
Understanding SOC 2 Attestations: From Basics to Audit Readiness
This course explains how SOC 2 attestations work, from what SOC 2 is and why it matters, through the Trust Services Criteria and control design, to how independent auditors perform SOC 2 Type I and Type II examinations and issue reports. You will learn the lifecycle of a SOC 2 engagement, key roles and documents, and how organizations prepare for, undergo, and maintain SOC 2 attestation over time.
Course Content
8 modules · 2h total
What Is SOC 2 and Why Does It Matter?
Introduces SOC 2, its purpose, and how it fits into the broader ecosystem of security and compliance frameworks for service organizations.
Trust Services Criteria: The Backbone of SOC 2
Covers the AICPA Trust Services Criteria (TSC) that underpin SOC 2 examinations and how they relate to security, availability, processing integrity, confidentiality, and privacy.
SOC 2 Attestation Types and Report Structure
Explains the difference between SOC 2 Type I and Type II attestations and walks through the main sections of a SOC 2 report and what each audience cares about.
Scoping a SOC 2 Engagement and Defining the System
Focuses on how organizations and auditors define the scope of a SOC 2 examination, including system boundaries, services, locations, and relevant Trust Services Categories.
Designing and Implementing SOC 2 Controls
Covers how organizations translate Trust Services Criteria into concrete controls, policies, and procedures that will be evaluated during a SOC 2 examination.
How Auditors Perform a SOC 2 Examination
Explains the independent service auditor’s role, the attestation standards they follow, and how they gather and evaluate evidence to issue a SOC 2 opinion.
Inside the SOC 2 Report: Opinions, Findings, and Use
Walks through how to read and interpret a SOC 2 report, including the auditor’s opinion, description of tests and results, and how customers use the report for risk assessments.
Preparing for and Maintaining SOC 2 Attestation
Focuses on the practical lifecycle of SOC 2 compliance, including readiness assessments, remediation, annual examinations, and continuous monitoring.
Read the Textbook
When organizations move to the cloud or outsource IT services, they are trusting another company with their data and operations. Customers, regulators, and partners need evidence that these service providers handle data securely and reliably.
This is where SOC reports come in.
What is SOC? SOC stands for System and Organization Controls. It is a reporting framework created and maintained by the AICPA (American Institute of Certified Public Accountants). SOC reports are issued by independent CPA firms (or equivalent licensed firms) after auditing a service organization.
Study Flashcards
Key concepts from this course as flashcard pairs.
What Is SOC 2 and Why Does It Matter?
SOC (System and Organization Controls)
An AICPA framework for reporting on controls at service organizations, including SOC 1, SOC 2, and SOC 3 reports.
SOC 2
An independent auditor’s report on a service organization’s controls relevant to the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy).
Trust Services Criteria (TSC)
AICPA criteria used in SOC 2 and SOC 3 engagements: Security (required), plus Availability, Processing Integrity, Confidentiality, and Privacy.
Service Organization
A company that provides services (often cloud or outsourced services) that can impact its customers’ data, operations, or financial reporting.
User Entity
An organization that uses the services of a service organization; it relies on SOC reports to evaluate the service provider’s controls.
SOC 2 Type I
A SOC 2 report that evaluates whether controls are suitably designed at a specific point in time.
Trust Services Criteria: The Backbone of SOC 2
Trust Services Criteria (TSC)
AICPA-defined criteria that form the basis for SOC 2 examinations, organized into five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Trust Services Categories
The five high-level areas covered by SOC 2: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Common Criteria (CC)
The core set of criteria that implement the Security category and apply across all SOC 2 engagements; they cover areas like control environment, risk assessment, access control, operations, and change management.
Control
A specific policy, process, or technical measure implemented by an organization to meet one or more Trust Services Criteria.
Availability (TSC)
Category focused on ensuring systems are available for operation and use as committed or agreed, including uptime, capacity, backups, and disaster recovery.
Processing Integrity (TSC)
Category focused on ensuring that system processing is complete, valid, accurate, timely, and authorized.
SOC 2 Attestation Types and Report Structure
SOC 2 Type I
An attestation on the design of controls relevant to selected Trust Services Criteria **at a specific point in time** (e.g., “as of June 30, 2025”). Does not test operating effectiveness over a period.
SOC 2 Type II
An attestation on the design **and operating effectiveness** of controls over a **defined period** (commonly 6–12 months). Includes detailed tests of controls and results.
Restricted-use report
A report intended only for specified parties (e.g., service organization management, user entities, their auditors). SOC 2 reports are restricted-use because they contain sensitive, detailed information.
Independent Service Auditor’s Report
The section of the SOC 2 report where the CPA firm states the **scope**, **period**, and **opinion** (unmodified, qualified, etc.) on the controls examined.
System Description
The management-prepared section describing the services, system boundaries, infrastructure, software, people, procedures, data, and relevant aspects of the control environment.
