SOC 2 reports are, in official terms, attestation reports. So what does that mean and why is it relevant when thinking about SOC 2 reports?

First, the definition:

  • attestation report – a consulting service in which a CPA expresses a conclusion about the reliability of a written statement that is the responsibility of someone else

When we break down that definition, we can apply it to SOC 2 reports.

  • Consulting service – the examination engagement that the CPA will provide in order to deliver the SOC 2 report.

  • Expresses a conclusion – this is the actual CPA’s report (which includes their opinion), and often included as “section 1” of a complete SOC 2 report.

  • Written statement – this is “management’s assertion” in the SOC 2 report and often is included as “section 2”. The management assertion will state that the company prepared the system description, as well as that the controls in that description were suitably designed as of a specific date (and operating effectively over a period of time if a type 2 report).

Putting that all together, in our SOC 2 attestation report, we have:

  • Section 1 – CPA’s report with an opinion on management’s assertion

  • Section 2 – Management’s assertion that includes their statement about the system and its controls

  • Section 3 – System description (as referenced in Section 2 from management)

[1] “Attestation report – definition of attestation report by The Free ….” Accessed 10 Aug. 2020.

  • Section 4 – shows the criteria that the controls are measured against, the controls themselves, and in type 2, the CPAs testing of those controls and results of tests

So why is all of this relevant for SOC 2?

The boring answer is that attestations follow AICPA standards (in particular SSAE 18). But, when you break it down, it comes down to the assertion made by your company. In your assertion, you are going to state things like:

  • The system description was prepared in accordance with the AICPA’s description criteria

  • The system can meet the commitments to your customers (for security, availability, etc.), and that the system has requirements in place to help meet those commitments. (NOTE – these are measured against the in-scope trust services criteria).

Your CPA then comes in and measures these assertions through inquiry, examination, testing, etc. Your CPA then forms the report based on these tests, and from there, you have your SOC 2 report (there’s a little more to it than that, but let’s keep this simple).

Did this answer your question?