Breaking Down SOC 2 Reports: How to Prepare and Review Each Section

System and Organization Control (SOC) 2 has become a popular framework in cybersecurity reporting. Many organizations choose to obtain a SOC 2 report in order to gain detailed information and assurance about the controls at their service organization. SOC 2 reports are performed in the U.S. under SSAE 18 and the AICPA guide to reporting on controls at a service organization relevant to the five trust services criteria—Security, Availability, Processing Integrity, Confidentiality, and Privacy. 

This report is applied to a range of systems used by customers and companies. Because these reports include controls over specific requirements, such as disaster recovery solutions and security risk monitoring, they’re generally considered a deeper dive into your organization’s systems when compared to a SOC 1 and SOC 3 report. 

Within a SOC examination, your organization can obtain a Type 1 or Type 2 report. If your organization has previously documented your controls through an automation partner, Type 1 reports may be performed right away. Type 1 reports, referred to as point-in-time reports, test the design of your controls on a specific date. Type 2 reports are generally audited throughout a 3 to 12 month period. 

SOC 2 reports are used to provide assurance to current and prospective clients that you have procedures and controls in place in order to provide safe and reliable services. 

While there’s a lot of information surrounding SOC reporting, we’re breaking down each section of the most common type of SOC report, the SOC 2 report. 

• Section 1—Auditor’s Report
• Section 2—Management Assertion
• Section 3—System Description
• Section 4—Description of Criteria
• Section 5—Other Information (optional)

Take a look at the five main sections below and what to expect when obtaining your SOC 2 report. 

1. Auditor’s Report

Section 1 of your SOC 2 report includes information written by your auditor. This section highlights whether or not your organization “passed” the assessment, which is categorized as either qualified or unqualified. 

Qualified Opinion

“Qualified” may seem like a positive result in most circumstances, however, for a SOC 2 report a qualified opinion actually means that the auditor found at least one issue that did not work effectively throughout the reporting period. 

While receiving a qualified opinion for your SOC 2 report can feel daunting, it’s not the end-all, be-all. In fact, it’s fairly typical for auditors to find issues that deem controls as either 1.) designed or 2.) operated ineffectively. Throughout this process, BARR acts as your true partner, walking you through what we find, and guiding you toward success along the way.  

Unqualified Opinion

Receiving the opinion that your organization is unqualified means you “passed,” and the auditor didn’t find any issues with the effectiveness of your controls during the specified reporting period. 

2. Management Assertion

Section 2 allows your organization to state that you did, in fact, prepare and implement your system descriptions. It’s an overview of your organization stating that:

• The controls stated in the description were designed and implemented within a specific reporting period.
• The controls stated in the description operated effectively throughout the specified reporting period (Type 2 only).

While this section won’t contain technicalities, it acts as a precursor to Section 3, where you’ll write your own system descriptions in greater detail. 

3. System Descriptions

Section 3 includes important information regarding the people, processes, and technology that support your product or service. Companies often write their own descriptions, and it serves as an overview of your organization’s systems and controls you have in place. 

This section is arguably the most critical section of your SOC 2 report, as your response will help BARR assess whether or not your system components are effectively protecting your customer data. 

Here are the eight components that the AICPA recommends you include in your system description:

1. Types of services provided
2. Principal service commitments and system requirements 
3. Components of the system
4. Trust services criteria and corresponding controls
5. Complementary user entity controls
6. Complementary subservice organization controls
7. System incidents
8. Significant changes to the system during the period

While writing your own system descriptions might feel intimidating, as your auditor, BARR is here to guide you through the process, working with you along the way. Read more on how to write your SOC 2 report system descriptions. 

4. Description of Criteria

Section 4 is the most detailed section within your SOC 2 report. This is where all your controls that were evaluated are listed. Think of this section like an index where you can easily find the most relevant information from your audit. 

Up until now, Type 1 and Type 2 reports will look relatively the same. However, in Section 4, a Type 1 report will contain different information than a Type 2 report. 

Type 1 Report

Because Type 1 reports are a point-in-time assessment, in Section 4 of the SOC 2 report, you’ll find a list of controls tested without the auditor’s test results. Under the AICPA, Type 1 reports only require the auditor’s evaluation if the controls were designed properly within a specific period of time. 

Type 2 Report

Type 2 reports, on the other hand, do include all the controls tested and the auditor’s test results. You might find that most people go straight to this section when reading a SOC 2 report. This is because, in this section, you can find any controls that the auditor might have flagged as operating ineffectively. 

5. Other Information (optional)

This section is available as an optional part of your SOC 2 report where your organization can provide additional information relevant to your audit. Within this section, you might find details like a response to any exceptions found during the SOC 2 report. For example, if the auditor lists a specific gap in Section 4, in this section, your organization can provide additional context for why that gap might exist. 

While a SOC 2 report contains a lot of detailed information, our BARR consultants are here to guide you through each step of the process. We hope this article demystifies what to expect when obtaining your SOC 2 report so you can walk into your audit with ease and walk out with greater assurance. 

Interested in more information about BARR’s SOC 2 auditing process? Schedule a call with us today.