SOC 2 Report

Businesses often outsource services related to information technology and cloud services to the third-party for better operations. Although outsourcing may be a convenient option, yet it cannot possibly work smoothly without checks and due diligence.

Entrusting your business-critical information related to customers, employees, and internal operations to a third-party company without accountability may most likely put you into trouble.

A SOC2 Report sets standards for service organizations to establish strong and measurable controls for the organization. It makes the service organization accountable for securing its systems and operational controls effectively. Besides, performing regular SOC 2 audits becomes mandatory for service organizations, thus ensuring the adoption of industry best practices for security controls. 

What is the SOC2 Report?

SOC2 Report is an audit report that provides details about the effectiveness and efficiency of the internal controls of the service organization. It details out how well the service organization and implemented measures to safeguards customer data and how effective are those controls.

These are reports issued by third-party auditors covering controls relevant to the Trust Services Criterion: Security, Availability, Process Integrity, Confidentiality, and/or Privacy. This report is essential for clients and stakeholders of the service organization to understand the internal control, risk management processes, vendor management programs, and regulatory oversight of the service organization.

What does a SOC2 Report include?

SOC 2 report provides details on the service organization’s controls which is critical for your business. Given below is the structure of a SOC2 report which highlights the key aspects of the audit conducted on service organizations. 

Structure of a SOC2 Report

Section1: Independent Auditor’s Report 

Section 2: Management Assertion 

Section 3: Description of Control  

Sections 4: Relevant aspects of the control environment

Section 5: Description of the System 

Section 6: Auditors Test of Control and Results of Test

Section7: Other Information 

The most important aspect of this report is knowing what to look for in the given information from your SOC 2 report. One needs to understand what the report conveys and how best can it be interpreted. Here are some key elements to look for in the SOC2 report to help you with your business decisions. 

1. Independent Auditor’s report

The Independent Auditor’s report is the summary of the auditor’s opinion on how effective the organization’s controls are when mapped with the Trust Services Criteria in scope. It gives details on system design, and the operating effectiveness of control to meet the objectives. This section of the report will include scope, service organization responsibilities, service auditor’s responsibilities, inherent limitation, and opinion of the auditors (Qualified and Unqualified opinion) .

What to look for in the Independent Auditor’s report?

As you review the report, you need to pay close attention to the service organization’s controls that impact your business’s security. Given below are the possible opinions that the independent auditor may deliver and you should look for in this section of the report:

  • Unqualified Opinion-This is issued when the independent auditor supports the findings with no modifications.
  • Qualified Opinion- This is issued when the auditor cannot provide an unqualified opinion, but the findings are not so severe that they issue an adverse opinion as well.
  • Adverse Opinion- This is issued when the auditor concludes that the user entity should not rely on the vendor’s systems.
  • Disclaimer Opinion-This is issued when the auditor cannot express an official opinion as they could not find the necessary evidence required to establish an official opinion.

The best outcome for your business and the service organization is to receive an unqualified opinion from the independent auditor. Any other opinion one must evaluate a bit more to determine the impact of the opinion provided.

2. Management Assertion

The management of the Service organizations is expected to provide a written assertion to the auditor describing their systems and operations that help them accomplish their business objectives. It is a declaration by the service organization about the system designed and controls are in place and whether or not they are in accordance with the AICPA’s 5 Trust Service Criteria.

For auditors performing a SOC 2 audit, the organization must acknowledge and accept the responsibility of providing management assertion.

What to look for in the Management Assertion?

The AICPA broadly draws out three functions of management assertion that you must carefully look into to understand where the service organization stands. This includes-

  • Ensuring whether the description of the service organization’s system is presented in accordance with the description criteria. 
  • Ensuring whether the controls stated in the description are suitably designed
  • Ensuring whether the controls are operating effectively.

