What Is a SOC 2 Report? [+ Example]

So, your customer or client asked you for a SOC 2 report. Now what? 

You’re probably wondering what exactly this report looks like, why you need it, and most importantly, how to get it. 

While each SOC 2 report is as unique as the organization it audits, there are common themes woven throughout each report. We dig into what SOC 2 reports entail and how they’re structured, and include images of SOC 2 report examples below.

What Is a SOC 2 Report?

A SOC 2 report is an attestation by a certified public accountant (CPA) stating that your organization meets the official SOC 2 standards issued by the American Institute of Certified Public Accountants (AICPA).

The report—typically requested by a prospective or existing customer—helps them confirm that your company’s security complies with or exceeds industry standards. Or, in other words: You’ll keep their data, customers, and systems protected. 

There are two types of SOC 2 reports:

SOC 2 Type 1 is a point-in-time report. This means the auditor checks your security at a single point in time. Are you secure today? A Type 1 report asks the auditor to check your security for that particular moment.

This report is a great way to ensure the security measures you’ve recently implemented meet industry standards. It can help you prove to leadership that the hard work your team has been putting into compliance will pay off. And it can prove to prospective customers and clients that you are on your way to long-term, ongoing security compliance.

That said, Type 1 is considered a lower-value type of report because it doesn’t show long-term commitment to compliance. It only shows that at one specific point in time, you were able to meet the standards.

The more valuable report is SOC 2 Type 2. This report shows compliance over time—often covering a period of at least three months to up to a year. In this report, the auditor looks at your compliance—not just for the last week, but for the past year (or the past three or six months). This report helps prospective clients feel comfortable with your ongoing commitment to security and compliance.

Which Trust Services Criteria Are Required for a SOC 2 Report?

SOC 2 reports focus on one or more of AICPA’s five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only required TSC for a SOC 2 report. 

Many companies also choose to audit their Availability and Confidentiality because both requirements help prove to customers their data is protected. For companies in healthcare, a Privacy audit may also be requested. While rare, some companies may choose to include Processing Integrity criteria.

What’s Included in a SOC 2 Report?

No matter which combination of TSC you audit for, a completed SOC 2 report includes five sections:

• The auditor report

• Management assertion

• Detailed system description

• Test results

• Other Information Provided by the Service Organization (Optional)

The Auditor Report 

This report—also known as an opinion letter—is the auditor’s summary of their audit. It typically includes:

• When the auditor started the project

• The scope of their review

• The time period covered (is it a single point-in-time or a year’s review?)

• Anything good or bad they found during the audit

• An opinion on your security (or other criteria)

The opinion section can fall into four categories.

1. Unqualified is an A-plus. It means everything looks great. You’re fully compliant.

2. Qualified means you came close. Your SOC 2 compliance is looking good, but the auditor still wants you to address a few things.

3. Adverse means you aren’t there yet. Your compliance program needs work.

4. Disclaimer of Opinion means the auditor cannot issue an opinion due to limitations in the scope of their audit. 

Management Assertion

This is where you (the business owner) and your management team talk about the audit from your perspective. It covers the scope, timeline, and other relevant considerations from the business's perspective instead of the auditor's.

While you’re required to write the management assertion, it can be a tricky task for those going through a SOC 2 audit for the first time. You can ask your auditor to provide an example or two of what a management assertion could look like. 

Detailed System Description

Your system description makes up the bulk of your SOC 2 report. This section is authored by you (the business owner) and/or your teams. Think of this portion of the report as an overview of your company and its systems, teams, and security controls. 

You’ll talk about the trust service principles and how your compliance program addresses them. And you’ll give clients a detailed look at the best practices in place across your organization.

This section often includes: 

• Key features of the system

• Principle service commitments and system requirements

• System boundaries

• Trust Services Criteria not applicable to the system

• Subservice organizations

• Relevant aspects of the control environment, risk assessment, information and communications, and monitoring

• Incidents and system changes

Test Results

Test results are the final section where the auditor backs up your assertions and covers the systems, teams, and security controls in their own words. 

This section includes: 

• The controls applicable to the TSC.

• A description of the tests performed by the auditor. 

• The results of the auditor’s tests. 

Other Information Provided by the Service Organization

This final section is optional and provides additional relevant information not covered in the report. Typically, this section will include management's responses to exceptions, but can include any information the service organization is relevant to the report user, such as information about a recent acquisition.

SOC 2 Report FAQ

Below, we answer a few commonly asked questions about SOC 2 reports. 

Where Can I Find a SOC 2 Report Example?

To give you an idea of what a real SOC 2 report looks like, we recommend reviewing the AICPA’s SOC 2 report example. 

Who Needs a SOC 2 Report?

With security top of mind for pretty much everyone these days, any company that handles data (which is most of us) should be prepared to provide a SOC 2 report to prospective clients.

Remember that it can take over a year to become compliant and get a Type 2 report, so it’s best to work on compliance as soon as you can—even if you haven’t received a request from a prospect just yet. 

What Are SOC 2 Reports For?

The company requesting a SOC 2 report is typically one that wants to hire you as a vendor. They’re asking for SOC 2 because they want to confirm your security compliance and feel safe working with you.

Sometimes they'll request the report for their own peace of mind. Or maybe they need it to give their clients peace of mind. Sometimes they have industry standards to meet on their end. Other times there are compliance or regulatory standards they have to comply with. Often, all four of these reasons intersect.

Who Creates SOC 2 Reports?

CPAs must create and issue SOC 2 reports. Any CPA firm can technically do your report, but we suggest looking for one with strong security experience. If a firm only does a few SOC 2 reports each year, the process might not be as smooth and straightforward as it would be with a firm that has a dedicated team for SOC 2.

Look for CPAs experienced with SOC 2 reports and your specific industry. CISA and CISSP certifications are a plus. And don’t forget to check references before a firm.

How Does SOC 2 Differ From SOC 1 and SOC 3?

While we focus on SOC 2 in this article, there are actually three types of SOC reports. 

• SOC 1 is about meeting financial standards.

• SOC 2 is a more detailed, security-focused report. It often includes confidential information and a high level of detail about your security programs.

• SOC 3 is a high-level, public-facing version of a SOC 2 security report (with anything confidential scrubbed out).

How Much Does a SOC 2 Report Cost?

The cost of a SOC 2 audit can range from $12,000 to $100,000, depending on the complexity of your audit.

Factors that your auditor should be asking about when giving you an estimate include:

• The scope of your audit/report

• Your organization's size and complexity

• The maturity of your compliance program

• The number of trust services criteria you want to include

For an accurate quote, speak directly with a CPA firm.

How Drata Can Simplify Your SOC 2 Report Process

SOC 2 compliance is a vital part of being a tech vendor, but SOC 2 audits can be complicated, lengthy, and stressful. That’s where Drata comes in. 

Our automation software lets you easily collect and provide evidence auditors need, generate reports and overviews, and flag when there’s a risk to your compliance. Auditors can log into the tool and directly pull the info they need. Our tool also allows you to easily share dashboards and reports in a simple, easy-to-digest format.

Ready to simplify your SOC 2 reporting process? Schedule a free demo today.