Compliance 101

How SOC 2 Compliance Works: Reading a SOC 2 Report

SOC 2 Report

We talk a lot about getting SOC 2 compliant; the gap analysis, implementing controls, executing a risk assessment, and finally passing your evidence to auditors. But what happens after you have a SOC 2 report in hand? How do you read it? What do your investors, partners, or prospects look for when they ask for a copy?

This post will cover exactly how to read a SOC 2 report and how to know what others will be looking at in the report.

What is in a SOC 2 report?

A SOC 2 audit generates a report on the relevant controls to a service organization system’s security, availability, processing integrity, confidentiality, and/or privacy. If this sounds familiar, it should. Your report reflects the relevant Trust Service Criteria your business chose at the beginning of the SOC 2 process.

Management, auditors, regulators, and your customers use the report when performing due diligence, examining oversight of your information security, and meeting governance, risk, and compliance program requirements.

Reading a SOC 2 report

SOC 2 reports can be long, dense, and difficult to read. We break down each important section of the report below. Let’s dive in.

Auditor’s Opinion

SOC 2 reports don’t bury the lede. First up, the auditor’s opinion of the service organization’s overall information security posture.

Service organizations will receive one of four opinions from their CPA firm: unqualified, qualified, adverse, or disclaimer. Auditors structure the report so that readers understand the opinion upfront. Stakeholders navigate to this opinion first to understand if there are issues and the severity of the issues.

  • Unqualified

Consider this a passing grade. This is the highest rating for a SOC 2 report and indicates that the auditor did not find any material issues during the audit.

  • Qualified

Your SOC 2 will receive a qualified opinion when the auditor identifies material findings that cause the service organization’s controls to fail to meet certain SOC 2 trust services criteria.

  • Adverse

Auditors issue an adverse opinion when they identify pervasive failures and believe that users are unable to rely on the service organization’s in-scope systems.

  • Disclaimer

If auditors did not have access to sufficient evidence to form an opinion, they will issue a disclaimer of opinion. The service organization will need to collect more evidence of their controls to go through another audit.

Management’s assertion

After the auditor’s opinion, the management of the service organization provides an assertion. The service organization presents the facts as complete, accurate, and reliable for the assessment.

Think of this section as the swearing-in of the service organization, that everything presented to auditors is true and complete to the best of their ability.

Description of the system

Following management’s assertion, they’ll author a description of the service system. This will cover information on the offered service: what it’s used for, what kind of data the system holds and transmits, and an overview of the types of users.

This section will also include information on the internal functioning of the business, like where employees are located, the types of teams the company leverages, the systems used to get their jobs done, and more.

Description of controls

For a Type 1 audit, this is where the meat of the report will be. The service organization describes the types of controls that have been implemented and how they protect the organization as a whole.

Type 1 report

A SOC 2 Type 1 report covers:

  • Management’s description of the system
  • How control objectives are achieved

Businesses frame a Type 1 report around a specific date, so it does not show tests of controls or the results of tests. Generally, the CPA that executes the audit will issue an opinion, which addresses the suitability of control architecture.

Type 2 report

During a Type 2 audit, the auditors will look over the description of controls to better understand how to test them and judge the effectiveness.

In a SOC 2 Type 2 report, the auditor will issue a similar opinion as a Type 1 with the addition of operating effectiveness. They evaluate controls over a period of time, typically a 12 month period. The report shows descriptions of control tests and results by the auditor.

Tests of controls and results of tests

This is an added feature that only appears in a Type 2 report. Overall, it will summarize the tests of different controls and note the results. The results will be the main consideration when determining the opinion given by the auditor.

While the execution of tests is dependent on the types of controls implemented, auditors test controls in three ways:

  1. Inquiry: auditors inquire about the design and/or operating effectiveness of a control, e.g. “Inquired of the CTO and determined that administrative access to the application is restricted to authorized engineering personnel.”
  2. Inspection: auditors inspecting evidence of the process itself. This is the highest level of assurance, which is ideal to provide your auditors with the ability to do.
  3. Observation: auditors will observe evidence of controls as a third party, like providing sample customer contracts. This typically happens when the cloud environment is proprietary.

After performing tests, the auditors create a matrix-like presentation of the results where they note exceptions.

Management’s Response

Finally, if auditors identify an inconsistency or exception during control tests, the organization has the opportunity to respond. Ideally, businesses don’t want exceptions. But in the instance of an exception, management provides details of what led to the control breakdown.

Have any other questions on the SOC 2 process? Need to find a reliable auditor who knows how cloud technology works? Laika has you covered.