What is a SOC 2 report? A plain-English guide to its sections

A SOC 2 report is a CPA firm's independent examination of a service organization's controls. Knowing its four sections is the difference between rubber-stamping a PDF and actually understanding what was tested.

What a SOC 2 report actually is

A SOC 2 report is the output of an attestation examination performed under the AICPA's standards, in which an independent CPA firm evaluates a service organization's controls against the Trust Services Criteria. It is not a certification and there is no pass-or-fail badge, despite how it is often marketed; instead it is a detailed report containing a professional opinion plus the evidence behind that opinion. Because it is issued under AT-C Section 205, only a licensed CPA firm can perform the engagement and sign the report, which is what gives the document its weight with auditors and procurement teams. Crucially, automation platforms such as Vanta, Drata, or Secureframe do not issue the report; they help you prepare for and manage the audit, but a separate CPA firm must conduct the examination and issue the opinion.

Section 1: the independent auditor's opinion

The first section is the auditor's report, the part most readers should turn to first because it states the conclusion. Here the CPA firm names the system in scope, the Trust Services categories covered, and the relevant date or period, then renders an opinion. An unqualified opinion is the clean result, meaning the auditor found the controls suitably designed and, for a Type 2, operating effectively. A qualified opinion flags specific deficiencies that are significant but not pervasive, while adverse opinions and disclaimers signal serious or unresolvable problems and should prompt hard questions. Importantly, an unqualified opinion does not mean zero issues were found; it means any issues identified were not severe enough to undermine the overall conclusion, which is why you still read the rest of the report.

Section 2 and Section 3: management's assertion and the system description

Section 2 is management's written assertion, the service organization's own formal statement that its controls were designed, and for a Type 2 operated, to meet its service commitments and system requirements based on the applicable criteria. It matters because the auditor is opining on management's assertion, so this section establishes what management is actually claiming. Section 3 is the system description, typically the longest part of the report, written by management to explain the business, the services provided, the boundaries of the system, the infrastructure and software involved, the people and procedures, and how the organization addresses risk. For a reader, Section 3 is where you confirm that the scope matches the product you are buying, because a report can be technically clean while covering a system or environment that is not the one you actually use.

Section 4: the controls and the results of testing

Section 4 is the heart of the evidence, presenting the specific controls mapped to the Trust Services Criteria, the tests the auditor performed, and the results of those tests, usually laid out in a table. This is where experienced reviewers spend their time, because it reveals whether the auditor noted any exceptions or deviations and how management responded to them. A single exception is not automatically disqualifying, but its nature matters: a missed quarterly access review reads very differently from a failure of the encryption or change-management controls you depend on. In a Type 2 report this section shows testing across the full observation period, whereas a Type 1 reflects only a point-in-time evaluation of design, which is the key distinction to keep in mind while reading.

Type 1 versus Type 2, and the report's restricted use

Two report types exist: a Type 1 assesses whether controls are suitably designed as of a single date, while a Type 2 also tests whether they operated effectively over a period, commonly three to twelve months. Most customers ultimately want a Type 2 because point-in-time design tells you little about how an organization behaves day to day. One practical detail that surprises first-time recipients is that SOC 2 reports are restricted-use documents, intended for the service organization, its customers, and parties with sufficient understanding of the system, not for public posting, which is why vendors share them under NDA rather than on a website. When you receive one, read the opinion, confirm the scope and period in Section 3, scan Section 4 for exceptions, and check whether the report is recent enough or whether a bridge letter is needed to cover the gap since the period end.