System and Organization Controls (SOC) Reporting

Feel confident that your internal controls are adequate, effective, and in compliance.

A SOC engagement provides assurance to client user organizations that controls have been suitably designed based on services provided, types of data processed, and the overall operating environment.

What’s on your mind?

  • Securing service delivery systems so they are available as committed, and maintaining data privacy and confidentiality
  • Protecting data with administrative, technical, and physical controls
  • Ensuring processing integrity with effective internal controls
  • Complying with regulatory requirements

Create opportunities with CLA

Organizations that depend on external service providers to perform critical outsourced business functions are becoming more diligent in evaluating those providers’ internal control environments. A System and Organization Controls (SOC) for Service Organizations (SOC 1, SOC 2, or SOC 3) examination can provide that assurance.

Questions about SSAE 18? Read our FAQs about SOC reporting.

From the initial readiness phase to final control testing and reporting, our professionals will collaborate with service organization personnel to recommend ways to strengthen the control environment and prepare for an attestation examination.

CLA has the industry, accounting, audit, security, and technology management knowledge to assess internal controls and security measures and determine if business goals and service delivery may be at risk.

We have significant experience evaluating technical infrastructure controls applicable to networks, servers, workstations, and other devices as well as application system(s) and underlying database(s) that maintain client data. We also analyze controls related to the physical environment and organizational management for design and effectiveness.

SOC reporting services

Whether this is your first pursuit of an assurance engagement or your service organization is looking to change service auditors, CLA can help by:

  • Determining if SOC 1, SOC 2, or SOC 3 is most appropriate to satisfy the needs of user organizations
  • Assessing design of controls to meet control objectives or principles
  • Providing recommendations to remediate control gaps
  • Documenting the system description
  • Performing tests of controls associated with attestation
  • Issuing a SOC 1, SOC 2, or SOC 3 report that meets your needs
  • Demonstrating compliance with applicable regulatory requirements, including:
  • Blockchain and distributed ledger technology

Note: SOC (system and organization controls) was previously known as service organization controls. The AICPA changed the definition with the introduction of SOC for Cybersecurity in 2017.