Coalfire Controls is a fully licensed, accredited CPA firm and affiliate of Coalfire that helps organizations examine and report on controls, allowing you to better respond to and meet the expectations of user entities. Our team offers the following related services:

• Readiness assessments: During a readiness assessment, we help you identify and document your controls, determine any gaps that need to be remediated prior to pursuing a Type 1 or Type 2 report, and provide recommendations on how to remediate the gaps identified.
• Type 1 reports: We conduct a formalized SOC examination and report on the suitability of design and implementation of controls as of a point in time.
• Type 2 reports: We conduct a formalized SOC examination and report on the suitability of design and operating effectiveness of controls over a period of time (typically at least six months). A Type 2 report requires that we sample test several controls, such as HR functions, logical access, change management, to ensure that the controls in place were operating effectively during the examination period.

• Other frameworks (SOC+ reports): Leveraging our expertise across a wide variety of frameworks, we can couple your SOC 2 report with other efforts to reduce your audit fatigue and even provide a combined report (e.g., SOC and HIPAA or SOC and CSA STAR).

What is SOC 1?
SOC 1 focuses on business process or financial controls at a service organization that are relevant to internal control over financial reporting.

What is SOC 2?
Considered a “traditional” governance, risk, and compliance (GRC) report type that addresses controls at a service organization’s system related to the AICPA’s Trust Service Categories (TSCs) of security, availability, processing integrity of a system, or the confidentiality or privacy of the information processed by that system.

What is SOC 3?
Most commonly a redacted form of a SOC 2 report, removing any proprietary and/or confidential information so can be made publicly available, such as on a website.

SOC for Cybersecurity
A report on an entity’s cybersecurity risk management program; meant for investors, boards of directors, and senior management.

SOC for Supply Chain
A report to help entities better assess and manage supply chain risk. This examination and report can provide an audited track record for customers, business partners, and other interested parties to show a commitment by the entity to these stakeholders.

CSA STAR Attestation
The SOC 2+ CSA STAR report was developed as a collaboration between the CSA and the AICPA to provide guidance for CPA firms to conduct STAR Attestations using criteria from the AICPA TSCs and the Cloud Control Matrix (CCM). This assessment utilizes the SOC 2 framework to report on the suitability of the design and operating effectiveness of a Cloud Service Provider’s (CSP’s) controls relevant to the applicable TSCs, which include Security, Availability, Confidentiality, Processing Integrity, and Privacy, and the suitability of the design and operating effectiveness of its controls in meeting the criteria in the CSA CCM.

C5 attestation
A report on controls that addresses the cloud computing compliance criteria catalogue (C5) developed by the Federal Office for Information Security in Germany (Bundesmat fur Sicherheit in der Informationstechnik, or BSI). CSPs can decide whether they are looking to meet the basic criteria of the catalogue of controls, or they can add the additional criteria if necessary. At a minimum, the catalog consists of 121 criteria across 17 objectives or areas.

Agreed-upon procedures
For subject matter outside of the above, we can issue reports based on agreed-upon procedures under SSAE standards. Our objectives in conducting an agreed-upon procedures engagement would be to:

• Apply procedures that are established by the specified parties.
• Issue a written practitioner's report that describes the procedures and findings.