SOC Reporting

Establishing Credibility with Your Customers

If your business provides outsourced service functions like payroll, cloud computing, document management or many others, your customers may be looking for independent validation of your controls. This could be to satisfy their own Sarbanes-Oxley requirements or as part of their own internal due diligence on vendors. When many customers begin investigating your controls, you can satisfy multiple requests with a single SOC report.

High-profile fraud cases come with heightened awareness of the need for internal controls. There is also increased concern over data protection as more companies offer cloud-based services in a Software as a Service (SaaS) model. We can provide an objective evaluation of how well information is protected so you can show your customers their data is in good hands.

We provide the following SOC services:

  • SOC Readiness Assessment. The AICPA allows us to help you develop your report and take an “open book test” the first time through.  We call this a readiness assessment, and it can help management ensure a smooth takeoff on your first SOC report.  This is a specialty at Barnes Dennig.  We work with you on your schedule, and can help identify new policies and procedures if needed to be able to pass your first SOC audit.
  • SOC 1 Report or Standards for Attestation Engagements No. 16 (SSAE 16). This is the replacement report for Statement on Auditing Standards (SAS) 70. There are two different SOC 1 reports that can be issued; both look at a service organization’s internal controls over financial reporting.
  • SOC 2 Report. This is an evaluation of a service organization’s controls on data security, availability, processing integrity, confidentiality and privacy.  These also may cover other established controls, the most common of which are from HITRUST and the Cloud Security Alliance.  These are referred to as SOC 2 +.  The AICPA has worked closely with HITRUST to map the HITRUST CSF (Common Security Framework) for companies complying with HIPAA, and with the Cloud Security Alliance to map controls to the Cloud Controls Matrix.
  • SOC 3 Report. Intended for public use, this is a simplified version of a SOC 2 report made available for publishing on the Internet. These are typically offered as an incremental report in addition to a SOC 2 report.

Service Organization Controls Experience: As certified public accountants (CPAs), we uniquely understand the SOC requirements developed by the American Institute of CPAs. In addition, our team of auditors was involved in Statement on Auditing Standards (SAS) 70 and SSAE 16 reporting before it evolved into SOC reporting, and we have professionals with significant experience establishing and testing internal controls and IT controls.

Contact us to ask about our SOC services and how a SOC report may be the seal of approval you need to show your customers that you have effective controls over their information.

If you have questions about SOC reports, what they mean and their impact on various stakeholders, be sure to check out our SOC FAQs.