In the previous blogs of this series, several aspects of SOC examinations were explored. This portion will include an in depth look at the contents of a SOC 2 report.
In order to provide an accurate description of the system being tested and the results of testing, SOC 2 reports are generally lengthy. The report contains a great deal of information, but is broken down into four main sections:
Management provides an assertion regarding the presentation and effectiveness of the controls in place to achieve the cybersecurity criteria. The assertion addresses description criteria and control criteria.
Independent Auditor’s Report
The CPA’s opinion is expressed about whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
Overview of the Organization and Services
The description of the entity’s systems used for processing users’ data. This description is prepared in accordance with specific description criteria.
Description of Criteria, Controls, and Comments
This section’s composition is dependent on the Trust Services Principles that the organization selects. The principles are as follows:
- Security – Information is protected during its lifecycle from unauthorized physical and logical access.
- Availability – Information and systems are available for use when necessary.
- Processing Integrity – System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed as necessary.
Of the principles above, security must be included in a SOC 2 examination. The remaining principles are optional and can be added if they meet the needs of the organization.
The four sections listed above comprise a SOC 2 report, which are intended to meet a broad range of users who have sufficient knowledge and understanding of the service organization and its system.