What is a SOC 2 report?
A SOC 2 report includes the following sections:
This section summarizes the claims company management has made about their security controls. It also describes, in management’s view, whether the organization’s systems satisfy the Trust Services Criteria included in the audit.
Independent Service Auditor’s Report
This section includes the auditor’s opinion about how the organization’s controls perform against the Trust Services Criteria (TSC) selected. An “unqualified opinion” indicates the company is fully compliant and the auditor didn’t find anything that would qualify that assertion. A “qualified opinion” means the company is nearly fully compliant, but a few areas may need improvement. An “adverse opinion” means security controls are insufficient in one or more significant areas. A “disclaimer of opinion” means the auditor doesn’t have enough information to support any of the other opinions.
This section explains what your organization does, including industry, location, and technical infrastructure. It also summarizes the security controls that have been implemented.
This section defines the people, policies, processes, software, data, and technology that comprise the organization, as well as any third parties to which functions are outsourced.
Relevant Aspects of the Control Environment
This section details your internal controls relating to information systems, risk assessment and management, and monitoring.
Complementary User-Entity Controls
CUECs, also known as User Control Considerations (UCCs), are controls that organizations depend on their customers to implement, such as removing access for former employees.
Complementary Subservice Organization Controls
Similar to CUECs, these are controls that the organization relies on its supporting vendors (subservice organizations), such as data processing services, to implement.
Trust Services Criteria, Criteria Related Controls, and Tests of Controls
This section lists every security control in place and the results of the tests the auditor ran against those controls.
This section contains any additional information provided by the organization that the auditor didn’t use or deemed irrelevant to the audit.