SOC and SSAE reporting services

A System and Organization Controls report (SOC 1, 2, or 3 report) is a widely recognized way to ensure trust and confidence in your security and financial controls posture. SOC reports follow the guidance from the AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE 18, formerly SSAE 16).


Improve your compliance standing

Coalfire Controls, LLC, a fully licensed, accredited CPA firm and affiliate of Coalfire Systems, Inc., helps service organizations examine and report on their controls so that they can respond to and meet the needs of user entities. We offer the following services to help you with your SOC reporting needs.

  • Gap assessments – during a gap assessment, we help you identify and document your controls, determine any gaps that need to be remediated prior to pursuing a Type 1 or Type 2 report, and provide recommendations on how to remediate the gaps identified.
  • Type 1 reports – we conduct a formalized SOC examination and report on the suitability and design of controls as of a point in time.
  • Type 2 reports – we conduct a formalized SOC examination and report on the suitability, design, and operating effectiveness of controls over a period of time (typically at least six months). A Type 2 report requires that we sample test several controls (e.g., HR functions, logical access, change management) to ensure that the controls in place were operating effectively during the examination period.
  • Other frameworks (SOC+ reports) – with our expertise in a variety of other frameworks, we can couple your SOC report with other efforts to reduce your audit fatigue and even provide a combined report (e.g., SOC and HIPAA or SOC and CSA STAR).

Types of attestations

  • SOC 1 – focuses on business process or financial controls at a service organization that are relevant to internal control over financial reporting.
  • SOC 2 – a more “traditional” GRC type of report that addresses controls at a service organization’s system related to the Trust Service Categories (TSCs) of security, availability, processing integrity of a system, or the confidentiality or privacy of the information processed by that system.
  • SOC 3 – typically is a redacted form of a SOC 2 report, removing any proprietary and/or confidential information, so it can be made publicly available (on a website).
  • SOC for Cybersecurity – a report on an entity’s cybersecurity risk management program meant for investors, boards of directors, and senior management.

Agreed-upon procedures services

For subject matter outside of SOC, we can issue reports based on agreed-upon procedures under SSAE 18 standards. Our objectives in conducting an agreed-upon procedures engagement would be to:

  • Apply procedures that are established by the specified parties.
  • Issue a written practitioner's report that describes the procedures and findings.

Why choose Coalfire for your SOC and SSAE reporting needs?

  • We apply our expertise in cybersecurity and cloud technology to SOC reports to ensure clients address cyber risk while satisfying vendor management requests.
  • Our SOC practice performs more than 200 SOC engagements annually, and our SOC experts individually perform more than 30 SOC assessments a year.
  • To streamline the SOC process, we developed a methodology that ensures only experienced assessors lead the on-site engagement, minimizes time spent on-site, and expedites report delivery.

Showcase your security posture

See a return on your compliance investment and grow market share with our market development services
