March 2026 · SOC 2 report

What a SOC 2 Report Actually Contains (And What Auditors Look For)

What's actually inside a SOC 2 report? A founder and CISO's guide to reading SOC 2 reports — sections, auditor opinions, exceptions, and what to look for in vendor reports.

By QuickTrust Editorial · Updated 2026-02-28

Your enterprise prospect just requested your SOC 2 report. You have one — you went through the audit and received the auditor's report (SOC 2 is an attestation report, not a certification). But when their procurement team reads it, what are they actually looking for?

Or maybe you're on the other side: a security questionnaire arrived from one of your SaaS vendors, and they sent back a 150-page PDF. You're supposed to review it. Where do you start?

SOC 2 reports are formal documents with a specific structure — and once you understand that structure, they become genuinely readable. This guide walks through every section of a SOC 2 report, explains the critical distinctions (unqualified vs. qualified opinion, and how individual test exceptions relate to the opinion), and tells you exactly what savvy readers look for when they evaluate your report.


The Anatomy of a SOC 2 Report

A standard SOC 2 report has four major sections, sometimes followed by additional information provided by the service organization (your company). Many firms also print management's written assertion as a short section of its own, in front of the system description, so the section numbers below may be shifted by one in the report you are holding; the content is the same. Here's what each section contains and what readers are looking for.


Section I: The Independent Service Auditor's Report

This is the most important page in the entire document. It's written by the CPA firm — not by you — and it contains the auditor's formal opinion on your controls.

What it contains

  • The name of the auditor (CPA firm)
  • The scope of the engagement (which Trust Service Criteria, which systems, which observation period)
  • The auditor's responsibility (what they tested and how)
  • The opinion itself

The two types of opinions you will see in practice

(Auditing standards also allow an adverse opinion and a disclaimer of opinion, but a service organization that is heading for either almost always withdraws from the engagement rather than publish the report, so you will rarely encounter them.)

Unqualified Opinion ("Clean Report")

An unqualified opinion means the auditor found that your controls were suitably designed as of a specified date (Type 1) or suitably designed and operating effectively throughout the observation period (Type 2), with no exceptions significant enough to mean a criterion was not met. This is what you want. The language looks like:

"In our opinion, the description fairly presents [Company]'s system that was designed and implemented throughout the period... the controls stated in the description were suitably designed... and the controls operated effectively..."

Qualified Opinion (Exceptions Noted)

A qualified opinion means the auditor identified one or more controls that either were not suitably designed or did not operate effectively, to the extent that a Trust Service Criterion was not met. Note that an individual exception listed in the test results (Section III) does not by itself qualify the opinion; the auditor weighs whether the exceptions, taken together, mean a criterion was not achieved. The language identifies the specific controls where the qualification applies:

"Except for the matter described in the following paragraph... In our opinion..."

A qualified opinion is not automatically a deal-breaker for your prospects. The questions buyers ask:

  1. What was the exception?
  2. Was it remediated?
  3. Does it affect the controls relevant to our data?

Minor exceptions (e.g., two access reviews out of 52 weekly samples were completed late) are very different from material exceptions (e.g., MFA was not enforced for any production account during the entire observation period).

What sophisticated buyers look for in Section I

  • The auditor's name. Only a licensed CPA firm can issue a SOC 2 report, so first confirm the signer is one. Big 4 and top-tier regional CPA firms carry more weight than unknown boutiques.
  • The observation period. A report covering a 12-month period is more meaningful than a 6-month report. Age is measured from the end of the observation period, not the issue date; a report whose period ended 18+ months ago may be expired under the buyer's vendor risk policy. For the months between the period end and today, buyers will often ask for a bridge (gap) letter, a short management statement that no material changes to the controls have occurred since the period ended.
  • Unqualified vs. qualified. If qualified, the buyer will skip to the exceptions.

Section II: Management's Description of the System

This section is written by your management team — it's your description of your system, your services, your controls, and your environment. It is not an independent assessment; it is your representation.

What it typically contains

  • Overview of the service organization: What your company does, how your product works, who your customers are
  • Components of the system: Infrastructure (cloud providers, data centers), software (application stack, third-party tools), people (roles and responsibilities), data (what types of data you hold and how it flows), procedures (your key operational processes)
  • System boundaries: What is and is not in scope for the audit, including which subservice organizations (for example, your cloud provider) are carved out of the report and relied upon through their own SOC reports
  • Relevant aspects of the control environment: How your organization approaches risk management, governance, HR, and change management at a high level
  • Control activities: A description of each control relevant to each Trust Service Criterion, organized by criterion

What auditors look for

Auditors compare this section against what they actually find during testing. If your description says "MFA is enforced for all production access" and the auditor finds two accounts without MFA, that discrepancy becomes an exception. The description must be accurate — it is the basis of management's written assertion that accompanies the report, and the auditor's opinion covers whether the description is fairly presented.

What buyers look for

Buyers scan this section to understand:

  • What data you hold and how you protect it
  • Which controls apply to the services they're using
  • Whether the described controls align with your security questionnaire answers
  • Whether the system boundary includes all the systems touching their data

A common red flag: a system description that is vague or generic. Sophisticated buyers recognize templated, non-specific descriptions and trust them less.


Section III: Description of Tests of Controls and Results

This is the technical heart of the report. For each control in scope, the auditor documents:

  1. The control activity (what the control is supposed to do)
  2. The test performed (how the auditor tested it)
  3. The result (what they found — pass, or exception with details)

For SOC 2 Type 2, auditors test each control against a sample drawn from across the observation period. Sample size scales with how often the control operates: a control that runs daily or on every event (access grants, deployments) is commonly sampled at 25 or more items, a monthly control at a few, a quarterly control at two, and an annual control at one. This is called attribute testing: for each sample item, did the control operate as described?

Example entry format

Control CC6.1 - Logical Access

Control description: The organization restricts logical access to systems and data based on the principle of least privilege. Access is granted based on documented business need and approved by the appropriate manager.

Test performed: We selected a sample of 40 user access provisioning events from the audit period and inspected evidence of documented business need and manager approval for each.

Results: For 2 of the 40 samples selected, we could not obtain evidence that manager approval was obtained prior to access provisioning. We consider this a deviation from the specified control.

Reading Section III as a buyer

When you receive a vendor's SOC 2 report and want to assess their security posture:

  1. Scan for the word "deviation" or "exception." Every instance deserves scrutiny.
  2. Look at the exception rate. 2 exceptions in 40 samples (5% deviation rate) for a low-risk control is very different from 2 exceptions in 40 samples for MFA enforcement.
  3. Assess materiality. Is the exception in a control category that affects your data? An exception in physical access controls at a data center you don't use is less concerning than an exception in your cloud access controls.
  4. Look for management's response (in Section IV or appended to Section III). Did they acknowledge the gap? Did they remediate it? A vendor that self-identifies root cause and remediation inspires more confidence than one that is silent.

What controls auditors most commonly test

Control area              Typical tests performed
Logical access            Access provisioning samples, MFA enforcement, access review evidence, offboarding evidence
Change management         Deployment samples: did each have documented review and approval?
Monitoring and alerting   SIEM configuration, sample alert review, log retention confirmation
Encryption                TLS configuration, database encryption settings, key management documentation
Incident response         Incident log review, tabletop exercise documentation
Vendor management         Vendor list, evidence of annual vendor reviews, SOC 2 reports on file
Backup and recovery       Backup configuration, restoration test evidence
Risk assessment           Risk register, annual risk assessment documentation

Section IV: Additional Information Provided by the Service Organization (Optional)

Many SOC 2 reports include an optional fourth section where your management provides additional context, clarifications, or management responses to exceptions.

Common uses of Section IV

  • Management responses to exceptions: If the auditor noted exceptions, management can provide context ("The two access provisioning instances without documented approval predated our new onboarding workflow, which was implemented in March. All subsequent provisioning events include documented approval.") and remediation evidence.
  • Complementary User Entity Controls (CUECs): These are controls that your customers (user entities) must implement for the overall control environment to function. For example, "Customers are responsible for managing their own user access within the application." This shifts some responsibility to your customers and limits your own control scope.
  • Additional context about the system: Any clarifications about the system description that management wants to add.

What buyers should know about CUECs

CUECs (Complementary User Entity Controls) can be a trap. If your vendor's SOC 2 report includes an extensive CUEC list, it means the vendor is delegating significant security responsibility to you. Before relying on a vendor's SOC 2 report, review their CUEC list and confirm you're actually implementing those controls.




How to Read a Competitor's or Vendor's SOC 2 Report: A 10-Minute Review Process

When you receive a vendor's SOC 2 report, here is an efficient review process:

Step 1 (1 minute): Check the cover page

  • What CPA firm issued it?
  • When does the observation period end? Is that within the last 12 months, or covered by a bridge letter?
  • Is it Type 1 or Type 2?

Step 2 (2 minutes): Read Section I — the opinion

  • Unqualified or qualified?
  • If qualified, what are the exceptions?

Step 3 (5 minutes): Scan Section III for exceptions

  • Search for "deviation," "exception," or "we noted"
  • For each exception: What control? How many deviations? What's the rate?
  • Assess whether the exceptions affect controls relevant to your data

Step 4 (2 minutes): Check Section IV for management responses

  • Did management acknowledge exceptions?
  • Is there evidence of remediation?
  • Review the CUEC list — are you actually implementing those controls?

Summary judgment:

  • Clean unqualified opinion, recent, Type 2, Big 4 or mid-tier auditor → Strong
  • Unqualified opinion, minor exceptions (< 5% deviation rate on low-risk controls) → Acceptable
  • Multiple exceptions on high-risk controls (MFA, access management, logging) → Requires follow-up
  • Type 1 from an unknown boutique, 18+ months old → Push for updated report
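The exception scan in Step 3 and the reading guidance for Section III above are easy to automate once the report PDF has been extracted to text. The script below is an added example, not QuickTrust's tooling and not part of the original article. It assumes Section III entries follow the "Control CCx.y ... Results: ... N of the M samples" phrasing shown in the example entry, and that the high-risk criteria families and the short sample report are constructed for illustration; it also handles the "No exceptions noted" phrasing that a naive keyword search would misread as an exception.

```python
"""Added example: triage the exceptions in the extracted text of a SOC 2 report.

Assumes you have run the PDF through a text extractor (e.g. pdftotext) and that
Section III entries use the phrasing shown in the article. The high-risk prefix
list, the regexes and SAMPLE_REPORT are constructed for this example.
"""
import re
from dataclasses import dataclass

# Criteria families treated as high risk when they carry exceptions (logical
# access, system operations/monitoring, change management). Assumed mapping.
HIGH_RISK_PREFIXES = ("CC6.", "CC7.", "CC8.")

# One Section III entry: "Control <ID>" up to the next "Control <ID>" or EOF.
ENTRY_RE = re.compile(
    r"Control\s+(?P<cid>[A-Z]{1,2}\d+\.\d+)(?P<body>.*?)"
    r"(?=\nControl\s+[A-Z]{1,2}\d+\.\d+|\Z)",
    re.S,
)
# "2 of the 40 samples" inside a Results paragraph.
DEVIATION_RE = re.compile(r"(?P<bad>\d+)\s+of\s+the\s+(?P<n>\d+)\s+samples", re.I)
# "No exceptions noted" / "No deviations were noted" is a clean result and must be
# removed before searching for exception language.
NEGATED_RE = re.compile(r"\bno\s+(exceptions?|deviations?)\s+(were\s+)?noted\b", re.I)
EXCEPTION_WORDS = re.compile(r"\b(deviations?|exceptions?|we noted)\b", re.I)


@dataclass
class ControlResult:
    control_id: str
    samples: int      # population sampled, known only when a ratio is stated
    deviations: int
    flagged: bool     # exception language present in the Results paragraph

    @property
    def rate(self) -> float:
        return self.deviations / self.samples if self.samples else 0.0

    @property
    def high_risk(self) -> bool:
        return self.control_id.startswith(HIGH_RISK_PREFIXES)


def parse_section_iii(text: str) -> list:
    """Return one ControlResult per 'Control <ID>' entry found in the text."""
    results = []
    for m in ENTRY_RE.finditer(text):
        # Only the Results paragraph is searched: the control description itself
        # may legitimately contain words like "exception".
        _, _, results_part = m.group("body").partition("Results:")
        results_part = NEGATED_RE.sub("", results_part)
        dev = DEVIATION_RE.search(results_part)
        samples = int(dev.group("n")) if dev else 0
        deviations = int(dev.group("bad")) if dev else 0
        flagged = deviations > 0 or bool(EXCEPTION_WORDS.search(results_part))
        results.append(ControlResult(m.group("cid"), samples, deviations, flagged))
    return results


def summary_judgment(results: list) -> str:
    """The article's rule of thumb: any exception on a high-risk control needs
    follow-up; low-risk exceptions under a 5% deviation rate are acceptable."""
    exceptions = [r for r in results if r.flagged]
    if not exceptions:
        return "Strong"
    if any(r.high_risk for r in exceptions):
        return "Requires follow-up"
    if all(r.rate < 0.05 for r in exceptions):
        return "Acceptable"
    return "Requires follow-up"


# Constructed sample of Section III text, not from any real report.
SAMPLE_REPORT = """\
Control CC6.1 - Logical Access
Test performed: We selected a sample of 40 user access provisioning events.
Results: For 2 of the 40 samples selected, we could not obtain evidence that
manager approval was obtained prior to access provisioning. We consider this a
deviation from the specified control.

Control CC7.2 - Monitoring
Test performed: We inspected SIEM alert configuration and a sample of alerts.
Results: No exceptions noted.

Control A1.2 - Backup and Recovery
Test performed: We inspected backup configuration and restoration test evidence.
Results: No deviations were noted.
"""

if __name__ == "__main__":
    parsed = parse_section_iii(SAMPLE_REPORT)
    for r in parsed:
        print(f"{r.control_id}: {r.deviations}/{r.samples} "
              f"({r.rate:.0%}) flagged={r.flagged} high_risk={r.high_risk}")
    print("Judgment:", summary_judgment(parsed))
```

Run it over the full extracted text of a report; the per-control output is the list you then work through against your own data flows, and the judgment line is only the starting point for Step 4.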

Preparing Your Own SOC 2 Report for Review

When your report goes out to prospects, these are the things that sophisticated buyers will scrutinize — and what you need to get right.

1. Keep your observation period current

A Type 2 report more than 12 months old is often considered expired by enterprise vendor risk programs. Plan your annual re-audit to ensure your report stays current.

2. Eliminate exceptions before fieldwork

Work with your security team (or QuickTrust engineers) to validate that every control is operating correctly, and that the evidence proving it exists, before auditor fieldwork begins. Keep in mind that a Type 2 report covers the whole observation period: a control that was fixed the week before fieldwork still failed for the months before that, so the real work is monitoring the controls continuously during the period rather than checking them once at the end. Exceptions that appear in your report stay in your report — you cannot revise them after issuance.
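One way to run that pre-fieldwork check for the access-provisioning control described in the Section III example entry earlier on this page: re-perform the auditor's attribute test yourself over the whole period, not just a sample. The code below is an added example, not QuickTrust's code and not from the article. The record types, field names and the sample events are constructed; in practice the grants come from your identity provider's audit log and the approvals from your ticketing system. It treats approval recorded after the grant, self-approval, an unapproved ticket and a grant with no ticket as deviations, which is what the wording "approved by the appropriate manager ... prior to access provisioning" implies.

```python
"""Added example: re-perform the access-provisioning attribute test on your own
evidence before the auditor does. Record formats and sample data are constructed
for this example; the deviation categories follow the control wording quoted in
the article (documented business need, manager approval, approval before grant).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProvisioningEvent:
    user: str
    system: str
    granted_at: datetime
    ticket: Optional[str]   # approval ticket referenced on the grant, if any


@dataclass(frozen=True)
class Approval:
    ticket: str
    approver: str
    approved_at: datetime


def find_deviations(events: List[ProvisioningEvent],
                    approvals: List[Approval]) -> List[Tuple[ProvisioningEvent, str]]:
    """Return (event, reason) for every grant that would fail the auditor's test.

    An approval that exists but was recorded after the grant is still a deviation:
    the control says approval happens before access is provisioned.
    """
    by_ticket = {a.ticket: a for a in approvals}
    deviations = []
    for ev in events:
        if not ev.ticket:
            deviations.append((ev, "no ticket referenced on the grant"))
            continue
        appr = by_ticket.get(ev.ticket)
        if appr is None:
            deviations.append((ev, "ticket has no recorded approval"))
        elif appr.approver == ev.user:
            deviations.append((ev, "self-approved, not approved by a manager"))
        elif appr.approved_at > ev.granted_at:
            deviations.append((ev, "approval recorded after access was granted"))
    return deviations


def deviation_rate(events: List[ProvisioningEvent],
                   approvals: List[Approval]) -> float:
    """Fraction of grants in the population that fail the test (0.0 if empty)."""
    return len(find_deviations(events, approvals)) / len(events) if events else 0.0


# Constructed sample data: one clean grant and four different failure modes.
T0 = datetime(2025, 6, 1, 9, 0)
SAMPLE_APPROVALS = [
    Approval("ACC-101", "mgr.bob", T0),                       # proper, before grant
    Approval("ACC-102", "carol", T0),                         # requester approved herself
    Approval("ACC-103", "mgr.bob", T0 + timedelta(days=2)),   # approved after the grant
]
SAMPLE_EVENTS = [
    ProvisioningEvent("alice", "prod-db", T0 + timedelta(hours=1), "ACC-101"),
    ProvisioningEvent("carol", "prod-db", T0 + timedelta(hours=1), "ACC-102"),
    ProvisioningEvent("dave", "prod-k8s", T0 + timedelta(days=1), "ACC-103"),
    ProvisioningEvent("erin", "prod-k8s", T0 + timedelta(hours=3), None),
    ProvisioningEvent("frank", "prod-db", T0 + timedelta(hours=4), "ACC-104"),
]

if __name__ == "__main__":
    for ev, reason in find_deviations(SAMPLE_EVENTS, SAMPLE_APPROVALS):
        print(f"{ev.granted_at:%Y-%m-%d %H:%M} {ev.user:6s} {ev.system:9s} {reason}")
    print(f"deviation rate: {deviation_rate(SAMPLE_EVENTS, SAMPLE_APPROVALS):.0%}")
```

Run this over every grant in the observation period rather than a sample: if the population is clean, any sample the auditor draws is clean too, and each deviation you find early is one you can document, with root cause and fix date, in your management response instead of discovering it in the draft report.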

3. Use a credible auditor

Your auditor's reputation reflects on your report. Mid-tier regional CPA firms and SOC 2-specialized boutiques with recognized names are generally accepted. Unknown firms raise questions.

4. Write a clear, specific system description

Generic or vague system descriptions are a yellow flag for sophisticated buyers. Be specific about what data you hold, how it flows, what systems are in scope, and what controls you have in place.

5. Respond to exceptions clearly

If your report includes exceptions, proactively address them when sharing the report. Include a written management response and evidence of remediation. This demonstrates maturity and accountability.


Getting Your Report Right the First Time

QuickTrust's approach to audit preparation is designed to produce a clean, unqualified report on the first attempt. Our engineers implement all controls before auditor fieldwork begins, and our pre-audit readiness review simulates the auditor's testing process to catch any evidence gaps before they become report exceptions.

Across 100+ SOC 2 audits, QuickTrust has maintained a 100% pass rate — not by gaming the process, but by ensuring controls are fully implemented and evidence is complete before the auditor starts.

