Coalfire Controls, LLC, a fully licensed, accredited CPA firm and affiliate of Coalfire Systems, Inc., helps service organizations examine and report on their controls so that they can respond to and meet the needs of user entities. We offer the following services to help you with your SOC reporting needs.
- Gap assessments – during a gap assessment, we help you identify and document your controls, determine any gaps that need to be remediated prior to pursuing a Type 1 or Type 2 report, and provide recommendations on how to remediate the gaps identified.
- Type 1 reports – we conduct a formalized SOC examination and report on the suitability and design of controls as of a point in time.
- Type 2 reports – we conduct a formalized SOC examination and report on the suitability, design, and operating effectiveness of controls over a period of time (typically at least six months). A Type 2 report requires that we sample test several controls (e.g., HR functions, logical access, change management) to ensure that the controls in place were operating effectively during the examination period.
- Other frameworks (SOC+ reports) – with our expertise in a variety of other frameworks, we can couple your SOC report with other efforts to reduce your audit fatigue and even provide a combined report (e.g., SOC and HIPAA or SOC and CSA STAR).
Types of attestations
- SOC 1 – focuses on business process or financial controls at a service organization that are relevant to internal control over financial reporting.
- SOC 2 – a more “traditional” GRC type of report that addresses controls at a service organization’s system related to the Trust Service Categories (TSCs) of security, availability, processing integrity of a system, or the confidentiality or privacy of the information processed by that system.
- SOC 3 – is typically a redacted form of a SOC 2 report, with any proprietary and/or confidential information removed so that it can be made publicly available (e.g., on a website).
- SOC for Cybersecurity – a report on an entity’s cybersecurity risk management program meant for investors, boards of directors, and senior management.
Agreed-upon procedures services
For subject matter outside of SOC, we can issue reports based on agreed-upon procedures under SSAE 18 standards. Our objectives in conducting an agreed-upon procedures engagement would be to:
- Apply procedures that are established by the specified parties.
- Issue a written practitioner's report that describes the procedures and findings.