# Understanding Your SOC 2 Report

Once your SOC 2 audit is complete, you'll receive a formal report from your auditor. Understanding what's in this report, and how to interpret it, helps you use it effectively with customers and stakeholders.

## Key Takeaways

| Point | Summary |
|---|---|
| Report structure | Five main sections: auditor's opinion, management assertion, system description, controls, and test results |
| The opinion matters | An "unqualified" opinion means your controls are working as designed |
| Exceptions are normal | Having some exceptions noted doesn't mean you failed |
| Confidentiality | SOC 2 reports are typically shared under NDA with customers |
| Validity | Reports are typically considered current for 12 months |

Quick Answer: Your SOC 2 report is a formal document from your auditor containing their opinion on your controls, a description of your system, the controls tested, and the results of testing. An unqualified opinion indicates your controls are designed and operating effectively.

## The Five Sections of a SOC 2 Report

### Section 1: Independent Service Auditor's Report (The Opinion)

This is the most important section. It contains the auditor's formal opinion on your controls.

Types of opinions:

| Opinion Type | Meaning |
|---|---|
| Unqualified | Controls are designed and operating effectively (what you want) |
| Qualified | Controls are generally effective, but with specific exceptions |
| Adverse | Significant control failures identified |
| Disclaimer | Auditor couldn't form an opinion |

An unqualified opinion is the standard result for a successful audit.

### Section 2: Management's Assertion

This section contains your organization's formal statement about:

- The accuracy of the system description
- The controls in place
- The period covered by the report

It demonstrates that management takes responsibility for the control environment.

### Section 3: System Description

A detailed description of your organization and systems, including:

| Element | What It Covers |
|---|---|
| Company overview | Description of your organization |
| Services | What services are covered by the report |
| Infrastructure | Technology and systems in scope |
| Software | Applications and tools used |
| People | Roles and responsibilities |
| Data | Types of data processed |
| Subservice organizations | Third parties used |
| System boundaries | What's in and out of scope |

This section helps readers understand what was actually examined.

### Section 4: Applicable Trust Services Criteria and Controls

Lists all the controls tested against the Trust Services Criteria:

- Which criteria are included (Security, Availability, etc.)
- Your specific controls that address each criterion
- How controls are implemented

### Section 5: Tests of Controls and Results

The detailed results of auditor testing:

- Which controls were tested
- What testing procedures were performed
- The results of each test
- Any exceptions or deviations identified

This is the evidence that controls are actually working.

## Reading Your Report Effectively

### Start with the Opinion

The opinion letter tells you the overall result. Look for:

- Type of opinion (unqualified is the goal)
- Any scope limitations
- The period covered

### Review the System Description

Check that it accurately reflects:

- Your organization as it was during the audit period
- The systems and services covered
- The boundaries defined during scoping

### Examine Test Results

For each control area:

- Were tests performed?
- What were the results?
- Are any exceptions noted?

### Understand Exceptions

Exceptions are specific instances where a control didn't work as expected. They don't necessarily mean failure:

| Exception Type | Typical Handling |
|---|---|
| Minor deviation | Noted but doesn't affect opinion |
| Isolated incident | Noted with context |
| Remediated issue | Noted as resolved |
| Systemic problem | May affect opinion |

## What Customers Look For

When customers review your SOC 2 report, they typically focus on:

#### The Opinion

- Is it unqualified?
- Does it cover the right period?

#### Scope Coverage

- Are the systems they care about included?
- Are the relevant Trust Services Criteria covered?

#### Specific Control Areas

- Access controls
- Change management
- Data encryption
- Incident response
- Vendor management

#### Exceptions

- How many exceptions?
- What type?
- Were they remediated?

## Type 1 vs Type 2 Reports

### Type 1 Report Contents

| Section | Coverage |
|---|---|
| Opinion | On design of controls at a point in time |
| System description | As of audit date |
| Controls | Listed and described |
| Testing | Design evaluation only |

### Type 2 Report Contents

| Section | Coverage |
|---|---|
| Opinion | On design AND operating effectiveness |
| System description | During observation period |
| Controls | Listed, described, and tested |
| Testing | Operating effectiveness over the period |

Type 2 reports are more comprehensive because they demonstrate controls working over time.

## Sharing Your Report

### With Customers

Standard approach:

- Share under NDA
- Provide watermarked PDF
- Use a secure sharing portal

What to include:

- Full report
- Any clarifying context if needed

### Publicly

SOC 2 reports are not typically shared publicly. For public-facing information:

- Consider SOC 3 (public summary)
- Use your Trust Center
- Reference your SOC 2 status on your website

## Report Validity and Currency

### How Long Is a Report Valid?

Technically, SOC 2 reports don't expire. However:

- Industry expects annual renewal
- Reports over 12 months old are considered stale
- Customers typically want reports from within the past year

### Bridge Letters

If your report is aging while you await renewal:

- Request a bridge letter from your auditor
- The letter confirms there have been no material changes since the last report
- It bridges the gap until the new report is ready

See our SOC 2 Bridge Letters guide for more details.

## Interpreting Common Report Elements

### Control Categories

Controls are typically organized by Trust Services Criteria categories:

| Category | What It Covers |
|---|---|
| CC1 | Control environment |
| CC2 | Communication and information |
| CC3 | Risk assessment |
| CC4 | Monitoring activities |
| CC5 | Control activities |
| CC6 | Logical and physical access |
| CC7 | System operations |
| CC8 | Change management |
| CC9 | Risk mitigation |

### Testing Terminology

| Term | Meaning |
|---|---|
| Inquiry | Auditor asked personnel about controls |
| Observation | Auditor watched control in operation |
| Inspection | Auditor examined documentation or evidence |
| Reperformance | Auditor re-executed the control procedure |

### Exception Descriptions

When exceptions are noted, you'll typically see:

- Description of the control
- What was expected
- What was observed
- Impact assessment

## Using Your Report for Sales

### Security Questionnaires

Your SOC 2 report can help answer security questionnaire questions:

- Reference specific controls
- Point to relevant report sections
- Demonstrate third-party validation

### Sales Conversations

Use your report to:

- Demonstrate security commitment
- Differentiate from competitors
- Reduce time spent on security reviews

### Marketing

While the full report is confidential, you can:

- Mention SOC 2 compliance status
- Display SOC 2 badge on website
- Reference in sales materials

## After Receiving Your Report

### Immediate Actions

- Review for accuracy
- Note any exceptions that need attention
- Set up secure sharing process
- Update marketing materials

### Ongoing

- Track report expiration
- Plan for annual renewal
- Address any noted exceptions
- Monitor for scope changes

## The Bastion Approach

We help you get the most from your SOC 2 report:

- Pre-audit preparation - Ensuring controls are ready so exceptions are minimized
- Report review - Helping you understand your report and its implications
- Sharing setup - Establishing secure processes for customer sharing
- Exception remediation - Addressing any noted issues before next audit

Questions about your SOC 2 report? Talk to our team.

## Sources

- AICPA SOC 2® Guide - Official guidance on SOC 2 report contents and structure
- AICPA Trust Services Criteria - Framework for control categories and testing
