The Anatomy of a SOC 2 Report

1) Auditor’s Opinion

The opinion states whether controls were suitably designed (Type I) and, for a Type II report, whether they also operated effectively over the period.

2) Management’s Assertion

Management declares its responsibility for the system description and for control design and operation against the Trust Services Criteria (TSC).

3) System Description

Scope, services, boundaries, relevant infrastructure, software, people, processes, and data.

4) Controls, Tests & Results

Control activities with auditor’s procedures and sample results, plus exceptions and observations.

5) Complementary Information

  • Complementary User-Entity Controls (CUECs)
  • Subservice organizations & carve-outs
  • Other relevant information and management response