For decades, MBAF has been assisting clients with all of their assurance reporting requirements including expert guidance and attestation services for service organizations.

Companies (service organizations) that provide services to other companies (user entities) are often asked to provide proof that their internal controls are working effectively so that their clients’ auditors and regulators can obtain annual assurance. Today, the preferred assurance mechanism to efficiently handle these audit requests is more than likely a SOC (Service Organization Controls) report. There are presently three SOC reports: SOC 1, SOC 2, and SOC 3.

The professional standards used to assess the internal controls or trust principles of a service organization and issue a service auditor’s report are issued by the AICPA. Examples of service organizations are employee benefits plans, payroll processors, insurance and medical claims processors, trust companies, hosted data centers, cloud service providers, managed security providers, credit card processing organizations and clearinghouses. The correct SOC report is determined by the user entity’s requirements and the impact of the service organization’s controls. Our team can help you determine which report is right for your service organization.

At MBAF, our advisors have extensive SOC experience serving large companies familiar with audit processes and smaller companies without prior audit or SSAE 18 (formerly SAS 70) attestation experience. We understand the significant changes and responsibilities placed upon service organizations with the new SSAE 18 standards. Our Attestation Services Group combines the experience and expertise of certified public accountants and certified information systems auditors with active knowledge of accounting, audit, and internal controls.

We will help you navigate the complexities of SSAE 18 attestation, so you can focus on serving your customers and growing your business.

SOC Readiness Assessments

Our SOC Readiness Assessment helps service organizations determine their readiness to undergo a successful SOC 1, SOC 2, or SOC 3 Attestation engagement. We help clients determine the appropriate report, scope, and criteria. This determines the scope of the control objectives and helps us review the related controls and procedures to ascertain the adequacy of these controls and whether they address all of the major aspects of the control environment that may be relevant to the specific type of report.

SOC 1 Report

Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

This meets the needs of user entities’ managements and auditors as they evaluate the effect of a service organization’s controls on a user entity’s financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of compliance with laws and regulations and for when user entity auditors plan and perform financial statement audits.

SOC 2 Report

Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)

For those who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality or privacy. These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. Stakeholders who may use these reports include management or those charged with governance of the user entities and of the service organization, customers, regulators, business partners and suppliers, among others.

SOC 3 Report

Trust Services Principles, Criteria, and Illustrations

Designed to accommodate users who want assurance on a service organization’s controls related to security, availability, processing integrity, confidentiality or privacy but do not have the need for the detailed and comprehensive SOC 2 Report. It can be used in a service organization’s marketing efforts.

Which SOC Report is right for you?

  • Will the report be used by your customers and their auditors to plan/perform an audit of their financial statements?
    • SOC 1 Report
  • Will the report be used by customers/stakeholders to gain confidence and place trust in a service organization’s system?
    • SOC 2 or SOC 3 Report
  • Do you need to make the report generally available?
    • SOC 3 Report

Source: Copyright © 2014 American Institute of CPAs.

Our approach

Our approach to completing a SOC engagement has been developed and fine-tuned through decades of professional practice to minimize the impact on your resources and increase the effectiveness of your engagement. Our approach includes:

  • Perform risk assessment
    • Evaluate the accuracy of the description of the system
    • Assess factors that may cause the control objectives to fail
    • Assess management’s assertions for ensuring that the controls are operating effectively
    • Assess the availability of evidence that the controls are operating effectively
  • Perform walkthrough of the controls
  • Design and communicate test plan
  • Perform test of controls design and operating effectiveness (for Type 2)
  • Remediate findings
  • Re-test failed controls
  • Prepare and issue report

Our expertise with SOC Reports is vast and we’d love to put our knowledge to work for you. Don’t hesitate to contact us now.