What Will Be in My SOC 2 Report?

by Maggie Austin / February 27th, 2018

The Seven Components of a SOC 2 Report

You’ve partnered with a licensed CPA firm, you’ve properly scoped your environment, you’ve conducted a SOC 2 gap analysis, you’ve remedied any non-compliant findings, you’ve worked with your auditor, you’ve completed your SOC 2 audit and achieved SOC 2 compliance, and now you’re finally receiving your SOC 2 report. Congratulations! You may be wondering, what will be in my SOC 2 report? The seven components of a SOC 2 report include:

  1. Assertion – Provides a description to users on the service organization’s system controls, intended to meet Trust Services Criteria.
  2. Independent Service Auditor’s Report – Provides a description of the service auditor’s examination of the suitability and effectiveness of the controls to meet the criteria.
  3. System Overview – Provides background information on the service organization.
  4. Infrastructure – Provides a description of the software, people, procedures, and data within the organization’s environment.
  5. Relevant Aspects of Controls – Provides a description of the control environment, the risk assessment process, information communication systems, and monitoring of controls.
  6. Complementary User-Entity Controls – Provides a description of how controls are implemented at the user organization.
  7. Trust Services Criteria, Related Controls, and Tests of Controls – Outlines the controls in place and describes the tests on the effectiveness of the controls to meet the criteria.

Now that you have achieved SOC 2 compliance and received your SOC 2 report, the seven components of a SOC 2 report will provide user entities with reasonable assurance and the peace of mind that the controls at your service organization are suitably designed, in place, and appropriately protecting client data. A SOC 2 report can only be read by the user organizations that rely on your services, but a SOC 3 report can be freely distributed and used in many different applications.

Reach out to us today if your service organization has been asking any of the following questions:

  • What is a SOC 2 report?
  • What will be in my SOC 2 report?
  • What are the Trust Services Criteria?
  • Why is a SOC 2 report valuable?
  • What is a SOC 3 report?
  • How can I market my SOC 2 compliance?

We frequently get the question: what will be in my SOC 2 report? The first of the seven components of a SOC 2 report is the assertion. The assertion provides a description to users on the service organization’s system controls, intended to meet Trust Services Criteria. The second section is the Independent Service Auditor’s Report. This section provides a description of the service auditor’s examination of the suitability and effectiveness of the controls to meet the criteria. Next, we have the system overview. The system overview provides background on the service organization. Infrastructure is next. Infrastructure provides a description of the software, people, procedures, and data. Next, we have Relevant Aspects of Controls. This section provides a description of the control environment, the risk assessment process, information communication systems, and monitoring of controls. Next, we have Complementary User-Entity Controls. This section provides a description of how controls are implemented at the user organization. Lastly, we have Trust Services Criteria, Related Controls, and Tests of Controls. This section outlines the controls in place and describes the tests on the effectiveness of the controls to meet the criteria.

If you have any questions about a SOC 2 report, or if you’re interested in our SOC 2 compliance services, please reach out to us today.