SOC Reporting

Helping Service Organizations
Manage Customer Requirements

We work with and help service organizations create reports on internal controls for the services they provide. Service Organization Control (SOC) reports provide a consistent framework to report these controls. Our SOC services consist of:

  • Readiness Services

    For service organizations looking to issue a SOC report, our readiness services will guide you through the stages to prepare you for the audit. The approach focuses on identifying, designing and documenting key processes, identifying controls, mapping controls to the required criteria (for SOC2), assessing control gaps, and developing management’s assertion and narrative language for inclusion in the final SOC report (Template of the report). We will customize our effort for particular facets of your service. This approach will prepare your business to pass the testing standards used by external auditors for compliance.

  • Service Organization Control (SOC) Reporting Service

    As a CPA firm with deep experience performing SOC reporting audits, we are prepared to assist with issuing any of the following audit reports:

    • SOC 1

      Also known as SSAE16 — Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.

    • SOC 2

      Report on Controls at a Service Organization relevant to one or more of the five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and/or Privacy. Controls are mapped to static criteria for each principle selected.

    • SOC 3

      Formerly WebTrust and SvsTrust reports. Publically displayable reports built on the same foundation of Trust Services Principles and Criteria.

    • ISAE 3402

      Assurance Reports on Controls at a Service Organization (International Standard)

  • All SOC reports can be issued as a Type I or a Type II report. Typically organizations undergoing their initial SOC report will perform a readiness assessment, followed by a Type I report, and then a Type II report annually thereafter:

    • Type I

      Provides independent third party verification by a licensed CPA firm as to whether internal controls described by a service organization are suitably designed to meet specified control objectives, and expresses an opinion by the CPA firm as to the design of the controls at a point in time. A Type I report does not give assurance over a period of time, and is typically utilized for first-time issuers, as a pre-cursor to Type II report

    • Type II

      A Type II report provides independent third party verification by a licensed CPA firm as to whether internal controls described by a service organization are suitably designed to meet specified control objectives, and expresses an opinion by the CPA firm as to the design and operating effectiveness of the controls over a period of time, typically twelve months in duration. A Type II audit is performed annually, and the corresponding report issued. This is what is expected by customers, and their auditors as the procedures are sufficient to replace the work they would otherwise have had to perform

Need a Compliance Expert?

From assisting with simple audit adjustments to developing large compliance solutions, we’ll take care of your process and compliance needs. Contact us today to learn how we’ll make your business more successful.

Contact Us