What is a SOC 2 Report? With Examples + Template

Satya Moutairou

4 Aug 2023


You’re facing a SOC 2 audit, and you don’t quite know what to expect or how to prepare for it. Although an independent auditor will inspect your company’s IT security program, you’re not entirely sure what information the resulting report may contain. To get fully prepared, it can be helpful to look at some real-life SOC 2 audit report examples. In the following article, we’ll look at a few sample SOC 2 reports, but first, let’s address the obvious question.

What is a SOC 2 report? 

A SOC 2 report is the product of a third-party audit: it describes the organizational structure of a company’s security program and states whether the controls in place are suitably designed, operating effectively, and in line with the SOC 2 criteria. The report may cover the following criteria: security, availability, processing integrity, confidentiality, and privacy. Of these, only security is mandatory; depending on the scope of the audit, some or all of the other criteria can be included.

Since a SOC 2 audit report may be shared with your potential business partners, it’s important to understand exactly what it says about your company’s security program. Structurally, a SOC 2 report contains five sections:

  • Section 1: Auditor Report, a summary of audit findings and their alignment with SOC 2 criteria
  • Section 2: Management Assertion, confirmation that the auditor had access to all relevant documentation
  • Section 3: Description of Company Program, an overview of your company’s security program
  • Section 4: Controls Tested, a detailed list of the security controls the auditor tested and the outcome of those tests
  • Section 5: Company Response, an optional company response to the auditor’s conclusion

Let’s look at each of these sections to understand their significance.

[Image: SOC 2 report layout]

The following SOC 2 report examples have been shortened for brevity; the full, free report template is available for download.

Section 1: Auditor report

In section 1, the independent service auditor specifies the scope of the audit (e.g., “This audit involves security plus availability and confidentiality.”). Section 1 is also where the auditor reveals how confident they are that your company is compliant with the security standards set by SOC 2. 

Often, people think the outcome of an audit is a simple pass or fail, but the real question is, “Did the company comply with all SOC 2 criteria?” Section 1 provides the answer to this question, which makes it the most important part of the report.

Section 1 provides a quick overview of whether the auditor encountered any issues and if they have reasonable assurance that your company is compliant. Test results in section 4 will then give more details about any problems they encountered.

Here’s an example of Section 1 of a SOC 2 report from the American Institute of Certified Public Accountants (AICPA).

[Example image: Section 1 of a SOC 2 report]

Section 2: Management assertion

While the auditor creates the management assertion section, the company being audited is required to sign this section. In doing so, the company confirms that they have provided the auditor with all the information and complete documentation needed to render an accurate judgment.

Companies do occasionally provide false information, or withhold information, during a SOC 2 audit, despite the reputational risk of doing so. Your signature here protects the auditor, who can then say, “We drew our conclusion based on the documents they gave us. We had no idea that they’d falsified information.”

[Example image: Section 2 of a SOC 2 report]

Section 3: Description of company program

The third section of the SOC 2 report provides a description of your company’s internal IT security controls, so it’s almost always the longest section of the report. Sometimes, a friendly auditor will offer to help you create this document, but most of the time, it’s your company’s responsibility. 

Section 3 can be very thorough or quite limited, depending on how much information you want to share. Either way, it is intended to be an overview of your company’s entire security program that includes a list of:

  • The system(s) being audited
  • All departments accessing the system(s)
  • Your IT policies and procedures
    • Risk assessment and incident response processes
  • How you onboard new employees
  • How you grant employees access to the security program

[Example image: Section 3 of a SOC 2 report]

Section 3 varies by company. Some feel safe sharing everything, including highly specific inside information about things like access controls, encryption, and possible vulnerabilities. Others take a far more cautious approach in order to protect themselves, concerned that a detailed description of their security infrastructure, including potential points of entry, may somehow reach attackers, even though the report isn’t meant for public consumption. The rise of hacking and the increased prevalence of ransomware have made this cautious approach more common. For those companies, Section 3 will contain only concise, key information.

Someone considering doing business with your company will find this part of the report very important because it reveals important details about the program being audited. It won’t tell them everything, but it will give a good idea of all relevant components, data security controls, and any notable incidents that led to system changes. 

Companies are responsible for Section 3

Your company won’t get to see Sections 1 and 2, or know what the auditor concluded, until the SOC 2 report is ready. However, you do have to sign the management assertion and build Section 3 before the audit starts. 

Many companies are unaware that they are responsible for Section 3, so they are left scrambling to create the document when the auditor asks for it. When that happens, it can delay the whole process because most auditing firms will refuse to start an audit without a completed Section 3. Fortunately, some auditors create pre-filled templates to help companies follow the required format and layout. 

Section 3 as a control of its own

One thing to note: Section 3 is intended to be a living document that reflects your company’s current state, so when you experience changes, those changes must be reflected in this section. For example, maybe your company recently migrated onto the cloud. That is a significant change that must be reflected in Section 3.

If you discontinued a consumer product this year or replaced it with a new product, the relevant information needs to be updated. In fact, this section should be treated almost as a control of its own, something that you maintain and update consistently and regularly, not at the last minute before an audit starts.

Since Section 3 gives a detailed overview of your company’s security program, it requires the collaboration of many different departments. Your marketing team writes a description of the system(s) being audited. Your engineering team provides an update on the company’s technical inventory. Process owners may need to provide details about relevant processes. All of this requires time, so early preparation will make an audit go a lot smoother.

Section 4: Controls tested

The fourth section of a SOC 2 report provides a detailed list of the security controls protecting customer data that the auditor tested. Typically, the auditor will describe how they inspected these controls and then share the test results from their inspection. 

Section 4 is where the auditor will explain the controls your company has implemented. If the auditor is 100% confident in your compliance, section 4 will be a description of those controls. If they are not 100% confident in your SOC 2 compliance, the auditor will explain which control failed to operate effectively and why.

Readers are most likely to be current stakeholders or people considering doing business with you, so what they find in this section may have a direct impact on your company’s bottom line.

[Example image: Section 4 of a SOC 2 report]

Section 5: Company response

In section 5, your teams can respond to the auditor’s observations of failed controls. For example, your team may say something like, “The auditor conducted this test, but in our defense, here is what we believe really happened.” 

From your response, a reader who is considering doing business with you may decide that the auditor was tougher than they needed to be and say, “We still feel comfortable working with this company.” It also provides them the opportunity to go back to your company and ask if you’ve fixed the problem. Bear in mind, companies have a lot of leeway for how they respond, and in some cases, you may decide not to respond at all. 

*Due to the nature of this section, no example will be provided. 


Be prepared for your next SOC 2 audit

Now that you have a better understanding of what to expect from a SOC 2 audit report, you should feel prepared to deal with your next audit. Remember, early preparation of Section 3 will help things go a lot more smoothly. Keep the information in that section updated so it accurately reflects your company’s current state. Don’t wait until the last minute before an audit begins!

Want to know what to do next? Check out how to securely share your SOC 2 report. If you need help, you can find a template for a SOC 2 audit report at the website of the American Institute of Certified Public Accountants (AICPA). You can also contact TrustCloud for additional help or information.