How To Read A SOC 2 Report

How To Read A SOC 2 Report

Becoming SOC 2 compliant is important for organizations validating their security efforts. A SOC 2 report can assure people about the effectiveness of your security systems, your application availability, and the steps you take to protect sensitive information.

However, what happens when you actually have a SOC 2 report already in your hands?

In this article, we’ll show you exactly how to read a SOC 2 report, how to interpret the lingo, and how to explain it to your employees, investors, and anyone else you want. All you need to do is to know how to use the SOC 2 report to answer the following questions:


What’s In A SOC 2 Report?

A SOC 2 report is generated after an audit is conducted on your company’s security, availability, processing integrity, confidentiality, and/or privacy. You can use the report to prove to current clients and prospects your company’s compliance with the relevant requirements.

The SOC 2 report usually includes the following:

  • Opinion letter
  • Management assertion
  • Detailed description of the system or service
  • Details of the selected trust services categories
  • Tests of controls and the results of testing
  • Optional additional information

The report usually specifies if the company complies with evaluated AICPA Trust Service Criteria (TSC). See a Sample SOC 2 Report.


Who Issues A SOC 2 report?

The first question you need to answer before examining the SOC 2 report is: “who issued it?”

According to the AICPA, only CPAs and CPA firms can issue SOC reports. If you want to ensure your team receives a valid report, make sure you work with a licensed CPA firm and have this firm issue the report you’re going to examine. If the firm lacks a CPA license, then it doesn’t undergo a peer review, so no one is reviewing its auditing practices.

Although any CPA or CPA firm can technically issue a SOC report, not all of them will have the right technology or information security certifications to evaluate your security practices and issue a proper SOC report.

Remember: SOC reports aren’t simple financial audits. They’re information security audits, and, as such, should ideally be issued by firms specialized in information security for SOC 1 and SOC 2 audits.

Make sure the firm that is issuing the report has the right certifications not only showing their license to issue a SOC report, but the knowledge of information security and cybersecurity. Consider working with a SOC 2 audit firm that provides services to similar size organizations and industries. Your team will have a better experience working with an auditor that has performed assessments with similar companies.


What’s The Auditor’s Opinion?

The first thing you’ll usually see in a SOC report will be the auditor’s opinion regarding the vendor’s system. This is the main reason behind a SOC report, so you need to know how to read it.

The auditor will present their opinion in the following four possible ways:

Unqualified Opinion

Unqualified Opinion means the auditor finds the description fairly presented and supports the findings. According to the audit, the auditor finds that the controls within the organization are well designed to achieve the objectives included within the scope of the audit.

Qualified Opinion

Qualified Opinion means the auditor’s findings were insufficient to warrant an unqualified opinion, but that the findings were not as severe to deliver an Adverse Opinion.

This can be issued due to various reasons including the auditor concluding that the description of the service has errors or omissions, that there are deficiencies in the operation or design of controls, and/or that the controls cannot achieve at least one control objective.

Adverse Opinion

Adverse Opinion means that the auditor has concluded that the company’s systems are not reliable.

This opinion is issued along with the errors, omissions, or deficiencies that make it unlikely for most or all control objectives or criteria to be achieved.

Disclaimer Opinion

Finally, a Disclaimer Opinion means that the auditor cannot issue an official opinion due to their inability to gather enough data to present an opinion.

This opinion can be issued due to several reasons, like the organization’s refusal or inability to present enough information to the auditor.


What Type Of SOC 2 Test Was Performed?

There are two SOC 2 Report Types:

Type I.

Analyzes whether the controls in an organization were designed correctly. The auditor reviews the controls at the present time to evaluate whether they can achieve their objectives or not.

Type II.

Tests and evaluates not only if the controls can achieve their objectives, but how effective they are. This offers an in-depth analysis of how the controls are designed and how they function day-to-day.


What Was Audited During The SOC 2 Audit?

It’s the vendor’s responsibility to decide which criteria will be examined during a SOC 2 audit and what will not. Teams will typically engage with the auditor to determine what criteria a SOC 2 audit will evaluate.

You can find what was in-scope for the audit in the description of the system. If you’re familiar with the system, you’ll be able to discern if the company has chosen to exclude anything from the audit, and evaluate how important or relevant it is to the security of the system and the data.


Were There Any Relevant Exceptions?

A SOC 2 report will include any relevant exceptions found during testing. These exceptions are a vital part of a SOC 2 report. Once you know which controls are vital to the organization, you can examine which exceptions were noted in those controls.

That way, you can determine if any of those exceptions are critical to the organization’s data, and determine the impact those exceptions may have on security.

These exceptions will usually follow wording like “except for the matter described as follows”, or use terms as “inadequate” or “misrepresentation”.


Getting Ready For A SOC 2 Audit

Looking to prepare for a SOC 2 audit? Although the prospect of having your company complete an audit may seem daunting, the process becomes much easier if you are properly prepared.

Teams that have established administrative policies and technical controls in place will be better prepared to answer questions from auditors, complete audits more quickly, and save money on the process.

Learn how Dash ComplyOps can help you and your team prepare and achieve SOC certification in the cloud.

Dash AWS marketplace