SOC 2 Audit Essential
The United States Public Company Accounting Oversight Board (PCAOB) is a private-sector, non-profit corporation, created by the Sarbanes-Oxley Act of 2002, to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative,
AICPA
AICPA is an organization of certified public accountants that proposes accounting standards and principles to ensure consistency and accuracy in the accounting profession.
SOC 2
(CC) Security, also known as common criteria: Controls that protect data from unauthorized access.
(A) Availability: Controls that ensure data can be accessed when needed for business use.
(C) Confidentiality: Controls that restrict unauthorized access to systems and data.
(PI) Processing integrity: Controls that ensure organizational systems process data accurately and reliably.
(P) Privacy: Controls that protect the rights of consumers and their data.
When you receive your SOC 2 report, it will be broken into five sections:
Management Assertion
Independent Service Auditor’s Report
System Description
Applicable Trust Services Criteria and Related Controls, Tests of Controls, and Results of Tests
Other information provided by the Management
In this section, the auditor shares their opinion on your SOC 2 audit readiness. It also includes a description of the scope of the audit, the organization’s responsibilities, the auditor’s responsibility, and the inherent limitations of the assessment, such as human error and circumvention of controls, to name a few.
Here are the four types of auditor opinions and what they mean:
An unqualified opinion means that the auditor did not find any issues during the audit. Every control tested was designed appropriately (Type 1 report) and operated effectively (Type 2 report).
An adverse opinion indicates that the organization materially failed one or more of the standards, and its controls and systems aren’t reliable.
This technically isn’t an opinion. It essentially means that the information provided wasn’t enough for the auditor to form an opinion. It happens when the auditors do not have access to the information they need or are unable to complete the audit impartially.
Note that this section gives only the overall status of the assessment. You won’t find details beyond that here.
Here’s a SOC 2 audit report example that highlights the auditor’s opinion.
Source: AICPA’s Illustrative Type 2 SOC 2 Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
This section includes details of the human resources, roles and responsibilities, and also features the list of system components and controls grouped with the relevant common criteria.
It covers a detailed account of the control environment, control activities (policies and procedures), information and communication systems, monitoring (to assess the quality of internal control performance through penetration testing and vulnerability scans), and risk assessment (the organization’s assessment of relevant risks and their management).
System components: You will find technical details such as where the organization (or its application) is hosted, the tools used and access control here. For instance, if your business is hosted in AWS, you will need to give details about the AWS environment here. It will contain a detailed description of your infrastructure, software, people, procedures and data.
Not applicable trust services criteria specifics: If any specific criteria didn’t apply to the organization, they would be described here.
The controls table in this section has the following columns: Control Criteria | Control Number | Control Description from the Organization | Test Description from the Auditor | Test Results
Source: AICPA’s Illustrative Type 2 SOC 2 Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
In a Type 2 report, you will find the controls list, the auditor’s tests and the test results for each listed control. This section (for a Type 2 report) will also showcase exceptions or deviations noted by the auditor.
Source: AICPA’s Information for Service Organization Management report
This section also contains information on the organization’s future plans that can have a bearing on its control environment and system(s).