August 30, 2023

SOC 2 Report Types


If you’re landing on this page from a search engine, chances are you’re just starting out on your SOC 2 journey. You can find out more about Service Organisation Control (SOC) 2 in our SOC 2 hub, or read on to learn more about SOC 2 report types and how to achieve an unmodified opinion – aka a successful SOC 2 audit.

What is a SOC 2 report?

A SOC 2 report is an internal controls report illustrating how an organisation safeguards its customers’ data. The report also evaluates the effectiveness of the organisation’s controls over a specified time period. There are two different types of SOC 2 reports:

  • SOC 2 Type 1;
  • SOC 2 Type 2.

SOC 2 Type 1 reports evaluate the effectiveness of controls at a single point in time, while SOC 2 Type 2 reports evaluate the effectiveness of controls over a longer period, for example six months or a year.

Each report is based on the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and documents the organisation’s controls in line with:

  • Information security
  • Availability
  • Process integrity
  • Confidentiality
  • Privacy.

The scope of the report must include all criteria within each Trust Principle, which allows an auditor to assess the efficacy of a business’s operational and compliance controls.

Unlike ISO 27001 audits, which must be performed by a certified auditor, SOC 2 reports must be run by a Certified Public Accountant (CPA). SOC 1 evaluates internal controls relevant to a service organisation's client's financial statements, while a SOC 2 report addresses a service organisation's controls that are relevant to its operations and compliance.

In essence, a SOC 2 report is an auditor’s opinion of how an organisation’s controls fit the principal requirements.

What is a SOC 2 Type 2 Report?

As we mentioned, SOC 2 Type 1 reports evaluate an organisation’s controls at a particular point in time, and SOC 2 Type 2 reports evaluate an organisation’s systems, controls and these controls’ effectiveness over a longer period, generally between six and twelve months.

SOC 2 Type 1 reports can be used by an organisation to establish whether its controls are suitably designed. SOC 2 Type 2 reports, by contrast, assure an organisation’s customers and potential customers that the organisation effectively protects customer data and maintains a high level of information security.

Once the SOC 2 Type 2 audit is complete, the auditor will issue an opinion based on the control descriptions management has provided versus the actual effectiveness of the controls. This could be:

  • An unmodified opinion, meaning there are no material errors or flaws in your systems.
  • A qualified opinion, meaning the auditor has discovered material flaws in system control descriptions, but they’re limited to specific areas.
  • An adverse opinion, meaning there are inaccuracies in your controls’ descriptions, and vulnerabilities in design and operational efficacy.

Achieving SOC 2 Type 2 With Hicomply

Using the Hicomply tool, you and your compliance team can speed up preparation for your SOC 2 Type 2 audit and set your organisation up for success. The Hicomply workflow feature allows you to build the required policies and procedures for your SOC 2 compliance into automated, intelligent workflows.

Instead of painstakingly building out your processes, automatically trigger them within Hicomply, including the required notifications and stages to match the requirements of your ISMS or SOC 2 policy. The Hicomply dashboard also allows authorised users to see, quickly and easily, the status of risks, incidents and overall compliance, reducing the risk of key person dependencies and making your SOC 2 processes more efficient.

Learn more about SOC 2 in our SOC 2 hub.
