Understanding the Key Elements of a SOC 2 Report

One of the most effective ways for service organizations—a broad category that includes cloud service providers — to demonstrate they have implemented security controls for safeguarding sensitive data to meet their service commitments is by obtaining a System and Organization Controls (SOC) 2 report.

Developed by the American Institute of CPAs (AICPA), a SOC 2 report offers a framework that allows a third-party accounting firm to examine a service organization’s security practices and controls, and to prepare an objective attestation whether the provider’s security measures are designed and operating effectively.

The report is based on five Trust Services Criteria (TSC) highlighting various aspects of a service organization’s information protection posture. Typically, a service organization will have to meet the Security (also known as the “Common Criteria”) criterion to undergo a SOC 2 examination. However, organizations can opt into four additional Trust Services Criteria based on their service commitments and customer requirements.

The other criteria are Availability, Confidentiality, Privacy, and Processing Integrity. For cloud service organizations, a combination of Security, Availability, and Confidentiality represents the most common selection.

Deciding whether to include categories beyond the required security criteria depends on factors including specific customers’ or prospects’ concerns, the types of data a service provider handles on behalf of its customers, or the service organization choosing to present as comprehensive of a report as possible.

A SOC 2 report is considered “restricted use,” and is intended to be shared only with customers, prospects, business partners, and regulators. Because the report includes detailed system information and a controls matrix specific to the service organization, which may include proprietary information, it should not be shared publicly.

A SOC 2 is not the only type of report a service organization may be interested in obtaining. A SOC 1 report is a formal audit of a company-specific service provider’s controls that could affect their customers’ financial reporting. The other type of report is known as a SOC 3, which is a summarized version of a SOC 2 type 2 report. This report, intended to be used as a marketing tool to an unrestricted audience, provides a generalized opinion on controls related to one or more of the Trust Service Criteria.

Service organizations can elect to undergo two different SOC 2 audits. A Type 1 report evaluates whether controls are designed properly at a specific point in time. A SOC 2 Type 2 evaluates whether those controls are designed and functioning as intended over a specified period of time, typically six or 12 months. When customers are asking for a SOC 2 report, they are generally referring to a SOC 2 Type 2. The Type 1 report is usually performed as part of initial readiness at the beginning of your SOC 2 journey.

To prepare for a SOC 2 audit, a service organization will develop comprehensive documentation of systems, processes, and controls. A SOC 2 readiness tool, such as Drata or Vanta, can help service organizations implement necessary controls based on the applicable Trust Services Criteria for their organization.

During the review, an independent audit firm will assess and validate the service organization’s controls before issuing a report summarizing its findings. The best outcome for the service organization is when the audit firm issues an “unqualified opinion” that the organization under examination can achieve its service commitments and its controls are designed and operating effectively.

A SOC 2 audit is typically performed annually, so the service organization will likely use the report’s findings to fine-tune and maintain its controls before its next examination.

Having a SOC 2 attestation to share with prospects and customers can provide many benefits for service organizations. For example, a SOC 2 report is often considered a qualifying factor in the due diligence process as companies (especially large enterprises) evaluate potential vendors.

Similarly, undergoing a SOC 2 audit may be a contractual requirement between a service organization and its clients. Some customers may accept a SOC 2 report in place of a security questionnaire.

In short, a SOC 2 report provides assurance that a service organization or other service organization has implemented strong security controls and procedures to conform with industry security best practices for protecting systems, data, and managing risk.

To learn more about SOC 2 reports and how they can benefit your organization, contact us.