Structure of a SOC 2 Report

A SOC 2 report has four main sections. The content varies between a Type 1 and a Type 2 report, and in most cases not all of the Trust Services Criteria (formerly the Trust Services Principles and Criteria) are in scope; the general structure of the report, however, remains the same:

Section 1 (Type 1 and Type 2 Reports)
The service auditor’s expressed opinion

Section 2 (Type 1 and Type 2 Reports)
A written assertion by management of the service organization

Section 3 (Type 1 and Type 2 Reports)
Management’s description of the service organization’s system

Section 4 (Type 1 and Type 2 Reports)
The service auditor's tests of controls and the results: design of controls (Type 1 and Type 2) and operating effectiveness over the review period (Type 2 only). Any exceptions or deviations noted during testing appear here.

This general structure, and the guidelines behind it, has been established by the AICPA. While this is the typical structure of a SOC 2 report, there is no single prescribed way to present it. Every SOC 2 report we've seen, and for that matter every SOC 1 report (issued under SSAE 16, now superseded by SSAE 18), differs in its presentation. That's acceptable in the eyes of the AICPA. What matters in the report structure is that all in-scope criteria are appropriately addressed and that the auditor's testing is sufficient to support the opinion.
