SOC reporting services

Whether you’re preparing for your first SOC examination or making significant changes to your in-scope environment, a readiness assessment helps you define scope and – most importantly – identify and address any issues before a formal examination.

A SOC 1 report focuses on how your internal controls affect your customers’ internal control over financial reporting (ICFR) and is primarily intended to support your customers’ financial statement audits. A SOC 1 report is most relevant for services involving clients’ financial transactions or reporting.

A SOC 2 report evaluates how you manage and protect data based on the American Institute of CPAs Trust Services Criteria. A SOC 2 report is applicable to any service and any type of data and is designed to address one or more of the following areas: security, availability, confidentiality, processing integrity, and privacy.

A SOC 2+ report builds on a standard SOC 2 report by incorporating additional control requirements, such as those in National Institute of Standards and Technology (NIST) standards or the Health Insurance Portability and Accountability Act (HIPAA). It’s useful for addressing multiple compliance obligations or showcasing alignment with industry standards within a single report.

A SOC 3 report provides high-level assurance based on the same trust services criteria as a SOC 2 report but without disclosing detailed control information. A SOC 3 report is well suited for sharing with prospects and supporting marketing and sales efforts.

A SOC for Cybersecurity report evaluates the effectiveness of your cybersecurity risk management program. In contrast with a SOC 2 report’s focus on specific services and customer information, a SOC for Cybersecurity report offers a broader view of how your organization manages cybersecurity threats at the enterprise level.

A custom controls examination provides an independent opinion on your controls, similar to a SOC report but with added flexibility related to the control areas. This allows organizations to focus on specific industry frameworks (similar to a SOC 2+ but without requiring the SOC 2 trust services criteria) or to address unique contractual requirements related to areas like security or processing.

An AUP engagement offers the highest level of customization, focusing on a specific set of procedures defined by you and your stakeholders. Unlike a SOC report or custom controls examination, an AUP engagement does not include an opinion on controls – it provides only a factual report of the procedures and results. For this reason, an AUP engagement typically is designed for a single stakeholder who is responsible for evaluating the sufficiency of the procedures for the stakeholder’s needs.