SOC Reporting

Helping Service Organizations
Manage Customer Requirements

We work with and help service organizations create reports on internal controls for the services they provide. Service Organization Control (SOC) reports provide a consistent framework to report these controls. Our SOC services consist of:

  • Readiness Services

    For service organizations looking to issue a SOC report, our readiness services will guide you through the stages to prepare you for the audit. The approach focuses on identifying, designing and documenting key processes, identifying controls, mapping controls to the required criteria (for SOC2), assessing control gaps, and developing management’s assertion and narrative language for inclusion in the final SOC report (Template of the report). We will customize our effort for particular facets of your service. This approach will prepare your business to pass the testing standards used by external auditors for compliance.

  • Service Organization Control (SOC) Reporting Service

    As a CPA firm with deep experience performing SOC reporting audits, we are prepared to assist with issuing any of the following audit reports:

    • SOC 1

      Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.

    • SOC 2

      Report on Controls at a Service Organization relevant to one or more of the five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and/or Privacy. Controls are mapped to static criteria for each principle selected.

    • SOC 3

      Formerly WebTrust and SvsTrust reports. Publically displayable reports built on the same foundation of Trust Services Principles and Criteria.

    • ISAE 3402

      Assurance Reports on Controls at a Service Organization (International Standard)

  • All SOC reports can be issued as a Type I or a Type II report. Typically organizations undergoing their initial SOC report will perform a readiness assessment, followed by a Type I report, and then a Type II report annually thereafter:

    • Type I

      Provides independent third party verification by a licensed CPA firm as to whether internal controls described by a service organization are suitably designed to meet specified control objectives, and expresses an opinion by the CPA firm as to the design of the controls at a point in time. A Type I report does not give assurance over a period of time, and is typically utilized for first-time issuers, as a pre-cursor to Type II report

    • Type II

      A Type II report provides independent third party verification by a licensed CPA firm as to whether internal controls described by a service organization are suitably designed to meet specified control objectives, and expresses an opinion by the CPA firm as to the design and operating effectiveness of the controls over a period of time, typically twelve months in duration. A Type II audit is performed annually, and the corresponding report issued. This is what is expected by customers, and their auditors as the procedures are sufficient to replace the work they would otherwise have had to perform

Kevin Abbott

CISSP, CISA, QSA Information Assurance and Security Lead
Member of ISC2 and ISACA

Kevin started with Cadence in 2008, and leads the SOC (Service Organization Control) Reporting and PCI (Payment Card Industry) compliance practices. As the SOC reporting lead, Kevin provides readiness and reporting services to companies across multiple industries and verticals. As the primary PCI QSA (Qualified Security Assessor) for the company, Kevin serves as Cadence's liaison to the PCI Security Standards Council, and oversees the operations of the PCI compliance practice.

kevin@thecadencegroup.com

801.358.5748

Need a Compliance Expert?

From assisting with simple audit adjustments to developing large compliance solutions, we’ll take care of your process and compliance needs. Contact us today to learn how we’ll make your business more successful.

Contact Us