A SOC 2 report (Service Organization Control report 2) focuses on the controls a company uses to protect customer data, as well as the operational effectiveness of those controls. A SOC 2 report should not be confused with a SOC 1 report, which focuses on a company’s financial reporting, nor should it be confused with a SOC 3 report, which has similar output to a SOC 2 report but in more natural language. This blog post will focus on the SOC 2 report and an overview of its seven main components.
The SOC 2 report itself is based in five Trust Service Principles as defined by the AICPA (American Institute of CPAs):
- Security - provides customer assurance that their data is secured against unauthorized access
- Availability - assures that the systems needed to store and process data will be available for use
- Processing integrity - requires the processing of data to be accurate and complete
- Confidentiality - ensures information labeled sensitive/confidential is protected as such
You have some flexibility as far as which principles to adhere to, unlike HIPAA compliance or PCI-DSS, which have more rigid requirements. And because each SOC 2 audit can have different criteria, each SOC 2 report is different - and therefore yours will be unique to your organization.
Once you have been through the SOC 2 audit, the CPA (Certified Public Accountant) will write the final SOC 2 report. This can take 1-5 weeks, but a 2-4 week turnaround is average. The timing depends on the firm, the scope of your assessment, the large amount of audit evidence that requires review, and a volume of tasks required to meet strict AICPA (American Institute of CPAs) standards.
When the report is issued, it will be broken down into seven sections:
In this section, the auditor will determine as to whether your description of the system you provide as a service to customers is fairly represented in the audit report. Specifically, the description is measured against the Trust Services Principles.
Independent Service Auditor’s Report
This section summarizes the auditor’s opinion of how effective your controls are when mapped to the Trust Services Criteria.
In this section, a background on the service organization is provided, including a description and purpose of the system in scope, as well as the company’s physical location and industry.
This section provides detailed descriptions of the people, policies, software, processes, and data used by the organization. If you use a third-party hosting provider for your data center needs, this infrastructure section would provide information about that provider such as the physical location, area square footage, and status of any SOC audits the provider is pursuing or has completed. Additionally, this section gives a high-level overview of the technologies used in the environment, such as the virtualization software, networking hardware, database types, backup configuration, and system redundancy.
Relevant Aspects of the Control Environment
In this section, the auditor will report on your control environment, information/communication systems, risk assessment processes and monitoring of controls.
Complementary User-Entity Controls
This section provides a detailed description of how your controls are implemented.
Trust Services Principles, Criteria Related Controls, and Tests of Controls
This final section of the report details the controls you have in place, as well as the effectiveness of those controls when measured against the Trust Services Criteria.
It’s important to know that the SOC 2 audit does not grade as pass or fail. Your auditor provides an opinion on how your organization adheres to the Trust Service Principles in scope. And if the assessor’s opinion agrees with management’s assertion, you will receive what is called an unmodified (clean) opinion, essentially stating that you can be trusted as a service organization. You might also have some minor exceptions on some of your controls and still receive a “clean” report. But if there are more significant exceptions, such as failing to provide adequate evidence of a control or not following a control altogether, your audit may claim a qualified or adverse opinion. The desired result is to receive an opinion from the auditor stating that you can be trusted as a service organization.
Your SOC 2 report is now ready to share with your user entities, giving them confidence that your organization uses effective controls to process and protect their data.