
SOC 2:  Breaking Down the Report

by | Apr 24, 2020 | For-Profit Entities, Healthcare, Not-for-Profits, Professional Services, SOC Suite

In the previous blogs of this series, several aspects of SOC examinations were explored. This portion will include an in-depth look at the contents of a SOC 2 report.

In order to provide an accurate description of the system being tested and the results of testing, SOC 2 reports are generally lengthy. The report contains a great deal of information, but it is broken down into four main sections:

Management’s Assertion

Management provides an assertion regarding the presentation and effectiveness of the controls in place to achieve the cybersecurity criteria. The assertion addresses description criteria and control criteria.

Independent Auditor’s Report

The CPA expresses an opinion on two questions: whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria, and whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

Overview of the Organization and Services

This section contains the description of the entity’s systems used for processing users’ data. The description is prepared in accordance with specific description criteria.

Description of Criteria, Controls, and Comments

This section’s composition depends on the Trust Services Principles that the organization selects. The principles are as follows:

  • Security – Information is protected during its lifecycle from unauthorized physical and logical access.
  • Availability – Information and systems are available for use when necessary.
  • Processing Integrity – System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality – Information designated as confidential is protected.
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed of as necessary.

Of the principles above, security must be included in every SOC 2 examination. The remaining principles are optional and can be added if they meet the needs of the organization.

The four sections listed above comprise a SOC 2 report, which is intended to meet the needs of a broad range of users who have sufficient knowledge and understanding of the service organization and its system.
