The SOC 2 report demonstrates the control environment over information security, providing service organization management, user entities, business partners, and other parties with information about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy to support users’ evaluations of their own systems of internal control. It is appropriate for companies whose customers desire assurance that their data is protected and they can rely upon your services.

These reports follow the AICPA’s Trust Services Criteria, which is a framework of high level objectives divided into five categories:

Security, Availability, Processing Integrity, Confidentiality, and Privacy

The categories included in a SOC 2 report are selected based on the relevance to the organization’s service commitments and system requirements to its users. While the criteria are prescriptive in  SOC 2, the controls designed to meet those criteria are specific and unique to each organization.

Here’s how GBQ can help service organizations understand, prepare, and take action.

What is the SOC 2 Report?

The SOC 2 (Service Organization Control 2) report is an independent assessment that evaluates the effectiveness of a service organization’s controls. This report provides assurance to clients and stakeholders that the organization has established and maintained proper controls to safeguard their data and ensure the reliability of its services.

Here’s some information on how to read and understand a SOC report.

How to Prepare for Your First SOC Examination

Get Ready

  • During this initial step, GBQ will work with you to define the scope and boundaries of the system being audited. Our team will conduct interviews to guide management through the process of identifying and selecting relevant controls that meet the applicable trust services criteria. We will then assess if any control gaps need to be remediated and provide guidance in writing a system description (a key element of the SOC report!). This process is very hands-on and is where you will determine what services should be included in the SOC examination. This will also identify weak areas that would benefit from adding or modifying controls. The primary outcome of the readiness phase is your gap assessment, or list of specific action items that need to be addressed before starting your first SOC examination.


  • Following the readiness assessment, time and effort are required to remediate any identified control gaps. Our team can be as involved in the process as you desire. At the very least, we prefer to check in with you regularly through this phase so we can provide you with guidance and input while you work through action items.

Type 1 Report

  • The SOC 2 Type 1 report is a full report including the independent auditor’s opinion, but it is performed as of a specific date and includes only the testing of the design and implementation of controls as of that date. This is the best place to start for first-time SOC candidates because it can be issued as soon as controls are identified to be implemented, much sooner than waiting for a Type 2 period to pass. The Type 1 examination is also a good “dry run” test of the organization’s ability to gather the needed documentation to support the auditing of controls before the specific results of those tests will be included in the report.

Type 2 Report

  • At least six months after your initial SOC 2 Type 1 report, and not more than 12 months after, a SOC 2 Type 2 report can be issued. The primary difference between the Type 2 and Type 1 engagement is that the operating effectiveness of the controls in place over a period of time are tested in a Type 2 engagement through sampling across the entire audit period, and the testing results are presented in the report.

Partner with GBQ

SOC 2 reports must be completed by an external auditor from a licensed CPA firm. Contact GBQ to get started and learn more about our services.