By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
SOC 2 Reports – Part 1
Service Organization Control (SOC) 2 Exam Overview
Business demands today often require organizations of all sizes to outsource certain functions to service providers when it is not economical for the business to perform the function itself. Some common examples include:
- Database hosting
- Donor management
- Server co-location
- Backup services
- Software development
Organizations that outsource these and other functions entrust the service organizations to process transactions completely and accurately, protect the organization’s data, and fulfill other service guarantees. But how does a service organization demonstrate to its customers and prospects that it is doing these things?
One such mechanism that provides the assurances of an independent CPA firm is the System and Organization Controls (SOC) 2 examination. A SOC 2 exam, sometimes colloquially referred to as a SOC 2 audit, is the gold standard in the U.S. for assurances over data security, system availability, system processing integrity, confidentiality, and privacy.
To obtain a SOC 2 audit report, the service provider hires a CPA firm to perform sufficient procedures to issue an opinion. That opinion is included in an overall SOC 2 report that is compiled by the auditor and given to the service organization. The service organization can then provide that report to prospects and clients seeking assurance that the service organization is meeting its objectives related to security, availability, processing integrity, confidentiality, and privacy.
But what exactly is in a SOC 2 report?
What goes into a SOC 2 Report?
SOC 2 reports generally range from 40 to 80 pages. Complex reports from very large organizations can be well over a hundred pages. The reports consist of up to five sections.
Section I – Independent Service Auditor’s Report
The service auditor’s report contains the overall opinion (conclusions) of the auditor regarding the areas within the scope of the exam. The service auditor’s report also indicates that the description of the system the auditor examined is included in Section III of the report. This makes clear to the report reader what the auditor actually examined. This is important, especially for organizations with multiple services, products, or systems, to ensure readers are not led to believe the audit opinion covers areas that were not actually audited.
The auditor also discloses whether or not controls at subservice providers were included in the examination. For example, if a SaaS provider hosts its application in a third-party data center, then that data center provides important controls to the SaaS provider. The auditor will disclose whether those controls were included in the scope of the audit (carved in), excluded (carved out), or a combination of the two.
The auditor’s report contains a number of other disclosures regarding auditor responsibilities, service organization management’s responsibility, and other limitations.
The meat of the report that most readers are after, however, is the opinion. The SOC auditor issues opinions over three key areas:
- That the description of the system, as presented in Section III of the report, is a fair representation of the actual processes and controls.
- The controls described in the description were suitably designed.
- The controls operated effectively throughout the period.
The auditor can issue a variety of opinions based on the results of the audit, and we dive into those opinions in Part II of this article series on SOC reports.
Section II – Management’s Assertion
The next part of the SOC 2 report contains management’s specific disclosures and assertions to the report readers. Management’s disclosures and assertions mirror many of the disclosures in the service auditor’s report. Management’s assertions must comply with AICPA requirements and appear in the report on the service organization’s letterhead. The key disclosures and assertions include:
- A statement from management indicating that they prepared the description of the system as presented in Section III.
- Disclosures regarding the use of subservice providers.
- Disclosures regarding the controls expected to be implemented by user entities.
- Assertions that:
- The description of the system, as presented in Section III of the report, is a fair representation of the actual processes and controls.
- The controls described in the description were suitably designed.
- The controls operated effectively throughout the period.
As you can see, the assertions themselves (the fourth item above) essentially mirror the items that the auditor opines on.
Section III – Description of the System (“Description”)
Management’s Description is a narrative document, prepared by the service organization and provided to the auditor, that details the service organization’s system. In this context the system is not an individual computer system. Rather, the system is the set of processes and controls that allow management to achieve its service commitments and other objectives related to Security, Availability, Processing Integrity, Confidentiality, and Privacy. In various AICPA guidance, it is referred to as a system of internal control.
Management’s Description is provided to the auditor at the start of the engagement, and if processes change during the course of the engagement, updated versions should be provided to the service auditor.
In the final SOC 2 report, Management’s Description is incorporated into Section III.
