System and Organization Controls (SOC) 2 has become a popular framework in cybersecurity risk management and reporting. Many organizations choose to obtain a SOC 2 report in order to gain detailed information and assurance about the controls at their service organization. SOC 2 examinations are performed by a third-party auditor in the U.S. under SSAE 18 and the AICPA guide to reporting on service organization controls relevant to the five trust services criteria (TSC)—Security, Availability, Processing Integrity, Confidentiality, and Privacy.
This report applies to a range of systems used by customers and companies. Because these reports cover controls over specific requirements, such as disaster recovery solutions and security risk monitoring, they are generally considered a deeper dive into your organization's systems than a SOC 1 or SOC 3 report.
Within a SOC 2 examination, your organization can obtain a Type 1 or Type 2 report. If your organization has previously documented your controls through an automation partner, a Type 1 report may be performed right away. Type 1 reports, referred to as point-in-time reports, test the design of your controls on a specific date. Type 2 reports are generally audited over a 3- to 12-month period.
Achieving SOC 2 compliance and obtaining a SOC 2 report provides assurance to current and prospective clients that you have procedures and internal controls in place in order to provide safe and reliable services, ensure privacy and availability of data, and maintain information security standards.
From preparation to promotion, there’s a lot of information surrounding SOC compliance and reporting. We’re breaking down each section of the most common type of SOC report, the SOC 2 report.
Take a look at the five main sections below and what to expect when obtaining your SOC 2 report.
Section 1 of your SOC 2 report includes information written by your auditor. This section highlights whether or not your organization “passed” the assessment, which is categorized as either qualified or unqualified.
"Qualified" may seem like a positive result in most circumstances. For a SOC 2 report, however, a qualified opinion actually means that the auditor found at least one control that did not operate effectively throughout the reporting period.
While receiving a qualified opinion for your SOC 2 report can feel daunting, it's not the end-all, be-all. In fact, it's fairly typical for SOC 2 auditors to find controls that were either (1) designed ineffectively or (2) operated ineffectively. Throughout this process, BARR acts as your true partner, walking you through what we find, and guiding you toward success along the way.
Receiving the opinion that your organization is unqualified means you “passed,” and the auditor didn’t find any issues with the effectiveness of your controls relevant to the trust services criteria—security, availability, processing integrity, confidentiality, and privacy—during the specified reporting period.
Section 2 allows your organization to state that you did, in fact, prepare and implement your system descriptions. It’s an overview of your organization stating that:
While this section won’t contain technicalities, it acts as a precursor to Section 3, where you’ll write your own system descriptions in greater detail.
Section 3 includes important information regarding the people, processes, and technology that support your product or service. Companies often write their own description, which serves as an overview of your organization's systems and the controls you have in place.
This section is arguably the most critical section of your SOC 2 report, as your response will help BARR assess whether or not your system components are providing effective customer data protection and security.
Here are the eight components that the AICPA recommends you include in your system description:
While writing your own system descriptions might feel intimidating, as your auditor, BARR is here to guide you through the process, working with you along the way. Read more on how to write your SOC 2 report system descriptions.
Section 4 is the most detailed section within your SOC 2 report. This is where all your controls that were evaluated are listed. Think of this section like an index where you can easily find the most relevant information from your audit.
Up to this point, Type 1 and Type 2 reports look much the same. In Section 4, however, a Type 1 report contains different information than a Type 2 report.
Because Type 1 reports are a point-in-time assessment, Section 4 of a Type 1 SOC 2 report lists the controls tested without the auditor's test results. Under AICPA guidance, Type 1 reports only require the auditor to evaluate whether the controls were designed properly as of a specific point in time.
Type 2 reports, on the other hand, do include all the controls tested and the auditor’s test results. You might find that most people go straight to this section when reading a SOC 2 report. This is because, in this section, you can find any controls that the auditor might have flagged as operating ineffectively.
Section 5 is an optional part of SOC 2 reporting where your organization can provide additional information relevant to your audit. Within this section, you might find details such as a response to any exceptions identified during the SOC 2 examination. For example, if the auditor lists a specific gap in Section 4, your organization can use this section to provide additional context for why that gap exists.
While a SOC 2 report contains a lot of detailed information, our BARR consultants are here to guide you through each step of the SOC 2 compliance process. We hope this article demystifies what to expect when going through SOC 2 attestation and obtaining your SOC 2 report so you can walk into your audit with ease and walk out with greater assurance.
Interested in more information about BARR’s SOC 2 auditing process? Schedule a call with us today. We also offer a full range of SOC compliance services, including SOC 1, SOC 3, and SOC for cybersecurity.