ByteChek Learning Center

What is an attestation report?

Written by: Mr. ByteChek
Updated over 2 months ago

SOC 2 reports are, in official terms, attestation reports. So what does that mean and why is it relevant when thinking about SOC 2 reports?

First, the definition:

  • attestation report – a consulting service in which a CPA expresses a conclusion about the reliability of a written statement that is the responsibility of someone else [1]

When we break down that definition, we can apply it to SOC 2 reports.

  • Consulting service – the examination engagement that the CPA performs in order to deliver the SOC 2 report.

  • Expresses a conclusion – this is the CPA's (auditor's) report containing the opinion, usually included as "Section 1" of a complete SOC 2 report.

  • Written statement – this is "management's assertion", usually included as "Section 2". In it, management states that it prepared the system description and that the controls described were suitably designed as of a specific date (type 1) or were suitably designed and operating effectively throughout the review period (type 2).

Putting that all together, in our SOC 2 attestation report, we have:

  • Section 1 – CPA’s report with an opinion on management’s assertion

  • Section 2 – Management’s assertion that includes their statement about the system and its controls

  • Section 3 – System description

  • Section 4 – the criteria that the controls are measured against, the controls themselves, and, in a type 2 report, the CPA's tests of those controls and the results of those tests

[1] "Attestation report – definition of attestation report by The Free …." https://www.thefreedictionary.com/attestation+report. Accessed 10 Aug. 2020.

So why is all of this relevant for SOC 2?

The boring answer is that attestation engagements follow AICPA standards (in particular SSAE 18). But when you break it down, it comes down to the assertion made by your company. In your assertion, you will state things like:

  • The system description was prepared in accordance with the AICPA's description criteria.

  • The controls within the system were suitably designed (and, for a type 2 report, operating effectively) to provide reasonable assurance that your service commitments to customers (for security, availability, etc.) and your system requirements were achieved. (NOTE – these are measured against the in-scope trust services criteria.)

Your CPA then tests these assertions through inquiry, inspection of evidence, observation, and re-performance of controls, forms an opinion based on the results of those tests, and issues the report. From there, you have your SOC 2 report.

ByteChek's platform helps companies of all sizes establish security programs, automate cybersecurity readiness assessments, and complete cybersecurity assessments faster – all from a single platform.

With ByteChek, companies can quickly build their information security policy from the ground up using the ByteChek information security policy generator. The ByteChek platform then connects with the applications companies use every day to eliminate manual evidence collection and vague auditor requests.