SOC2 Type 2 Review: A Guide
A SOC2 Type 2 report contains five sections you should review when evaluating a service provider.
This article briefly describes each section and identifies items to keep in mind when reviewing a SOC2 Type 2 report.
Auditor Reputation
Before diving into the report, determine whether the auditing firm is reputable.
- Only licensed CPA firms can issue SOC reports
- Licensed CPA firms must undergo a peer review every 3 years
- Determine whether the firm and the engagement team hold information security certifications
Report Time Period and Bridge Letter
Determine the period the report covers. If there is a gap between the end of that period and the time of your review, request a bridge letter.
The bridge letter is written by the provider's management, not the auditor, and states whether any material changes to the system or its controls have occurred since the end of the audit period.
Report Sections
Section 1 – Independent Service Auditor’s Report
Section 2 – Management’s Assertion
Section 3 – Description of the system
Section 4 – Trust Services Criteria and Related Controls
Section 5 – Other information provided by management
Section 1 – Independent Service Auditor’s Report
The independent service auditor provides an opinion on whether the system description is fairly presented and whether the controls were suitably designed and operating effectively over the period. A SOC report is not a pass/fail certificate; read the opinion and determine which of the four types is being provided.
- Unqualified Opinion: no material issues were found during the evaluation
- Qualified Opinion: at least one material issue was found, but its effect is not pervasive; read the qualification paragraph to see which controls or criteria are affected
- Adverse Opinion: issues are both material and pervasive. The vendor is most likely not reliable
- Disclaimer of Opinion: the auditor could not obtain sufficient evidence to form an opinion, and the possible effects are material and pervasive
Section 2 – Management’s Assertion
Management's written assertion that the system description is fairly presented and that the controls were suitably designed and operating effectively over the assessment period.
This section can usually be skimmed; it should simply agree with the auditor's opinion in Section 1.
Section 3 – Description of the system
Ensure this section covers the system or service your organization is planning on acquiring.
This section contains 9 segments.
- Overview of Services Provided
  Brief overview of the services provided. Ensure it describes the services you are procuring.
- Principal service commitments and system requirements
  The Trust Services Categories in scope should be listed along with what the provider commits to deliver to customers. These commitments should match what is in your MSA, SLA, and other contracts with the provider.
- Components of the system
  The infrastructure, software, people, procedures, and data the provider uses to deliver the service. That may include hosting providers, software tools, and other items. This segment helps you understand what tooling is in place.
- System incidents
  Description of any incidents affecting the system that caused the provider to fail to meet its commitments during the period.
- Control Activities
  Describes the processes and procedures in place around the tools listed in 'Components of the system'.
- Complementary user entity controls
  Controls the provider expects you, the purchaser, to put in place in order for the provider's commitments to be met. e.g. a SaaS provider requires the purchaser to notify it of employee terminations so that accounts can be offboarded. Confirm your organization actually performs these controls.
- Complementary subservice organization controls
  Controls the provider assumes are performed by its own subservice organizations (for example, its hosting provider) under a shared responsibility model. These controls are usually carved out of the audit, so check that those subservice organizations have their own SOC reports.
- Specific trust services criteria not applicable to the system
  Look for any criteria the provider has excluded and confirm the exclusion does not conflict with your MSA, SLA, or other agreements.
- Significant changes to the system during the period
  Describes any significant changes to the system during the audit period. A control introduced late in the period has had less time operating under test.
Section 4 – Trust Services Criteria and Related Controls
This section lists each control, the tests the auditor performed, and the results.
Look for any exceptions (tests the control failed), as these indicate how effective the provider's internal processes and procedures are. Also confirm that the controls tested cover the Trust Services Categories you care about; Security is always in scope, but Availability, Confidentiality, Processing Integrity, and Privacy are included only if the provider chose them.
Section 5 – Other information provided by management
Any exceptions from Section 4 are usually accompanied by a management response indicating a planned fix or the reason for the exception. Note that this section is provided by management and is not covered by the auditor's opinion, so treat its statements as unverified.