Although the AICPA has not specified a format for the Description, the AICPA has prescribed minimum information that needs to be included in the description. Additionally, we have seen patterns emerge among the Descriptions in the numerous service organization SOC audits we’ve examined over the years. The outline below presents a combination of the requirements of a SOC 2 description and an organizational structure we regularly see.
- System Overview
- Service Provided – A description of the key service(s) that the service organization provides to its customers
- Principal Service Commitments and System Requirements
- Service Commitments – The key commitments made to customers.
- System Requirements – The key requirements of the system necessary to meet those commitments
- Components of the System
- Infrastructure
- Software
- Data
- Procedures
- People
- Incident Disclosure – If it impacted the controls or service commitments
- Criterion Disclosure – Specific enumeration of which Trust Services Criteria (TSC) are applicable to the description. This will always include Security, and may include Availability, Processing Integrity, Confidentiality, and/or Privacy depending on the service commitments to the clients.
- Complementary User Entity Controls – A disclosure to the service organization’s customers that enumerates controls for which they are responsible. For example, when a service organization provides software as a service (SaaS), it is generally the user entity (the customer) that grants and removes access for its own employees.
- Subservice Organizations – A disclosure indicating which controls at subservice organizations are key to management’s control objectives and service commitments. For example, a service organization that provides a SaaS would likely identify the company that manages the datacenter, noting its responsibility for physical access controls and environmental controls within the datacenter.
- Criteria Not Applicable – There is a rebuttable presumption that all criteria in the relevant TSC sections are applicable. If any are not applicable, this portion of the description is the location to disclose that information.
- Changes to the System During the Period – A disclosure of material changes to the system of internal controls during the period being audited.
Depending on the complexity of the system being described, the length of the description can vary greatly from one SOC report to the next. For example, we’ve seen very large and complex service organizations with descriptions approaching 60 pages. Yet, for other organizations that would also be regarded as large, we typically see descriptions approaching 20 pages. Generally, it is going to be difficult for a description to adequately describe a system in fewer than 10 pages.
Section IV – Trust Services Category, Criteria, Related Controls, and Tests of Controls
Section IV contains a detailed list of the controls, their alignment to the Trust Services Criteria, the individual tests performed by the auditor, and the results of each test.
If the auditor identifies any errors when performing their tests, they are noted as “exceptions” in this part of the report. Audit exceptions are plainly written and state only facts. For example, an exception might read, “User access to the domain controller for one sample of 25 terminated employees was not timely deactivated.”
The table in this section is prepared by the auditor, but the controls presented in the report and their alignment to the Trust Services Criteria are provided to the auditor prior to the start of the audit.
Section V – Other Information Provided by the Service Organization that is not Covered by the Service Auditor’s Report
As the title describes, this section contains other information that the service organization wants to communicate to readers. The information in this section is not subject to audit procedures and is not included in the subject matter upon which the service auditor opines. In other words, if you are reading this section of the report, remember that this section is unaudited.
This section is generally used by management to disclose their responses to the testing exceptions noted in Section IV. Crafting these responses should be done with care. See Part 4 of this series on SOC 2 audit reports titled: Tips for Good Management Responses to Testing Exceptions.
Service organizations might also use this section to disclose how their controls align to other frameworks. For example, if report readers need to see how the controls relate to NIST control frameworks, HITRUST, or ISO/IEC 27001, management could include a table that shows how the controls listed in Section IV align to those other frameworks.
Conclusion
SOC 2 reports are issued by a service auditor to a service organization. The report and the underlying audit standards provide a rigorous methodology for independent CPAs to audit organizational controls, as well as the organization’s controls over Security, Availability, Processing Integrity, Confidentiality, and Privacy. The report contains the audit opinion, the description of the system being audited, the results of the SOC 2 testing procedures, and a myriad of disclosures.
Are you considering a SOC report and trying to figure out the right report for you? Keiter’s team of Risk Advisory Services professionals can help you. Email | Call: 804.747.0000
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.