How it works
European auditors encounter SOC 2 reports most often when their client uses a US-based SaaS provider for a function that affects financial reporting indirectly (cloud hosting, identity management, data storage, backup infrastructure). ISA 402.9 requires you to obtain an understanding of the services provided and the controls at the service organization that are relevant to the audit. A SOC 2 report gives you that understanding for IT general controls mapped to the Trust Services Criteria.
The report itself contains four sections you need to read, not one. The service auditor's opinion sits in Section I. Section II is management's description of the system. The control objectives, the controls tested, the test procedures performed, and the results appear in Section III. Section IV lists complementary user entity controls (CUECs) that the service organization assumes your client operates. ISA 402.15 requires you to evaluate whether the description and tests of controls in the report are sufficient for your purposes. That evaluation requires reading Sections II through IV, not just the opinion.
Key Points
- A SOC 2 report covers IT controls, not financial reporting controls (that is a SOC 1).
- The report's period must overlap with your client's fiscal year or you need a bridge letter.
- User entity controls listed in the report are your client's responsibility to operate, not the service organization's.
- Reading only the opinion page is the single most common shortcut that produces inspection findings.
Worked example: Schiphol Payments B.V.
Client: Dutch fintech company, FY2024, revenue €85M, IFRS reporter. Uses CloudVault Inc. (US-based) for production database hosting.
Obtain the SOC 2 Type II report from CloudVault. The report covers the period January 1 to September 30, 2024. The client's fiscal year ends December 31, 2024.
Read Section III. The service auditor notes two control exceptions: one relates to access reviews completed 14 days late in Q2, one relates to a backup restoration test that failed and was re-performed. Evaluate whether these exceptions affect assertions relevant to the audit of Schiphol Payments.
For each exception, document the control, the nature of the exception, the period affected, and your conclusion on whether additional audit procedures are required. The late access review does not affect financial data integrity because compensating detective controls (audit logging with daily review) operated throughout the period.
Read Section IV. The report lists four CUECs: the user entity must enforce MFA on all accounts accessing CloudVault, must review user access quarterly, must maintain its own backup verification process, and must restrict administrative access to named individuals.
Check the three-month gap. Obtain a bridge letter from CloudVault confirming no significant changes to controls between October 1 and December 31, 2024.
Conclusion: the SOC 2 report, together with the bridge letter and CUEC testing, provides sufficient appropriate evidence over IT general controls at the subservice organization level for the periods relevant to Schiphol Payments' FY2024 audit.
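The two mechanical checks in the worked example, the report-period gap that drives the bridge-letter requirement and the CUECs that still need client-side testing, are easy to get wrong by eye across many vendors. The following Python checker is an added illustration, not part of the original page or any audit firm's tooling; the `Period` class, the CUEC identifiers and the sample evidence dictionary are constructed here from the Schiphol Payments figures above. It generalises beyond that case by also handling a report that starts after the fiscal year begins or does not overlap it at all.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Period:
    """Inclusive date range (hypothetical helper, not from the page)."""
    start: date
    end: date

    def days(self) -> int:
        return (self.end - self.start).days + 1


def report_coverage(report: Period, fiscal_year: Period) -> dict:
    """Compare a SOC 2 Type II report period against the client's fiscal year.

    Returns the overlap, any uncovered parts of the fiscal year, and whether
    a bridge letter is needed. A report with no overlap is flagged so the
    auditor does not try to 'bridge' an entire year.
    """
    overlap_start = max(report.start, fiscal_year.start)
    overlap_end = min(report.end, fiscal_year.end)
    if overlap_start > overlap_end:
        return {"status": "no overlap", "overlap_days": 0,
                "gaps": [], "bridge_letter_required": False}

    gaps = []
    if fiscal_year.start < report.start:          # report began late
        gaps.append(Period(fiscal_year.start, report.start - timedelta(days=1)))
    if report.end < fiscal_year.end:              # report ended early
        gaps.append(Period(report.end + timedelta(days=1), fiscal_year.end))

    return {
        "status": "covered" if not gaps else "partial",
        "overlap_days": Period(overlap_start, overlap_end).days(),
        "gaps": gaps,
        "bridge_letter_required": bool(gaps),
    }


def cuec_status(cuecs: list, client_evidence: dict) -> dict:
    """Map the CUECs listed in Section IV to the client's own test results.

    client_evidence: CUEC id -> "effective" or "exception". Any CUEC with no
    entry is untested, which is the finding pattern described on this page.
    """
    untested = [c for c in cuecs if c not in client_evidence]
    exceptions = [c for c in cuecs if client_evidence.get(c) == "exception"]
    return {"untested": untested, "exceptions": exceptions,
            "all_operating": not untested and not exceptions}


# Constructed sample data mirroring the worked example.
FY2024 = Period(date(2024, 1, 1), date(2024, 12, 31))
CLOUDVAULT_REPORT = Period(date(2024, 1, 1), date(2024, 9, 30))
CLOUDVAULT_CUECS = ["mfa-enforced", "quarterly-access-review",
                    "backup-verification", "admin-access-named-individuals"]
# Hypothetical client test results: one CUEC has not been tested yet.
SCHIPHOL_EVIDENCE = {"mfa-enforced": "effective",
                     "quarterly-access-review": "effective",
                     "backup-verification": "effective"}


def evaluate_schiphol() -> dict:
    """Run both checks on the sample data and return the combined result."""
    return {"coverage": report_coverage(CLOUDVAULT_REPORT, FY2024),
            "cuecs": cuec_status(CLOUDVAULT_CUECS, SCHIPHOL_EVIDENCE)}


if __name__ == "__main__":
    result = evaluate_schiphol()
    cov = result["coverage"]
    print(f"overlap {cov['overlap_days']} days, status {cov['status']}")
    for gap in cov["gaps"]:
        print(f"  bridge letter needed for {gap.start} to {gap.end} ({gap.days()} days)")
    print("CUECs untested:", result["cuecs"]["untested"])
```

Running it on the sample data reports a 274-day overlap, one 92-day gap from 1 October to 31 December 2024 requiring a bridge letter, and one CUEC (restricting administrative access to named individuals) that the client has not yet tested; the conclusion in the worked example can only be reached once that list is empty.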
What reviewers and practitioners get wrong
- Auditors frequently rely on SOC reports without evaluating the complementary user entity controls listed in Section IV. The same pattern appears in AFM inspections of Dutch firms using US-hosted platforms.
- Teams treat a clean SOC 2 opinion as blanket assurance over IT controls without reading Section III. ISA 402.15 requires evaluating whether the specific controls tested and the results are sufficient for the assertions relevant to your audit. A SOC 2 that tested availability controls does not cover processing integrity unless those criteria were also in scope.
SOC 1 vs SOC 2
| Dimension | SOC 1 | SOC 2 |
|---|---|---|
| What it covers | Controls relevant to user entities' financial reporting (ICFR) | Controls relevant to the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) |
| Governing standard | ISAE 3402 / AT-C 320 | ISAE 3000 (Revised) / AT-C 205 |
| Primary user | External auditors assessing ICFR at a service organization | External auditors, management, regulators, customers assessing IT controls |
| Typical trigger | Payroll processing, fund administration, claims handling | Cloud hosting, SaaS platforms, data centres, identity providers |
The practical question is whether the service affects a financial statement number directly (SOC 1) or affects the IT environment that supports financial reporting indirectly (SOC 2). A cloud payroll processor that calculates wages and posts journal entries needs a SOC 1. A cloud hosting provider that stores the database needs a SOC 2.
Key standard references
- AT-C 205 (AICPA): Governs SOC 2 engagements in the US.
- ISAE 3000 (Revised): Governs SOC 2-equivalent engagements internationally.
- ISA 402.9: Requires the user auditor to obtain an understanding of controls at the service organization.
- ISA 402.15: Requires the user auditor to evaluate whether the SOC report is sufficient for audit purposes.
Frequently asked questions
What is the difference between a SOC 1 and a SOC 2 report?
A SOC 1 covers controls relevant to user entities' financial reporting (ICFR), governed by ISAE 3402 or AT-C 320. A SOC 2 covers IT controls mapped to the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy), governed by ISAE 3000 (Revised) or AT-C 205. The practical question is whether the service affects a financial statement number directly (SOC 1) or affects the IT environment that supports financial reporting indirectly (SOC 2).
Can I rely on a SOC 2 report without reading the full document?
No. ISA 402.15 requires evaluating whether the specific controls tested and the results are sufficient for the assertions relevant to your audit. Reading only the opinion page is the single most common shortcut that produces inspection findings. You must read Section II (system description), Section III (controls and test results), and Section IV (CUECs).