“What am I looking at here?”
Tony Montana puts that question to his lawyer, George Sheffield, in the classic gangster film Scarface after he is arrested for tax evasion. In theory, Tony knows what he is up against, but he wants his lawyer to spell it out so that he knows exactly.
If you’ve just completed your first SOC examination, you may have received your final report but, like Tony, you’re not really sure what you’re looking at (though you’re probably pretty clear it’s not tax evasion charges). As a seasoned SOC assessor firm with over two decades of experience, we’ve provided thousands of organizations with a SOC report, and we want to help you avoid any potential confusion over the contents.
In this article, we’re going to break down a SOC report by section. Of course, we’re going to do this based on our report deliverable, but even if you use a different vendor who uses a different format, you should still glean a better understanding of the information contained within.
After reading, you’ll better understand both each section’s significance and how you and other readers you’ll share the report with can gain the most context, insight, and value from the report.
What are SOC Reports?
Perhaps we should first note that there are several different SOC reports, and most of them come in more than one type.

Report | Types available
---|---
SOC 1 | Type 1 / Type 2
SOC 2 | Type 1 / Type 2
SOC 3 | Type 2
SOC for Cybersecurity | Design-Only / Design & Operation
SOC for Supply Chain | Design-Only / Design & Operation

The report determines which controls are evaluated and against which objectives or criteria (a SOC 1 against the control objectives you specify, a SOC 2 against the Trust Services Criteria, and so on). The type determines what is evaluated about those controls and over what period: a Type 1 or Design-Only report covers whether controls were suitably designed as of a point in time, while a Type 2 or Design & Operation report also covers whether those controls operated effectively throughout a review period.

All that to say, depending on which report and type you opted for, yours may deviate slightly from the outline below in depth of content, and a SOC 3 report will look very different: it is a general-use report and does not include a Section 4 or Section 5 at all.

That slight disclaimer aside, so you are not caught off guard, your SOC report will in general contain the following five sections.
What’s in a SOC Report? The 5 Sections
Section 1: Independent Service Auditor’s Opinion
This section is formatted as a letter. It opens by describing the scope of the engagement: the system(s) examined, the examination date or period, your responsibilities as the service organization, and ours as the service auditor.
The most important part of this section, though, is the auditor's opinion on three questions:
- Was the description of the system you provided fairly presented or in accordance with description criteria?
- Were your controls suitably designed to achieve control objectives or service commitments and system requirements based on criteria?
- And, if it’s a Type 2 or Design & Operation report, did the controls operate effectively throughout the period?
Section 2: Management’s Assertion
Following that is another section formatted as a letter, but this one—rather than coming from us, or your auditor—is prepared and submitted by you, the organization being assessed.
It's called a Management's Assertion, and in it your leadership confirms that:
- They prepared the system description.
- The description is fairly presented, or presented in accordance with the description criteria, and the assertion identifies which criteria were used.
- The controls were suitably designed to achieve the control objectives, or the service commitments and system requirements, based on the applicable criteria.
- In Type 2 or Design & Operation reports, the controls operated effectively throughout the period.
Section 3: Description of the System
Following those two relatively short sections, Section 3 contains far more detail: an in-depth description of the system examined, broken into several subsections. A few of the most important, in order:

Subsection | What it covers
---|---
Overview of the organization | Helps readers better understand your organization.
System components | Describes the components used to achieve your business objectives, including the infrastructure and software in your environment and the people responsible for providing the service.
Control environment | Covers your company's ethical values, organizational structure, and methods of accountability, which are the foundation of your internal controls.
Risk assessment | Describes responsibility for risk, risk identification, internal and external risk factors, and risk analysis.
Information and communication | Lists the methods used to relay information to employees (policies, training, and tools) and describes how each party's roles, commitments, and requirements are communicated to external users.
Monitoring | Outlines the activities in place to verify that internal controls are operating as intended, which may include operational procedures, separate evaluations, and reviews of the monitoring procedures themselves.
Complementary User Entity Controls (CUECs) | Whether these are included depends on the scope of your report. If they are, this subsection lists the controls your user entities (usually your customers) are expected to implement so that the control objectives above can be met. For example, your customers might be expected to confirm that each user account provisioned to access your system was set up correctly and given only the permissions appropriate to that user's role.
Section 4: Control Activities
Note: not included in a SOC 3 or SOC for Cybersecurity report.
For the reports that have it, this section is considered the "core" of the report, as it lists the specific controls in scope for the engagement. The layout varies between SOC 1 and SOC 2 (controls are organized under your control objectives in a SOC 1 and under the Trust Services Criteria in a SOC 2) and between Type 1 and Type 2, but regardless of report and type, the control activities you specified are detailed here.
Type 2 Reports
If you opted for a Type 2 report, this section contains even more, including:
- An explanation of the types of testing performed by your service auditor (inquiry, observation, inspection, and reperformance); and
- The testing results for each control, including any exceptions noted.
Section 5: Other Information Provided by the Service Organization
Note: not always present.
This is an unexamined section that may appear in your SOC report for any of the following reasons:
- The report received anything other than an unqualified opinion, meaning one or more controls were found not to be suitably designed and/or not operating effectively. You may choose to respond here and provide context around the deficiencies that led to that opinion.
- The opinion was unqualified, but one or more testing exceptions were found. Similarly, you may respond to the exception(s) here and tell readers what steps you took to remedy them.
- You want to share information that is outside the scope of the examination, or that is not permitted to be in scope. You may also use Section 5 to tell readers about plans for the future and anticipated changes to the environment or services offered.
Note, however, that this section presents your response only: your service auditor does not examine or modify it, and the opinion in Section 1 does not cover it.
Moving Forward with Your Next SOC Examination
Tony Montana knew he was operating outside the law and shouldn't have been; he likely wasn't even surprised when the police showed up. But he still asked his lawyer to clarify the details. Similarly, this breakdown should give you a clearer picture of what is in your SOC report, so you understand more precisely what you'll be reading once the audit is completed.
Now that you’ve gained that clarity, it’s time to both take full advantage of a completed SOC examination and prepare for your next one—luckily, we have resources that can help:
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.