Attestation report
SOC 2
Attestation report

SOC 2

All frameworks

What it is

An attestation report performed by a licensed CPA firm under AICPA standards. It evaluates a service organization's controls against the Trust Services Criteria (TSC). Output is an opinion (Type I = design; Type II = design + operating effectiveness over a period).

Who uses it

U.S.-centric SaaS and service providers selling to enterprise customers. Often the first compliance report a startup pursues.

Why it matters

SOC 2 is the most-requested security report in B2B SaaS. Most junior GRC analysts in SaaS spend a large share of their time on evidence collection for SOC 2 Type II.

Structure

Security (Common Criteria)

Required for every SOC 2 — protects against unauthorized access, disclosure, and damage.

Availability

Systems are available for operation and use as agreed (think uptime SLAs, capacity, BCP/DR).

Confidentiality

Information designated confidential is protected (NDAs, encryption, retention, secure disposal).

Processing Integrity

System processing is complete, valid, accurate, timely, and authorized (input/processing/output controls).

Privacy

Personal information is collected, used, retained, disclosed, and disposed of per the privacy notice.

Terminology

TSC
Trust Services Criteria — the five categories above.
Type I vs Type II
Type I = controls designed at a point in time. Type II = also operating effectively over a 3–12 month period.
Auditor
A CPA firm — only CPAs can sign SOC 2 reports.
Bridge letter
Issued between report periods to assure customers no material change has occurred.
Carve-out / Inclusive
How sub-service organizations (e.g., AWS) are handled in your report.

Beginner explanation

SOC 2 is not certification — it is an opinion letter from an auditor. The audit is mostly about producing evidence that you actually do what your policies say.

Practical examples

  • An auditor samples 25 of the 400 production changes in the year and asks for evidence each was approved before deployment.
  • A startup picks just Security and Availability for its first SOC 2 to keep scope tight.

Advanced notes

SOC 2 reports are restricted-use; SOC 3 is the public, marketing-friendly version. SOC 1 is for financial-reporting controls (think SOX), not security.