So, you’ve just been handed a SOC 2 report. Now what? These reports can be overwhelming since they are sometimes more than 100 pages long. Let’s start with the basics. All SOC 2 reports have at least five sections, sometimes six if there are exceptions in the report. They are the Independent Auditor’s Report, Management’s Assertion, Description of the Organization’s Operations, Control Criteria and Complementary User Entity Controls, Description of Test Controls, and in some cases Other Information Provided by the Organization. In this article, we will go over each section and discuss the importance of each one. Since this is such a large topic, we will cover these sections in two parts, with sections 1-3 covered in this article and sections 4-6 in an article to come.
Independent Auditor’s Report
This section contains the auditor’s opinion on the organization’s controls. It informs the reader of the scope of the audit, which is the system or service on which the auditors base their testing and opinion. It is important that the reader reviews this section, since most SOC reports are not all-encompassing and pertain only to a specific system or service offered by the organization. This section also calls out whether the organization uses one or more subservice organizations. A subservice organization is a vendor the organization relies on to perform some of the controls relevant to the SOC report.
The next two subsections are the Service Organization’s Responsibilities and the Service Auditor’s Responsibilities. These subsections state which portions of the audit each party is responsible for. The opinion is one of the main focal points of this section: it informs the reader whether or not the organization is compliant. If the reader sees that 1) the organization’s system or service was implemented in accordance with the description, 2) the controls were suitably designed, and 3) the controls operated correctly, then the organization has received a clean opinion from the auditor and is thus in compliance. The last subsection is Restricted Use. It is important that readers keep the SOC report confidential, since it contains sensitive information about how the organization operates. The key takeaways from this section are the auditor’s opinion, the scope, and whether the organization uses a subservice organization.
Management’s Assertion
This section mostly reiterates the important points of the Independent Auditor’s Report. It states the scope of the audit, any subservice organizations, and the three key aspects of the opinion. Management of the organization signs the assertion; it is a summary of the services the organization provides and a statement of agreement with the auditors.
Description of the Organization’s Operations
This section is written entirely by the organization. The description gives the reader a better understanding of what the organization does and describes the system under audit and its related controls in more detail. This section also provides more detail on any subservice organizations the organization uses. Along with the explanation of each subservice organization, the reader will see whether it is treated as inclusive or carve-out. If a subservice organization is inclusive, the relevant controls it provides are included within the description and the testing performed in the audit. If the subservice organization is carved out, the relevant controls it provides are not included in the description or the testing of the audit, and the reader should look to that vendor’s own SOC report for assurance over those controls.
In our next SOC article, we will finish our overview of the remaining sections of a SOC 2 report: Control Criteria and Complementary User Entity Controls, Description of Test Controls, and Other Information Provided by the Organization.
If your entity is interested in obtaining any additional information on SOC reports or if there are any other questions related to SOC, please contact us. For more information, be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA regarding our services.