservations as some areas require attention. But how bad is a qualified report? Well, it depends on the controls in question that failed and how they impact the report users.

• Adverse – You failed. 

An adverse opinion indicates that the organization materially failed one or more of the standards, and its controls and system isn’t reliable. 

• Disclaimer of Opinion – No comments!

This technically isn’t an opinion. It essentially means that the information provided wasn’t enough for the auditor to form an opinion. It happens when the auditors do not have access to the information they need or are unable to complete it neutrally.

Note that this section gives the overall status of the assessment alone. You won’t find details beyond that here. 

Here’s a SOC 2 audit report example that highlights the auditor’s opinion.

Source: AICPA’s Illustrative Type 2 SOC 2 Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Section 3: System Description

If management assertion was a brief overview of the organization’s system description, this section is a detailed deep dive. It’s a must-read section and covers the system(s), scope & requirements, components, controls, sub-service organizations and other systems information. 

It includes details of the human resources, roles and responsibilities and also features the list of system components and controls grouped with the relevant common criteria.

This section covers a detailed account of the control environment, control activities (policies and procedures), information and communication system, monitoring (to assess the quality of internal control performance through penetration testing and vulnerability scans), and risk assessment (the organization’s assessment of relevant risks and its management).

Some of the items in the system description would be:

Overview of services provided: It contains a brief overview of the services offered by the organization. Your customers will read here to ensure that the services they seek from you are covered in the compliance scope. You will also find service commitments and system requirements here. 

System components: You will find technical details such as where the organization (or its application) is hosted, tools used and access control here. For instance, if your business is hosted in AWS, you will need to give details about the AWS environment here. It will contain a detailed description of your infrastructure, software, people, procedures and data.

Control activities: A detailed description of the various control activities of the organization can be found here. From how the organization onboards new employees to how it keeps data secure through database protection, encryption and access, this is your go-to section for how the organization has designed its controls.

Not applicable trust services criteria specifics: If any specific criteria didn’t apply to the organization, they would be described here.

This section is critical for your customer to decide whether they trust you enough to conduct business with you. Invest time to read this section in your vendors’ SOC 2 report. 

Complementary User Entity Controls (CUECs) and Complementary Subservice Organizations Controls (CSOCs) are also included here. Any significant changes to the system during the period (Type 2 reports only) are also described here. For instance, a new acquisition, or a change in cloud service provider, to name a few. This section will also contain system incidents if the organization failed to meet its commitments. 

Section 4: Applicable Trust Services Criteria and Related Controls, Tests of Controls, and Results of Tests

This section details all the tests (and their results) performed during the audit and therefore is a critical section in the report. It gives the insights that explain the auditor’s opinion detailed in section 2.

This section includes (in a tabulated format) the following:

• Control Criteria
• Control Number
• Control Description from the Organization
• Test Description from the Auditor
• Test Results

Source: AICPA’s Illustrative Type 2 SOC 2 Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Difference between SOC 2 Type 1 and SOC 2 Type 2 Report

While the first three sections of the report will be the same for both SOC 2 Type 1 and SOC 2 Type 2 reports, this section would be significantly different. 

In a Type 1 report, this section will feature the list of all the controls tested during the audit. It won’t feature the auditor tests or the results of tests. This is because Type 1 assesses the design of the controls at a point in time. 

In a Type 2 report, you will find the controls list, auditor’s tests and the test results for each listed control. This section (for a Type 2 report) will also showcase exceptions or deviations noted by the auditor. 

Source: AICPA’s Information for Service Organization Management report

Section 5: Other information provided by the Management

This section is optional and details management’s response to any deviations or exceptions highlighted by the auditor in Section 4 by giving more context and information about the exceptions. For instance, if one of the exceptions noted by the auditor was that some of the new hires didn’t undergo background verification, the management can acknowledge the same here and cite reasons why and propose ways to ensure such misses don’t repeat. 

This section also contains information on the organization’s future plans that can have a bearing on its control environment and system(s). 

Become SOC 2 Compliant the Smart Way 

SOC 2 compliance can appear daunting and intensive at first. But it needn’t be. With Sprinto, your audit journey is a well-thought-out and detailed process during which we help define the controls and checks, and automate it all with our easy-to-use and intuitive platform. Sprinto replaces all the manual, error-prone, repetitive busy work with automation. 

To learn more about how Sprinto can help you sail through your SOC 2 journey, book a demo here.