It’s true that AICPA SOC 2 reports can include 100+ pages of detailed criteria and technical jargon. But while it’s not exactly a beach read, a SOC 2 report does have a clear and linear structure that makes it easy to navigate.
A SOC 2 report guides a reader through the results of an audit. It outlines a particular system and discusses whether that system meets the audit criteria.
This is why a SOC 2 report is so long. It typically covers:
- Detailed information about the purpose and scope of the audit
- Information about the system and internal controls
- The perspectives of company management and the auditor
What’s Included in a SOC 2 Report?
SOC 2 reports have five main sections:
1. Report from the auditor
This first section of a SOC 2 report is a summary of the audit. Short, sweet, and to the point, this section is written by the auditor. It provides a brief summary of the entire SOC examination, including the audit’s scope and time period and the auditor’s final opinion.
For many, this is the most important part of the report, since it usually says whether the service organization passed its audit. Here are the terms auditors use to describe the results:
- Unqualified: The company passed its audit.
- Qualified: The company passed, but some areas require attention.
- Adverse: The company failed its audit.
- Disclaimer of Opinion: The auditor doesn’t have enough information to make a fair conclusion.
2. Management assertion
This is usually the shortest section of the report. The management assertion allows the company to make claims (or “assertions”) about its systems and organization controls.
Most management assertions are the company’s way of saying: “these are our systems, these are their security controls, and this is what we think about it all right now.” This section may also include the company’s assertions about the audit itself, such as the timeframe and scope.
This section might seem redundant, but it’s often necessary to establish the legal basis for the engagement between the company and the auditor.
3. System description
This section provides a detailed overview of the system that’s under audit. It outlines system components, procedures, and system incidents.
Common parts of a system description include:
- System scope and requirements
- System components (e.g., infrastructure, people, etc.)
- Control frameworks
- System incidents
- Complementary information (e.g., user responsibilities, etc.)
Of course, this section is only as detailed and complex as the system it’s describing. Usually, you can expect a good 20-30 pages of detailed information.
4. Tests of controls
This is the longest section of a SOC 2 report and it describes every test performed during the audit.
Since SOC 2 reports are information security-oriented, most of the tests found in this section relate to the “Security” Trust Services Criteria. Here, Security breaks down into nine Common Criteria (CC).
Most SOC 2 reports show tests in a table format with the following information:
- Common Criteria (CC)
- Trust Services Criteria or control objectives
- Control number
- Control description from the company
- The auditor's test description
- Test results on operating effectiveness
5. Other information
Some SOC 2 audit reports include an extra section for additional information, such as management’s response to specific test results. Here, companies can explain why an exception occurred or what they’ve done since to fix it.