An attestation report is the formal document a CPA firm issues at the end of a SOC 2 audit. It contains the auditor's independent opinion on whether the service organization's controls are designed (Type 1) or designed and operating effectively (Type 2) to meet the selected Trust Services Criteria. The report typically includes management's description of the system, the controls in scope, the auditor's tests and results, and any exceptions identified. SOC 2 reports are restricted-distribution documents shared with customers, prospects, and regulators under non-disclosure agreements. They are not public certifications like ISO 27001 certificates. Most enterprise procurement teams will request the latest SOC 2 attestation report as part of vendor due diligence before signing a contract. A clean opinion (no qualifications) signals the controls met the criteria; a qualified opinion flags specific exceptions worth investigating.
Attestation Report
Audit Process · Last updated 2026-05-17