Compliance Services

SOC Reporting Services

SOC Reporting Services

For organizations new to the SOC process or organizations interested in reviewing high risk areas that may have emerged since their last audit, Compass Assurance & Advisory Group offers the SOC Readiness Assessment. This solution assists organizations in identifying the necessary internal controls, documentation, and gaps within their business, information technology, and security programs. SOC audits can be a daunting and intimidating task for organizations of any size. Our team of certified professionals has extensive experience in helping organizations navigate the complex requirements needed to complete a SOC audit successfully.

Compass Assurance & Advisory Group, LLC, a certified affiliate firm of Compass IT Compliance helps organizations across all industries examine and improve their data privacy and compliance controls to meet evolving customer, partner, industry, and regulatory requirements. While maintaining independence from our IT security and audit practice, you will continue to receive the one-stop-shop benefits that only the Compass team can provide!

Services are performed by skilled professionals who have extensive experience in risk and control-oriented audits and information security to validate, prior to an actual service audit, the different criteria for the 5 Trust Services Criteria (TSC) defined in conjunction with an independent CPA firm. Our SOC Readiness Assessment is a multi-step process outlined below:




This approach ensures your preparedness and future success for this type of engagement and reduces the possibility of a qualified opinion or reporting exception. Contact us today to learn more and discuss your unique situation!

What is a SOC Report?

System & Organizational Controls (SOC) reports are internal control reports that outline the services that are being provided by a service organization and the controls related to the service that is being offered. This provides valuable information to potential customers and allows the service organization to build trust and confidence around their service offerings. A Service Auditor's Report can help a service organization to:

  • Build trust with customers
  • Be a key differentiator to prospective clients
  • Ensure that all requests from user organizations and their auditors rely on the SOC report

SOC reports are intended to build consumer trust, and are required or beneficial for organizations such as: Data Centers, Loan Servicing, Payroll, Medical Claims, SaaS, Software Developers, etc. Not all SOC reports are alike. These documents come in the following variations:


SOC 1 Report

A SOC 1 report examines internal controls at a service organization that impact a user entity’s (your customers) controls over financial reporting. This report is only to be issued when an auditor of your customer needs to gain comfort with your controls to be able to issue audited financial statements. This report can only be used by the auditors of user entities and user entities’ management.

SOC 2 Report

The SOC 2 report deals specifically with controls related to Security, Confidentiality, Privacy, Availability, and Processing Integrity and are known as the 5 Trust Services Criteria (TSC). SOC 2 reports provide organizations with a broad range of information and assurance in regards to the controls and organization has in place for their systems that deal with the information processed by these systems.

SOC 3 Report

The SOC 3 report is intended to be publicly shareable, and can be provided to clients or posted on an organization's website to boost consumer confidence in the organization's controls, whereas the SOC 1 & 2 can't be publicly shared. SOC 3 covers the same areas as SOC 2, but the report removes confidential information and details.


These reports can be performed as either a Type I or Type II:


Type I Report

The Type I report is a report on management's description of the system(s) in scope and the suitability and design of the controls related to the Trust Services Criteria (TSC) at a point in time.

Type II Report

The Type II report is more detailed. The Type II report includes the statements above, related to a Type I report, but takes it a step further to outline the operating effectiveness of the controls in place over a period of time, not less than 6 months.


SOC Blog Posts

Contact Us