System and Organization Controls (SOC) Reporting

Feel confident that your internal controls are adequate, effective, and in compliance.

A SOC engagement provides assurance to client user organizations that controls have been suitably designed based on services provided, types of data processed, and the overall operating environment.

What's on your mind?

  • Systems associated with service delivery are secure, available as committed, and maintain privacy and confidentiality of data
  • Data is protected based on appropriate administrative, technical, and physical controls
  • Internal controls are adequate and effective to ensure processing integrity
  • Complying with regulatory requirements

A unique approach

Organizations that depend on external business partners to perform a segment of service delivery are becoming more diligent in evaluating the service provider’s internal control environment. A SOC 1 or SOC 2 (SSAE 18) examination report, the replacement for SSAE 16 and SAS 70, can provide that assurance.

From the initial readiness phase to final control testing and reporting, our professionals will collaborate with service organization personnel to recommend ways to strengthen the control environment and prepare for an attestation examination.

CliftonLarsonAllen (CLA) has the industry, accounting, audit, security, and technology management knowledge to assess internal controls and security measures and determine if business goals and service delivery may be at risk.

We have significant experience evaluating technical infrastructure controls applicable to networks, servers, workstations, and other devices as well as application system(s) and underlying database(s) that maintain client data. We also analyze controls related to the physical environment and organization management for design and effectiveness.

SOC reporting services

Whether this is your first pursuit of an assurance engagement or your service organization is looking to change service auditors, CLA can help by:

  • Determining if SOC 1, SOC 2, or SOC 3 is most appropriate to satisfy the needs of user organizations
  • Assessing design of controls to meet control objectives or principles
  • Providing recommendations to remediate control gaps
  • Documenting the system description
  • Performing tests of controls associated with attestation
  • Issuing a SOC 1, SOC 2, or SOC 3 report that meets your needs
  • Demonstrating compliance with applicable regulatory requirements, including:
  • Blockchain and distributed ledger technology

Note: SOC (system and organization controls) was previously known as service organization controls. The AICPA evolved the definition with the introduction of SOC for Cybersecurity in 2017.