The following table presents a list of Control activities and Auditor tests on controls, as an example of what could be found in a SOC 2 report:

Control objective

1.1 Control activities provide reasonable assurance that building access to the service providers offices and sensitive areas is restricted to authorized individuals.

1.1.1 Access to the building is controlled by dual authentication: a combination of photo ID proximity card and PIN. Employee access is restricted to either the front door or the employee entrance of the building.	Observed during the building tour employees with photo ID proximity cards. Observed during the building tour that proximity card swipe stations and PIN pads are used at employee entrances to the building. Observed during the building tour that access through front door, employee entrance and other doors in the buildings is restricted.
1.1.2 Photo ID proximity cards are issued to authorized individuals in accordance with the Corporate Policy.	Inspected the Corporate Policy on keys access cards and alarm codes to confirm procedures for issuing photo ID proximity cards is documented Inspected a sample of issued photo ID proximity cards to confirm individuals were authorized according to the Corporate Policy.
1.1.3 Access logs documenting unauthorized access attempts in the buildings are monitored by security personnel. Identified failed access attempts are investigated within 24 hours.	Inspected a sample of card logs for evidence unauthorized access attempts in the building are logged. Observed during the tour the security office with monitors that showed access logs.
1.1.4 Physical access to sensitive areas is reviewed annually by managers responsible for the areas.	Inspected evidence of annual reviews performed for access to sensitive areas.
1.1.5 Visitors/contractors are escorted by an employee while in the building. First-time visitors are required to produce government issued photo identification and to read and acknowledge a visitors/contractors Orientation, which includes a non-disclosure agreement.	Observed during the tour visitors being escorted by security and management. Inspected the visitors log maintained for visitor passes to confirm Visitors/contractors signed in and signed out as required.
1.1.6 Video cameras are installed at entrance areas and critical areas within and surrounding the buildings. Video surveillance includes monitoring, recording and retention for 30 days	Observed during the tour video cameras at the entrance and in critical areas within and surrounding the building. Observed during the tour the security office with monitors that showed video camera footage. Inspected a sample of footage from the video camera system to confirm the retention of video surveillance for a minimum of 30 days.
1.1.7 A centrally controlled alarm system monitors building access. This alarm system is monitored by an external security firm 24 hours per day.	Inspected the service agreement with the external security firm and confirmed the requirement for continuous monitoring during the audit period. Inspected a sample of events reported by the external security firm.

Identify five (5) control activities, and auditor tests on controls corresponding to each, for the following control objective:

1.2 Logical security tools and supporting processes are implemented and configured to restrict access to critical applications to authorized users only.