Complementary User Entity Controls (CUECs)
Controls that **customers (user entities)** are expected to implement and operate for the service organization’s controls to achieve the stated objectives.
Scoping a SOC 2 Engagement and Defining the System
System (in SOC 2 context)
The combination of services, processes, people, data, software, and infrastructure that are relevant to the services described in the SOC 2 report and to the selected Trust Services Categories.
System Boundary
The conceptual line that defines which components (people, processes, technology, data, locations) are included in the SOC 2 examination and which are excluded.
Subservice Organization (Subprocessor)
A third-party service provider that performs functions for the service organization and is relevant to the system and Trust Services Criteria (e.g., cloud provider, payment processor).
Carve-out Method
A method where the subservice organization is described in the SOC 2 report, but the auditor does not test its controls; instead, the report describes the complementary subservice organization controls the service organization implements.
Inclusive Method
A method where the subservice organization’s relevant controls are included and tested as part of the service organization’s SOC 2 examination.
Trust Services Categories (TSC)
The AICPA’s categories—Security (required), Availability, Processing Integrity, Confidentiality, and Privacy—used to organize control objectives and criteria in SOC 2.
Designing and Implementing SOC 2 Controls
Control Design
Whether a control is appropriately designed, on paper, to address a specific risk and meet relevant Trust Services Criteria (TSC). Focuses on intent, structure, and documentation.
Control Operation
Whether a control actually functioned as designed over a defined review period (e.g., 6–12 months). Evaluated through evidence such as logs, tickets, and reports.
Trust Services Criteria (TSC)
AICPA-defined criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy that SOC 2 controls must address.
Complementary User Entity Controls (CUECs)
Controls that customers (user entities) must perform for the service organization’s controls to be effective. Listed as assumptions in SOC 2 reports.
Complementary Subservice Organization Controls
Controls performed by subservice organizations (e.g., cloud providers) that the service organization relies on to meet certain TSC. Often listed when the carve-out method is used.
Policy vs Procedure
A policy is a high-level rule approved by management; a procedure (or standard/runbook) is the detailed, step-by-step method for implementing the policy.
How Auditors Perform a SOC 2 Examination
Independent service auditor
A CPA firm (and its engagement team) that performs the SOC 2 examination under AICPA attestation standards, independent of the service organization’s management.
AT-C Section 320
The AICPA attestation standard that specifically governs examinations of controls at a service organization relevant to the Trust Services Criteria (SOC 2).
Type I vs. Type II SOC 2 report
Type I: Reports on the fairness of the system description and the suitability of control design at a point in time. Type II: Includes Type I elements plus operating effectiveness of controls over a specified period.
Evidence collection methods
The main methods are inquiry, observation, inspection of documents/records, and reperformance of controls.
Sampling
Testing a subset of the full population of control instances to draw conclusions about the entire population, based on risk and materiality.
Exception / Deviation
A tested instance where the control did not operate as described. Auditors evaluate the frequency and severity of exceptions to decide their impact on conclusions and the SOC 2 opinion.
Inside the SOC 2 Report: Opinions, Findings, and Use
Unmodified (Clean) Opinion
An auditor’s conclusion that, in their opinion, the description is fairly presented and controls were suitably designed (and, for Type II, operated effectively) in all material respects for the stated period.
Qualified Opinion
An opinion stating that, except for one or more specific material issues described in the report, the description and controls met the applicable criteria.
Adverse Opinion
An opinion stating that the description and/or controls did NOT meet the applicable criteria in all material respects, indicating significant, widespread issues.
Disclaimer of Opinion
A statement that the auditor does not express an opinion, usually because they could not obtain sufficient appropriate evidence to form a conclusion.
Type I vs. Type II SOC 2
Type I: Opinion on the fairness of the description and suitability of control design at a point in time. Type II: Opinion on description and control design AND operating effectiveness over a specified period.
Complementary User Entity Controls (CUECs)
Controls that the user organization (customer) is expected to implement for the service organization’s controls to achieve the Trust Services Criteria effectively.
Preparing for and Maintaining SOC 2 Attestation
SOC 2 Readiness Assessment
A structured review of an organization’s existing controls, documentation, and practices against SOC 2 requirements to identify gaps before a formal examination.
Gap Analysis
The process of comparing current controls to the SOC 2 Trust Services Criteria to identify missing, weak, or undocumented controls.
Remediation Plan
A prioritized action plan that assigns owners and timelines to address control gaps and weaknesses identified during a readiness assessment.
Type I vs. Type II SOC 2
Type I: Opinion on the design of controls at a point in time. Type II: Opinion on the design and operating effectiveness of controls over a period (typically 6–12 months).
Continuous Monitoring
An approach where control status and key security configurations are automatically and regularly checked, rather than only reviewed during audit season.
Evidence Management
The practice of systematically collecting, organizing, storing, and labeling artifacts (logs, screenshots, tickets, reports) that demonstrate control operation.