3. Description of Controls

This section provides details including the scope of the report, disclosures, overview of operations, systems, and relevant infrastructure. It gives a high-level overview of the technologies used in the environment, like virtualization software, networking hardware, database types, backup configuration, and system redundancy. The section will highlight whether or not the controls are in place to support secure business operations. 

What to look for in the Description of Controls?

You must look for the findings outlined by the auditor for controls tested. It will state whether the controls tested by the auditor is working as intended, or not, or whether there were exceptions to its performance. You need to determine which controls are tested and in case of gaps identified you need to dig deep to know how it would impact your business. 

4. Relevant aspects of the control environment

In this section, the auditor will provide details pertaining to the control environment, risk assessments, information and communication systems, and monitoring of activities.

  1. Control Environment is a set of standards, structures, and processes that provide the foundation for performing internal control within the organization. 
  2. Risk Assessment is a process used to identify assess, and manage risks to achieve the business objectives. 
  3. Control Activities are measures implemented under the direction of management, as per policies and procedures, to mitigate the risks and achieve objectives. 
  4. Information and Communication is the channel of distribution of information needed to perform control activities. It would also include understanding internal control responsibilities to personnel internal and external to the organization. 
  5. Monitoring Activities is an on-going evaluation of implementation and operation of the five critical components of internal audit.

What to look for in this section? 

As you review this section of the report look for findings pertaining to the organization’s achievement of its strategic objectives, whether or not the service organization operates its business efficiently and effectively, whether or not do they comply with all applicable laws and regulations, and whether the organization has implemented measures to safeguard its assets.  

5. Description of Systems

This section describes in detail the critical systems of the organization that supports the delivery of products, solutions, or services to its customers. It includes the overview of the company, products, and services delivered, details on service commitment and system requirement, and components and boundaries of a System. 

What to look for in the system description?

As part of your report review process look for the following details in this section of the SOC2 Report 

  • Identify the specific products or services you use which is included in the scope of the SOC 2 report.
  • Make sure the list of products provided to third parties, are subject to the SOC2 audits are clearly described.
  • Whether or not what the service organization promised concerning the security of systems and data is in place. 
  • Whether or not there is the availability of systems that enable the delivery of products and services are met as per standards.
  • Appropriate measures are taken to protect the confidentiality of users’ data and/or processing commitments.

6. Auditors Test of Controls and Results of Test

This section provides information about the operating effectiveness of controls that were tested. It details about the controls that may affect the organization’s operations in providing services or delivering products to its customers. This section will have the following information – 

  • Control objective related to the applicable trust service principles, 
  •  Controls in place to meet the objectives 
  • Auditor’s tests of the controls including physical and environmental security controls, customer provisioning, system availability, information security, change management, backup process, and network monitoring. 

What to look for in auditors’ test of control and results of the test? 

You must look for specific controls that affect your business and ensure whether it meets the standard requirements. In addition to this, you must also review whether or not security measures are in place to protect your sensitive data and ensure system availability, information security, Change management process, and backup process is in place.  

7. Other information

Sometimes service organization provides additional information for its stakeholders in this section. This information is not “tested” by the SOC2 auditor, but it can provide you with useful information on Business Continuity Program, Incident Response Program, or other practices they want you to know about. This gives an estimation as to how quickly they can recover from a disaster.

What to look for in the other information? 

Ensure best practices are implemented and service organizations have in place Business Continuity Program and Incident Response Program for a quick bounce back in case of an incident.

Conclusion

When it comes to a SOC2 Audit report there is no pass or fail in it. The auditor simply provides an opinion on how your organization adheres to the Trust Service Principles in scope. If the auditor’s opinion aligns with the management’s assertion, you will receive an unmodified opinion stating that the service organization can be trusted.

The report may also suggest minor exceptions on some of your controls or some case provide an adverse opinion with adequate evidence showing controls are not in place. The objective of the report is to receive an opinion from the auditor stating whether or not the service organization meets the Trust Service Criteria outlined by AICPA.

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.