What is a SOC 2 Attestation?

SOC 2
Written By Ryan Johanson

The SOC 2 report, or attestation, is the output of the audit. It contains the opinion of the auditor, a description of the platform being audited and the results of the audit.

Section 1 -Independent Service Auditor’s report

The opinion section of the audit report lays out the scope of the audit, the company’s responsibilities, the CPA (auditors) firm’s responsibilities, any imitations of the audit and the opinion.

The audit firm expresses an opinion on three distinct but complementary subject matters.

  1. Whether the description of the system is presented in accordance with the description criteria.

  2. Whether controls were suitably designed to provide reasonable assurance that the company’s services commitments and system requirements were achieved based on the applicable trust services criteria.

  3. Whether controls operated effectively to provide reasonable assurance that the company's service commitments and system requirements were achieved based on the applicable trust service criteria.

Below is what the opinion of a “clean” audit should look like.

In our opinion, in all material respects,

a. The description presents XYZ, Inc.’s Really Cool (system) that was designed and implemented throughout the period of Month 01, 202X to Month 31, 202X in accordance with the description criteria.

b. The controls stated in the description were suitably designed throughout the period Month 01, 202X to Month 31, 202X, to provide reasonable assurance that XYZ, Inc.’s service commitments and system requirements would be achieved based on the applicable trust services criteria if its controls operated effectively throughout the period and if the sub-service organization and user entities applied the complementary controls assumed in the design of XYZ, Inc.’s controls throughout the period.

c. The controls stated in the description operated effectively throughout the period Month 01, 202X to Month 31, 202X, to provide reasonable assurance that XYZ, Inc.’s service commitments and system requirements were achieved based on the applicable trust services criteria if complementary sub-service organization controls and complementary user entity controls assumed in the design of XYZ, Inc.’s controls operated effectively throughout the period.

Section 2 - Assertion of XYZ Management

In this section the organization’s management basically says that the company has done everything according to the guidelines the AICPA has laid out, they haven’t lied or hid anything from the auditors. Below is a sample of what the company’s management is asserting. 

We confirm, to the best of our knowledge and belief, that:

a. The description presents XYZ, Inc.’s Really Cool (system) that was designed and implemented throughout the period of Month 01, 202X to Month 31, 202X, in accordance with the description criteria.

b. The controls stated in the description were suitably designed throughout the period Month 01, 202X to Month 31, 202X, to provide reasonable assurance that XYZ, Inc.’s service commitments and system requirements would be achieved based on the applicable trust services criteria if its controls operated effectively throughout that period, and if the sub-service organization and user entities applied the complementary controls assumed in the design of XYZ, Inc.’s controls throughout that period.

c. The controls stated in the description operated effectively throughout the period Month 01, 202X to Month 31, 202X, to provide reasonable assurance that XYZ, Inc.’s service commitments and system requirements were achieved based on the applicable trust services criteria if complementary subservice organization controls and complementary user entity controls assumed in the design of XYZ, Inc.’s controls operated effectively throughout that period.

CTA: READ More: 

Section 3 - System Description

In this section, the organization lays out the platform or system that is being audited. They are “drawing a box” around what was in the scope of the audit. The system is defined as the “infrastructure, software, procedures and data that are designed, implemented and operated by people to achieve one or more of the organization's specific business objectives (for example, delivery of services or production of goods) in accordance with management-specified requirements.”

DC Section 200 says, “Though the description is generally narrative in nature, there is no prescribed format for the description. Flowcharts, matrixes, tables, graphics, context diagrams, or a combination thereof may be used to supplement the narratives contained within the description.” This means that there is no one way that the system description needs to be laid out. As long as it covers the required information and is able to be understood by the reader it is acceptable. 

Most auditors will have a template for you to use. Some SOC 2 readiness platforms also have a template generator. 

You can contact us for our template.

You can also read the specific guidelines from the AICPA here .

Description of Test of Controls and Results Thereof

This is where the auditor lays out the controls that were tested and the results of the tests. You hope to see “No exceptions noted” in the Results of Service Auditor’s Test of Controls column. This means that the auditor found that the organization was following the control based on the evidence. 

If you see “No events to test” it means that the event did not occur during the audit period. For example, a smaller start-up company may not have any employees that terminated during the audit period. The auditor would not have any evidence to show that the company did or did not follow the applicable procedures and policies. 

If you see “Exceptions noted”, it means that the auditor found in some situations that the organization did not follow the control. If you see this you will also see a Section V of the report, where management responds to why the control experienced exceptions during the examination period.

Sample SOC 2 report

The AICPA has created a sample report

Your report’s format will look slightly different based on the CPA firm performing the audit but all of the critical information will be there.

The SOC 2 report, or attestation, is what your customer will request to make sure that your security posture is up to industry standards and that you are a safe company to work with. We advise those with a SOC 2 report to have those you are sharing it with sign an NDA (non disclosure agreement) due to the sensitive nature of the contents of the report.

ABOUT JOHANSON GROUP:

Johanson Group, based in Colorado Springs, CO, provides audits and professional services to public and private companies in a variety of industries world wide.

We serve:

  • SaaS Start-ups

  • SaaS Healthcare Organizations

  • Established SaaS Companies

  • Government SaaS Organizations

We provide:

  • SOC 2 assessments

  • HIPPA assessments

  • ISO/IEC 27001 reports

Ryan Johanson
Previous

Your Pre-Audit Checklist for SOC 2 Compliance
Next

Essential Knowledge: SOC 2 Compliance Requirements