Delivering Assurance and Structure

To comply with the Sarbanes–Oxley Act of 2002, public companies must maintain an effective system of controls over all financial reporting and auditing. In response, many of these companies choose to work with vendors that can attest to the same, and request a System and Organization Controls (SOC) report from them.

A SOC report is a verifiable auditing report completed by a Certified Public Accountant designated by the American Institute of Certified Public Accountants (AICPA). A SOC report outlines whether financial audits are performed, whether audits are done as per the controls defined by the serviced company, and the effectiveness of the audits performed.

SOC reports are valuable tools for your organization to provide assurance to your customers.

SOC Readiness Assessment

If you need a SOC report for the first time, we recommend starting with a SOC readiness assessment. During a readiness assessment we will evaluate your preparedness by reading your policies and procedures, assess the design of your system, and determine whether controls have been implemented to meet each of the control objectives or trust services criteria. You will then have time to remediate any deficiencies before commencing a SOC engagement.

SOC 1, SOC 2 and SOC 3 Reports

SOC 1 reports provide your customers with assurance over the financial controls in place at your organization. There are two types:

  • A Type I report covers an audit held on a specific date
  • A Type II report is more rigorous and is based on the testing of controls over a period of time

SOC 2 reports provide your customers with assurance over the controls in place at your organization relevant to the security, availability, and processing integrity of the systems your organization uses to process users’ data, as well as the confidentiality and privacy of the information processed by these systems. There are also two types:

  • Type I confirms that controls are in place
  • Type II confirms that controls are in place and effective

SOC 3 is a summarized version of the SOC 2 Type II report; it is less technical and contains less detail.

Key Benefits of a SOC Report or Assessment

  • Builds trust with customers and prospects
  • Can be utilized to gain a competitive advantage
  • Streamlines your processes
  • Identifies deficiencies in your systems, processes, and controls

System & Organization Controls (SOC) Reports Team

Rosemary Rehner CPA, CEPA · Director
Ryan N. Bidlack · IT Principal
Ryan P. Arlia CPA · Senior Manager