SOC Reporting

Our Expertise

Gain confidence and insight into your internal controls

As cybersecurity incidents increase and regulatory requirements become more restrictive, many organizations find they need to ensure, with a high level of confidence, the effectiveness of their internal controls. SOC reports give you the ability to offer independent third-party assurance that your controls are designed properly and operating effectively — and demonstrate your commitment to the trust and security of your clients. But with multiple SOC reports and types, it can be difficult to know which one best fits your needs.

All SOC reports have two types: Type 1 and Type 2. Type 2 reports involve a longer evaluation period and are generally more rigorous than Type 1, but they may be necessary for organizations that are subject to more stringent compliance requirements. Our AICPA SOC specialists work across all industries and can help you identify which SOC report is right for your specific business and technology environment. From there, we’ll perform readiness assessments to identify control weaknesses and develop recommendations for remediation prior to undergoing the formal SOC examination. Our goal is to streamline the SOC process as much as possible and reduce the costs and difficulties encountered with a project of this magnitude. A SOC report offers more than peace of mind for your vendors, business partners, management, and stakeholders — it’s a competitive advantage.

Finding the right SOC services for you

Our clients range in size and complexity from large publicly traded companies to small technology startups. Drawing from our expertise serving such a diverse client base, we can assist with a variety of compliance frameworks to ensure your organization stays competitive and compliant.

We can help with:

SOC 1 reports generally cover internal controls over financial reporting (ICFR) and the related IT general controls. You should consider a SOC 1 when you’re looking to provide assurance to management, existing clients, and your client’s auditors over controls related to ICFR, such as outsourced accounting functions.
SOC 2 reports examine controls related to security, availability, processing integrity, confidentiality, and privacy. If you’re looking to assure management, as well as existing and prospective clients, about operational subject matter such as these, a SOC 2 report may be the right choice.
SOC 2+
SOC 2+ reports include controls related to security, availability, processing integrity, confidentiality, and privacy. If your organization is also subject to other frameworks or regulations, such as HIPAA, NIST, etc., we can add this into a SOC 2+ report.
A SOC 3 report covers the same controls as SOC 2 — security, availability, processing integrity, confidentiality, and privacy— but it’s intended for public use and consumption.
SOC for cybersecurity
SOC examinations can be conducted for enterprise-wide cybersecurity risk management programs and include cybersecurity controls specifically. These can be used to assure your management, board of directors, audit committee, investors, business partners, and other key stakeholders of the effectiveness of your cybersecurity risk management program. As the SEC and other regulators continue to emphasize the importance of managing cybersecurity risks, the need for a SOC for cybersecurity may increase over time.
SOC for supply chain
Supply chains can be fragile, impacted by global trends, speed-to-market pressures, and other outside forces. As a result, your stakeholders may want information over the system that you use to produce, manufacture, or distribute products and the effectiveness of controls within that system. This examination is also based on the trust services criteria over security, availability, processing integrity, confidentiality, and/or privacy. A SOC for supply chain examination can provide customers or business partners with information they may use to identify, assess, and manage the risks that arise from their relationship with your company, and provide peace of mind for multiple end users.
SOC readiness
Are you ready to undergo a formal SOC examination? After we determine which report you need, we’ll develop a well-rounded understanding of the boundaries of your system and controls in place with interactive, in-person interviews and meetings. From there, we’ll provide defined deliverables with suggested control improvements. Upon completion of our assessment, you and your team will be fully prepared for a SOC examination.


More insights
Return to top of section

Client Experience

Your on-the-ground resource for SOC examinations

Our cybersecurity practice has been providing consulting services for more than 30 years. We have the expertise you need to deliver value and peace of mind to your stakeholders. We’re also involved with the AICPA SOC committees, which provides us with an advanced view of upcoming issues and changes and allows us to advocate for our clients when SOC-related professional pronouncements are being updated. And we don’t just talk the talk. We also undergo an annual, third-party-administered SOC 2 examination, for which we’ve continuously received a passing rating, meaning we don’t have any gaps in our security controls — a high standard we’ll pass on to you.