Section 5 of a SOC 2 report, the unaudited section, can vary significantly from report to report. It may contain a lot of detail about the service organization, or it may contain only management’s response to a deficiency. So what can go in this section? There are several topics a service organization can include to its benefit. This blog will discuss those topics, along with the characteristics of a well-written management response in Section 5.
How Do We Use Section 5?
It’s important to understand how a SOC 2 is compiled, so let’s make sure we have an understanding of each of the sections of a SOC 2 report.
The SOC report sections are broken down as follows:
Section 1: Independent Service Auditor’s Report
Section 2: Assertion of Management
Section 3: Description of the System and Controls
Section 4: Trust Services Category, Criteria, Related Controls, and Tests of Controls
Section 5: Other Information Provided That Is Not Covered by the Service Auditor’s Report
At Linford & Co., we move “Section 5: Other Information Provided…” to Section 6 and include “SOC 2 Requirements and Controls” as Section 5. Linford & Co. includes this mapping to give users of the report comfort that the required AICPA criteria are met for the Trust Services Criteria that are in scope (Security, Availability, Processing Integrity, Confidentiality, and Privacy). In this blog, when we refer to Section 5, we are referring to the AICPA’s “Section 5: Other Information Provided That Is Not Covered by the Service Auditor’s Report.”
What is “Section 5: Other Information Provided by the Service Organization”?
Section 5 differs from the other sections of a SOC 2 report because it is the only unaudited section. The service auditor will not require evidence to support the claims or statements made in this section. The service auditor will, however, read Section 5 prior to report issuance to make sure it contains no material inconsistencies with the audited sections and nothing that could mislead its readers.
Management Response to Audit Findings
Section 5 can be used for a myriad of reasons, the most frequent being as the location within the report for the service organization to provide its formal response to deviations or deficiencies identified by the service auditor. This response is called the “Management Response.” The one caveat is that statements made in the management response should not describe matters that are subject to the service auditor’s procedures. If they do, the service auditor must apply additional scrutiny to those statements. There are key questions to consider when writing a management response for a deviation or deficiency:
- What went wrong? Explain the root cause of the deficiency.
- What controls or procedures did management perform to lessen the risk of this deficiency? Describe the anticipated or completed mitigation around the deficiency.
- What fixed the deficiency? Conclude on the anticipated or completed remediation.
Sample Management Response to Audit Findings
Example Deficiency within Section 4 of the SOC 2:
- Controls Specified by Service Organization: The service organization has encrypted workstations.
- Procedures Performed by Service Auditor: For a sample of workstations, inspected the configurations and noted the workstations were encrypted.
- Results of Testing: Exception Noted. One out of ten sampled workstations was not encrypted.
Example Response within Section 5 of the SOC 2:
Due to an isolated issue with the monitoring tool used to track the encryption status of workstations, the service organization is aware of one unencrypted workstation. The service organization enabled encryption immediately after discovery. The user of the workstation did not have access to client data or the production environment. Service organization management inspected 100% of existing workstations and determined that encryption was enabled on all of them. The service organization is in communication with the monitoring tool’s support team to determine when the tool’s monitoring issue will be resolved.
The statement above includes the necessary elements of a well-written management response:
- Root cause: an issue with the monitoring tool.
- Mitigation procedures: the limited nature of the access held by the user in question, and management’s inspection of all other workstations.
- Remediation procedures: encrypting the unencrypted workstation, and the ongoing remediation discussions with the monitoring tool’s support team.
This response gives the user of the report a complete understanding of the deficiency, so they can determine its impact on their own operating environment.
If part of your remediation for a control is to design and implement a new control, discuss this with your auditor before adding details of the new control to your management response. If a new control is added to the scope of the audit, it will be tested within Section 4, even if it applies only to a limited portion of the examination period. In that scenario, statements about the new control in the management response would be subject to audit procedures, and the service organization would therefore be limited in what it can state. The response can instead refer to the new control as tested in Section 4.
What Other Information is in Section 5 of a SOC 2 Audit Report?
While Section 5 is usually reserved for confirmed deviations or deficiencies, the service organization can also use it to comment on non-occurrences or to explain significant shifts in the timing of the SOC 2. A control has a “non-occurrence” when it is designed but there are zero instances of the control operating during the audit period, so the service auditor is unable to test that the control is implemented and operating effectively. Service organizations may also modify the year-end of their SOC 2 report based on business cycles or to meet the contractual requirements of their customers. If the timing of your report has been significantly modified, consider noting this in Section 5 to let your customers know that, while the timing changed in the current year, it will remain consistent in future reports.
The service organization can include future plans for new systems in Section 5. If you intend to purchase a new system or add a new tool to your environment, this can be mentioned. It lets the reader know of anticipated changes to the environment or to the services they are being provided. It is equally important to let your auditor know, so everyone can prepare and determine whether there will be any effect on the audit.
The service organization can include details of other services that are provided, as long as those services are not included in the scope of the audit. By highlighting additional services in your SOC 2, your existing customers can gain knowledge about services of which they may have been unaware. This is also helpful if the SOC 2 is provided to prospective customers to inform them of services provided that are not in scope for the audit.
Significant organizational changes, restructuring, and new leadership can be beneficial to convey to customers in Section 5. Additionally, if a large acquisition occurred, the service organization can use Section 5 to alert the users of the report.
What is the Benefit of Adding Detail in Section 5?
Though Section 5 is unaudited, when a deviation or deficiency occurs your service auditor will typically ask you to develop a management response. The management response delivers the following:
- Confidence that the service organization and the service auditor are in agreement on the facts of the deficiency
- Transparency around the service organization’s completed or anticipated actions to address the deficiency
- An understanding of the tone at the top within the organization, through the relationship between management and its control environment
Conclusion
Over the course of this short read, we have covered a refresher on the SOC 2 report sections, with a specific focus on the AICPA’s Section 5: Other Information Provided That Is Not Covered by the Service Auditor’s Report. Hopefully, the overview of what can be included in Section 5 and the example of a proper management response to a deviation or deficiency provided useful insight. Section 5 can be a valuable tool for management to use to its benefit in a SOC report.
Linford & Company is an independent CPA firm that specializes in a variety of audit services, including SOC 1 and SOC 2 audits. If you have further questions please review our website and contact us to see how we can further assist you and your organization.
Hilary has eight years of IT audit and assurance experience. Prior to starting at Linford & Co, Hilary worked for Deloitte managing audit readiness assessments, Sarbanes-Oxley 404 and SOC examinations, and complex remediation procedures. Hilary is a certified information systems auditor (CISA), holds a Master’s Degree in Accounting from the University of Colorado-Denver and a Bachelor’s in Business Administration from Colorado State University.