System and Organization Controls (SOC) reports play a significant role in providing insights into the controls and processes implemented by service organizations.
SOC 2 reports provide their readers with information about the controls in place at the service organization to achieve the applicable trust services criteria (Security, Availability, Processing Integrity, Confidentiality and/or Privacy) and provide users with information about the suitability of the design and operating effectiveness of controls (only in a SOC 2 Type 2 report). Among the essential components of a SOC 2 report, five key sections are typically included. The following is a quick rundown of how these reports can help an organization promote a secure and dependable digital landscape and provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.
Section 1 – Independent Service Auditor’s Report
Section 1 is the auditor’s opinion on the service organization’s controls and whether they have been operating as designed (Type 1) and/or operating effectively (Type 2). Additionally, this section provides a brief synopsis of the system(s) in scope, the examination period or as-of date, and applicable trust service criteria. See our Understanding SOC Report Opinions article for additional details.
Section 2 – Management Assertion
Section 2 is management’s assertion, which is the statement made by the service organization’s management regarding the design and/or operating effectiveness of the controls in place to achieve its service commitments and system requirements based on the applicable trust service criteria. In simple terms, this is the service organization’s statement that its controls have been operating as designed as of a specified date and/or operating effectively throughout the specified period. Management’s assertion is prepared using the service organization’s letterhead (required), signed by the appropriate member(s) of management (optional but recommended), dated the same date as the service auditor’s opinion and included in the final report.
Section 3 – System Description
Section 3 is an in-depth management-written description of the system in scope for the SOC 2 report. This is typically the longest section of the SOC 2 report, as it may have graphics, such as reporting structures, network diagrams, etc. Additionally, the system description covers an in-depth dialogue about the organization’s background, services provided, processes, controls and personnel. The system description is required to include the criteria for a description of a service organization’s system set forth in DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (With Revised Implementation Guidance—2022) in AICPA, Description Criteria. Required criteria include:
- The types of services provided;
- The principal service commitments and system requirements;
- The components of the system used to provide the services, including:
- Infrastructure
- Software
- People
- Procedures
- Data
- Boundaries of the system;
- For identified system incidents that (a) were the result of controls that were not suitably designed or operating effectively or (b) otherwise resulted in a significant failure in the achievement of one or more of those service commitments and system requirements, as of the date of the description (for a Type 1) or during the period of time covered by the description (for a Type 2), as applicable, the following information:
- Nature of each incident
- Timing surrounding the incident
- Extent (or effect) of the incident and its disposition;
- The applicable trust services criteria and the related controls designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved;
- If service organization management assumed, in the design of the service organization’s system, that certain controls would be implemented by user entities, and those controls are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements would be achieved, those complementary user entity controls (CUECs);
- If the service organization uses a subservice organization and the controls at the subservice organization are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved, the following:
- When service organization management elects to use the inclusive method:
- The nature of the service provided by the subservice organization;
- The controls at the subservice organization that are necessary, in combination with controls at the service organization to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved;
- Relevant aspects of the subservice organization’s infrastructure, software, people, procedures and data;
- The portions of the system that are attributable to the subservice organization;
- When service organization management decides to use the carve-out method:
- The nature of the service provided by the subservice organization;
- Each of the applicable trust services criteria that are intended to be met by controls at the subservice organization;
- The types of controls that service organization management assumed, in the design of the service organization’s system, would be implemented by the subservice organization and that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved (commonly referred to as complementary subservice organization controls, or CSOCs);
- Any specific criterion of the applicable trust services criteria that is not relevant to the system and the reasons it is not relevant;
- In a description that covers a period of time (Type 2 examination), the relevant details of significant changes to the service organization’s system and controls during that period that are relevant to the service organization’s service commitments and system requirements;
- The system description also includes details of the service organization’s relevant aspects of the control environment, risk assessment process, information and communication systems, and monitoring of controls.
Section 4 – Description of Criteria and Related Controls
Section 4 includes the following:
The Controls Specified by the Service Organization and Tests of Operating Effectiveness section includes a table whose columns depend on the type of report (SOC 2 Type 1 or SOC 2 Type 2):
- SOC 2 Type 1
- Control Number
- Description of the Service Organization’s Controls
- Applicable Trust Services Criteria
- SOC 2 Type 2
- Control Number
- Description of the Service Organization’s Controls
- Test of Effectiveness
- Test Result
- Applicable Trust Services Criteria
Schneider Downs also includes in its reports a section that maps the Trust Services Criteria to the controls specified by the service organization, giving a breakdown of the control activity mappings for each criterion included in the report. This subsection includes a table with the following columns:
- Criteria
- Criteria Description
- Control Activity Mappings
Section 5 – Other Information Provided by the Organization
In a SOC 2 report, the Other Information Provided by the Service Organization section commonly includes additional details or context that the organization can include to strengthen the reader’s understanding of the system and the controls being evaluated. Within this section, the organization has the opportunity to provide a management response to any exceptions noted, which gives readers insight into why an exception occurred and what steps were taken to ensure that the issue has been remediated. This section can also include any additional information that management of the service organization wants to or is required to include (e.g., additional services provided that are not within the scope of the examination, or subsequent events that occurred after the as-of date (Type 1) or report period end (Type 2) but before the date the report is issued). This section is not audited, the auditor disclaims an opinion on the information it contains, and it is not included in all SOC 2 reports.
If your organization is in need of a SOC report, please contact a member of Schneider Downs’ SOC Services team.
About Schneider Downs IT Risk Advisory
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is not only to understand the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.