866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

How to Read Your SOC Report Blog Feature
Jonalea Gaalema

By: Jonalea Gaalema

Print/Save as PDF

How to Read Your SOC Report

SOC Examinations

“What am I looking at here?”

Tony Montana asks George Sheffield that question during the classic gangster film Scarface after being arrested for tax evasion. Theoretically, Tony knows what he’s up against, but he wants his lawyer to be specific and explicit, so he knows exactly.

If you’ve just completed your first SOC examination, you may have received your final report but, like Tony, you’re not really sure what you’re looking at (though you’re probably pretty clear it’s not tax evasion charges). As a seasoned SOC assessor firm with over two decades of experience, we’ve provided thousands of organizations with a SOC report, and we want to help you avoid any potential confusion over the contents.

In this article, we’re going to break down a SOC report by section. Of course, we’re going to do this based on our report deliverable, but even if you use a different vendor who uses a different format, you should still glean a better understanding of the information contained within.

After reading, you’ll better understand both each section’s significance and how you and other readers you’ll share the report with can gain the most context, insight, and value from the report.

What are SOC Reports?

Perhaps we should first note that there are different SOC reports, in addition to different types of them.

SOC Reports

SOC Report Types

SOC 1

Type 1 / Type 2

SOC 2

Type 1 / Type 2

SOC 3

Type 2

SOC for Cybersecurity

Design-Only / Design & Operation

SOC for Supply Chain

Design-Only / Design & Operation

The different SOC reports evaluate different controls against different objectives or criteria—for more in-depth details, check the links provided—whereas the report type determines what about those controls is evaluated and for what amount of time.

All that to say, depending on what SOC report and what type you opted for, your report may deviate slightly from the following in terms of the depth of content, and SOC 3 reports will look very different—that’s a general use report and won’t include a Section 4 or Section 5 at all.

It’s important to provide that slight disclaimer so you’re not caught off guard, but in general, your SOC report should contain the following, to an extent.

What’s in a SOC Report? The 5 Sections

Section 1: Independent Service Auditor’s Opinion

Formatted as a letter, we’ll start this section off by describing the scope of the engagement, including the system(s) being examined, the examination date/period, your responsibilities, and our responsibilities.

But the most important part of this section is the auditor’s opinion of the following things:

  • Was the description of the system you provided fairly presented or in accordance with description criteria?
  • Were your controls suitably designed to achieve control objectives or service commitments and system requirements based on criteria?
  • And, if it’s a Type 2 or Design & Operation report, did the controls operate effectively throughout the period? 

Section 2: Management’s Assertion

Following that is another section formatted as a letter, but this one—rather than coming from us, or your auditor—is prepared and submitted by you, the organization being assessed.

It’s called a Management’s Assertion, and it confirms that:

  • Your leadership prepared the system description.
  • The description of the system is fairly presented or in accordance with description criteria.
  • The criteria used in that description.
  • The controls were suitably designed to achieve control objectives or service commitments and system requirements based on criteria.
  • In Type 2 or Design & Operation reports, the controls operated effectively throughout the period. 

Section 3: Description of the System

Following those two relatively short sections of your report, Section 3 will contain more details, as it features an in-depth description of the system examined. These details will be broken into several subsections. We’ve highlighted a few as follows (in order):

Overview of
Operations

Helps readers better understand your organization through an overview of:

  • Your business
  • The specific system being audited
  • How your organization or system operates
  • A high-level description of the processes and procedures used to carry out the functions of the organization or system

System
Components

Describes organization components used to achieve your business objectives, including information on the infrastructure and software in your environment and the people who are responsible for providing the service.

Valuable procedural details are also included here which let your readers know about organizational policies and processes related to:

  • System access
  • Change management
  • Data backup
  • Incident response

Control
Environment

Includes information related to your company’s ethical values, organizational structure, and methods of accountability, which are considered foundational to the internal controls of your organization.

Risk Assessment

Describes your risk responsibility, risk identification, risk factors—external and internal—and risk analysis.

Information and Communication

Lists the methods used to relay information to employees, including via policies, trainings, and tools. Also describes how details pertaining to each party’s roles, commitments, and requirements are communicated to external users.

Monitoring

Outlines operational activities in place to verify that internal controls are operating as intended. May include operational procedures, separate evaluations, and reviews of the monitoring procedures.

Complementary Controls at User Entities (CCUEs)

and/or

Complementary Controls at Service Organizations (CCSOs)

***Whether these are included depends on the scope of your report.

If they are included, this subsection outlines the control activities that your user entity (usually the customer) is expected to implement to help meet the aforementioned control objectives.

For example, if CCUEs are present, your customers may be expected to implement controls that ensure each user account that was provisioned to access your system was properly set up and contained the appropriate permissions according to each user’s role.

Section 4: Control Activities

**Not Included in a SOC 3 or SOC for Cybersecurity Report

For certain SOC reports, this next section is considered the “core” of the report, as it lists the specific controls included in the scope of the engagement. Depending on whether your report is a SOC 1 or SOC 2 or Type 1 or Type 2, it’ll contain variations but, regardless of the report type, you can expect the details of the control activities you specified to be contained here.

Type 2 Reports

Moreover, if you opted for a Type 2 report, it’ll contain even more detail, including:

  • Explanation of the different types of testing performed by your service auditor (inquiry, observation, and inspection testing); and
  • The testing results for each test activity. 

Section 5: Other Information Provided by the Service Organization

**Not Always Present

This is an unaudited section that may appear in your SOC report due to the following reasons:

  • If a report had anything other than an unqualified opinion: Meaning that controls(s) were not found to be suitably designed and/or operating effectively—you may have chosen to respond here and provide context surrounding the deficiencies that led to that opinion.
  • If the report opinion was unqualified, but a testing exception was found: Similarly, you may choose to respond to any exception(s) here, using Section 5 as an opportunity to inform readers of your report of steps you took to remedy the deficiencies or exceptions that were discovered during the audit.
  • Provide information not in the scope or not allowed to be in the scope of the examination: You may also choose to use Section 5 as an opportunity to inform readers of your plans for the future and changes that are anticipated to impact the environment or services offered. 

However, please note that this section is solely intended to present your response—it is not modified by your service auditor in any way.

Moving Forward with Your Next SOC Examination

Tony Montana knew he was operating outside the law and shouldn’t have been—he likely wasn’t even surprised when the police showed up. But he still asked his lawyer for clarification on the details. Similarly, this content should give you better clarification about the contents of your SOC report, allowing you to understand more precisely what you’ll be reading once the audit is completed.

Now that you’ve gained that clarity, it’s time to both take full advantage of a completed SOC examination and prepare for your next one—luckily, we have resources that can help:

About Jonalea Gaalema

Jonalea Gaalema is an Experienced Associate with Schellman, based out of Dallas, Texas. Prior to joining the firm in 2022, she held business management and accounting roles after receiving her MBA. Jonalea now maintains multiple industry certifications related to cybersecurity, information systems auditing, cloud security, and governance. As an auditor at Schellman, Jonalea supports a variety of compliance examinations and is primarily focused on SOC 1 and SOC 2 attestations for organizations across various industries. 

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.