System and Organization Controls (SOC) reports are pretty easy to read once you get a handle on how they’re structured. The reports are typically made up of 4 or 5 sections, not including the cover page and table of contents.
The section details below are provided to give a general idea of what’s included in each section. However, they’re not all-inclusive. I’ll go into more detail regarding some of the sections in later posts.
Section I: Independent Service Auditor’s Report
The Independent Service Auditor’s Report includes the scope of the engagement, service organization and service auditor responsibilities, and most important of all, the auditor’s opinion. The opinion will include 2 or 3 statements depending on whether it’s a Type 1 or Type 2 report.
A Type 1 report will indicate the description is fairly presented and the controls related to the control objectives were suitably designed as of a specific date (e.g., September 30, 2025).
A Type 2 report will indicate the description is fairly presented, controls related to the control objectives were suitably designed throughout the period (e.g., October 1, 2024 – September 30, 2025), and controls operated effectively to provide reasonable assurance the control objectives were achieved throughout the period (e.g., October 1, 2024 – September 30, 2025).

Section II: Management Assertion
The Management Assertion documents, from the perspective of the service organization’s management, the services included in the scope of the report and any services completed by subservice organizations (if applicable). It also acknowledges the service organization’s responsibilities in fairly presenting the system, and that the controls were suitably designed.
The service auditor will typically provide a Management Assertion template to the service organization for review and completion. The service organization has a choice to sign or leave it unsigned in the final report.
Section III: Description of the System
The Description of the System provides an overview of the service organization operations and controls in narrative form. There are certain aspects that are required to be included, while others can be limited by just referencing the control objectives and controls documented in Section IV. I’ve found the best system description includes more detail than just the control objectives / controls and provides a cross reference of controls between both sections.
This section also includes complementary controls for both users (service organization clients) and subservice organizations.
Section IV: Tests of Controls and Results
Control objectives, controls supporting each control objective, tests completed by the service auditor, and test results are noted in this section, typically in table format. The test results would note if any exceptions were found during testing, even if the report has a “clean opinion.” The best-case scenario for the service organization is for the test results to note something in line with “No exceptions noted.” for each control.

Section V: Other Information Provided by the Service Organization (Optional)
The Other Information section is optional at the discretion of the service organization. Some companies will use this section to provide additional information about their organization that was not included in the description of the system. This can include other services provided by the organization or future plans for the organization.
Also, in the event there were exceptions / issues noted during testing that were reported in Section IV of the report, some organizations will include additional background regarding the exception(s), action plans to remediate the control weaknesses, and if the action plans were already implemented.
The service auditor will review this section for adequacy, but it’s not subjected to the same procedures applied in forming an opinion. In other words, this section is not tested by the service auditor.
The Management Assertion, Description of the System, Control Objectives and Controls included in Section IV, and Other Information sections are all provided by the service organization. The only sections / parts noted above that are technically completed by the service auditor are Section I and the tests of operating effectiveness and test results columns included in Section IV.