SOC Reporting Services

Cherry Bekaert professionals provide System and Organization Control reporting services, including SOC 1, SOC 2/2+, SOC 3, SOC for Cybersecurity and SOC for Supply Chain Reports.

Understanding SOC Reports

With more companies outsourcing financial and information technology services to third parties, it has become critical for them to be able to build trust with their clients and customers.

Our System and Organization Controls (SOC) services focus on helping you give your clients and customers trust, visibility, and transparency regarding the controls and processes they rely on to run their business.

  • Trust and Transparency: Provides customers with assurance through independent validation that the organization has effective controls in place. Allows your organization to highlight the controls and processes that enable true confidence in your operations, which can lead to increased revenue and growth opportunities.
  • Risk Management: Helps in identifying potential weaknesses in the organization’s controls and processes and enables management to make decisions regarding risk mitigation.
  • Regulatory Compliance: In addition to providing your customers and clients the information they need regarding your business relationship, in many cases, a SOC 2 report can help organizations comply with various regulatory requirements and industry standards and reduce the risk of penalties associated with non-compliance.
  • Competitive Advantage: A SOC report demonstrates a commitment to security, data privacy and reliability, differentiating your organization from competitors. Furthermore, for growing companies going through acquisition, a SOC report can demonstrate compliance, reduce due diligence costs, improve valuation, and build trust.
  • Operational Efficiency: Independent validation of controls and processes encourages continuous improvement of procedures and controls, resulting in improved operational efficiency and effectiveness.

Why Cherry Bekaert for Your SOC Reporting?

  • Proven Experience: With several hundred SOC reports issued by Cherry Bekaert every year, your executive leadership team can be assured that your service team understands the nuances of your specific industry and has experienced the same concerns you have as buyers of SOC services.
  • Efficient Approach: Our teams are constantly working on ways to make our SOC 2 delivery model more efficient and effective every year and drive improvement in the delivery process every time we begin a new SOC 2 report. These improvements and flexible scheduling focus on minimizing the impact of compliance on your day-to-day operations.
  • Multi-Report Ready and Capable: Many of the clients we work with are large, well-known organizations that issue multiple SOC 2 reports per year, even as many as 25+ SOC 2 attestation reports. You can rest assured our teams are knowledgeable on the nuances involved in executing on multi-report environments, minimizing the impact on your operations by finding ways to rely on controls across reports and applying “test once” approaches.
  • Cloud Security Expertise: Our cyber team is experienced in working on SOC reports deployed across the world’s largest cloud service providers and private cloud environments, understanding the risks, and utilizing automated test scripts and approaches to validate configurations.
“SOC reports instill trust and assurance to customers, investors, and stakeholders that companies have effective controls and processes in place to protect their data and ensure compliance with regulatory requirements.”
Kurt Manske
Partner and Practice Leader | Information Assurance & Cybersecurity

Not Sure Where to Start with Your SOC Report? Let Us Help!

Whether you are embarking on your first SOC report and are interested in a Readiness Assessment followed by a SOC audit or have received SOC audit reports for years but need to streamline a multiple report environment, our experienced assurance team is here to help.

Types of SOC Reporting Services

SOC Gap Assessment, Readiness, and Remediation

Adequately preparing for a new SOC audit is crucial and “sets the stage” going forward with your auditor, your clients, your customers, and in some cases, regulatory bodies. We work with you to design a control set that helps you drive trust with your clients and aligns with industry expectations.

Our teams work with you and your organization as your go-to trusted advisor throughout the gap, readiness, and remediation process, and can provide project oversight and assistance on controls design, risk assessment, policy and procedure development, and process implementation.

SOC 1 Report

A SOC 1 report is a type of System and Organization Controls (SOC) report that evaluates an organization's controls related to financial reporting. These reports are typically used by service organizations whose services impact their clients' financial statements, and are commonly referred to as Statement on Standards for Attestation Engagements (SSAE) 18 reports, as they are based on the SSAE 18 framework.

Two types of SOC 1 reports exist, as follows:

  • Type I: A report on management’s description of a service organization’s system and the suitability of the design of controls.
  • Type II: A report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.

SOC 1 reports are a valuable tool for service organizations that need to demonstrate their commitment to financial reporting controls to customers or other key stakeholders.

SOC 2/SOC 2+ Report

SOC 2 reports focus on controls relevant to your clients and customers as a service organization and can cover, beyond the required security controls, controls for availability, processing integrity, confidentiality, and privacy. This makes SOC 2 reports more applicable to a wider range of organizations.

In addition, using SOC 2+ reporting standards, we are able to incorporate other frameworks into our audit reports such as NIST 800-53 or 171, ISO 27001, HITRUST (HIPAA Compliance), Payment Card Industry (PCI), Cloud Security Alliance (CSA) and the Cybersecurity Maturity Model Certification (CMMC).

SOC 2 reports are suitable for non-financial organizations, such as technology companies, healthcare providers, and data centers, who do not require an audit of their financial reporting controls.

SOC 3 Report

Like SOC 2, this report is based on SOC 2 standards; however, it provides a high-level overview of the organization’s controls without disclosing testing details, as it is intended for marketing purposes. SOC 3 reports are intended for a general audience and can be freely distributed to anyone.

Unlike the SOC 2 report, this report cannot be used for certification.

SOC Reporting in Multiple Report Environments

In a multiple report environment, it is key to drive value and develop efficient, effective testing and reporting processes that have minimal impact on your operations in complex, multi-national and diverse organizational structures. By engaging a single provider, you increase transparency and assurance, strengthen compliance, simplify the reporting processes, and provide more targeted information to different stakeholders.

Webinar

Watch the Latest on SOC Reporting and How To Get Started

Gain a greater understanding of SOC 1 and 2 reporting requirements, the advantages and benefits of having a report, and recent changes in SOC and third-party risk management.

Our Professionals

Kurt Manske

Information Assurance & Cybersecurity Leader

Partner, Cherry Bekaert Advisory LLC

Steven J. Ursillo, Jr.

Information Assurance & Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Dan Sembler

Advisory Services

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC