SOC2 Type 2 Review: A Guide


A SOC2 Type 2 report contains 5 sections you may want to review when evaluating a service provider.
This article briefly describes each section and identifies items to keep in mind when reviewing a SOC2 Type 2 report.

Auditor Reputation

Before diving into the report, determine if the report auditors are reputable.

  • Only CPA firms can issue SOC reports
  • Licensed CPA firms must undergo peer reviews every 3 years
  • Determine if the firm has information security certifications

Report Time Period and Bridge Letter

Determine the time period the report covers. If there is a gap between when the report was issued and the time of your review, request a bridge letter.
The bridge letter will detail any material changes since the report period ended.

Report Sections

Section 1 – Independent Service Auditor’s Report
Section 2 – Management’s Assertion
Section 3 – Description of the system
Section 4 – Trust Services Criteria and Related Controls
Section 5 – Other information provided by management

Section 1 – Independent Service Auditor’s Report

The independent service auditor provides their opinion on whether or not the organization passed the assessment. Review the opinion and determine which of the four types is being provided.

  • Qualified Opinion: at least one issue was identified during the evaluation
  • Unqualified Opinion: no issues were found during the evaluation
  • Adverse Opinion: there may be material or pervasive issues. The vendor is most likely not reliable.
  • Disclaimer: insufficient evidence was provided to form an opinion, with effects that could be material and pervasive.

Section 2 – Management’s Assertion

Management's acknowledgement that the system was suitably designed and operated effectively over the assessment period.
Reviewing this section is optional.

Section 3 – Description of the system

Ensure this section covers the system or service your organization is planning to acquire.
This section contains 9 segments.

  1. Overview of Services Provided
    Brief overview of the services provided. Ensure this segment describes the services being procured.
  2. Principal service commitments and system requirements
    The Trust Services Categories in scope should be listed along with the commitments the provider makes to its customers;
    these should match what is in the MSA, SLA, and other contracts you have with the provider.
  3. Components of the system
    Systems used by the provider to fulfill its security operations, which may include hosting providers, software tools,
    and other items. This segment helps you understand what tooling is in place.
  4. System incidents
    Description of any incidents affecting the system that caused the provider to fail to meet its commitments.
  5. Control Activities
    Describes the processes and procedures in place that surround the tools listed in 'Components of the system'.
  6. Complementary user entity controls
    Describes controls the provider expects the purchaser to put in place in order for the provider's commitments to be met;
    e.g., a SaaS company requires the purchaser to inform it of employee terminations so that accounts can be offboarded.
  7. Complementary subservice organization controls
    Describes how responsibility is divided between the provider and the subservice organizations it relies on, as in a
    shared responsibility model.
  8. Specific trust services criteria not applicable to the system
    Look for any excluded criteria that may be out of line with your company's MSA, SLA, or other agreements.
  9. Significant changes to the system during the period
    Describes any changes made to the system during the audit period.

Section 4 – Trust Services Criteria and Related Controls

This section details the tests the auditors performed on the listed controls and their results.
Look for any exceptions, as these indicate how effective the provider's internal processes and procedures are.

Section 5 – Other information provided by management

Any exceptions from Section 4 are usually accompanied by a management response indicating a planned fix or the reason for the exception.

Author: Beesham Sarendranauth