• SOC and attestation report services

Increase customer trust

Contact an expert

Better respond to and meet the expectations of entities. Coalfire Controls – a fully licensed, accredited CPA firm and affiliate of Coalfire – can help you examine and report on controls.

Demonstrate your commitment to security

A System and Organization Controls report (SOC 1, 2, or 3) is a widely recognized examination that helps promote trust and confidence in your organization’s security and financial controls performance. SOC reports conform to the guidance prescribed by the American Institute of CPAs (AICPA) Statement on Standards for Attestation Engagements (SSAE).

Coalfire is uniquely qualified to help organizations build an internal controls environment that complies with the requirements of the SOC examination. Our methodology involves assigning experienced SOC advisors and auditors based on your organization’s industry, services, size, and locations.

SOC assessment services

Readiness assessments

During a readiness assessment, we dive into the intricacies of SOC reporting and help you determine any gaps that need to be remediated prior to pursuing your SOC attestation.


A SOC 1 attestation focuses on controls and processes that could impact a company’s financial reporting. If your system or services impact your customer's financial statements or internal controls over financial reporting, then the SOC 1 attestation may be right for your organization.


SOC 2 is an attestation that addresses a service organization’s system controls related to the AICPA’s Trust Service Categories (TSCs) of security, availability, processing integrity of a system, or the confidentiality or privacy of the information processed by that system.


SOC 3 is a redacted SOC 2 Type 2 report that removes any proprietary and/or confidential information so it can be made publicly available. It is often utilized as marketing collateral.

Other frameworks (SOC + reports)

Leveraging our expertise across a wide variety of frameworks and Compliance Essentials, we can examine and report on controls, including SOC 1, SOC 2, SOC 3, CSA Star, and C5 attestations, with other efforts to reduce audit fatigue and provide a combined report.

SOC assessment graphic
SOC attestation graphic

Other attestation services

In addition to SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and SOC for Supply Chain, we provide support for the following attestations:

  • Cloud Security Alliance’s Security Trust & Assurance Registry (CSA STAR) attestation
  • C5 attestation
  • Microsoft SSPA
  • Agreed-upon procedures: For other subject matter, we can issue reports based on agreed-upon procedures under SSAE standards.

SOC advisory services

Core documentation construction

We meet with your governance, risk, operations, and compliance teams to determine the required artifacts related to SOC attestation.

Policy and procedure development

We augment your organization’s internal process owners to establish appropriate policies and procedures that meet security or privacy control objectives within your internal control environment, as appropriate.

Risk assessment

We define the objectives within your in-scope system to perform a risk analysis.

Internal audit

We execute an independent, periodic internal audit against the security or privacy requirements and deliver an internal audit plan and report.

Governance review

After the completion of the risk assessment and internal audit inputs, we facilitate the resulting governance review with senior and operations management personnel who are key interested parties to the program’s establishment.

External audit support

We help your organization identify and select an accredited CPA firm that will assess your organization against in-scope requirements.

SOC advisory graphic

What can you expect from our SOC compliance services?

Deep expertise

We have more than 20 years of cybersecurity and service compliance expertise, assessing more than 2,000 organizations and completing more than 400 SOC assessments annually.

Focused team

Our dedicated team of SOC specialists ensures we provide the best guidance to handle the most complex scenarios.

Proficient in cloud security

We work with the industry’s largest cloud service providers (e.g., Google, Amazon, IBM, Microsoft), and 75% of our SOC engagements are facilitated for cloud service providers (e.g., SaaS, IaaS, PaaS).

Industry leaders

We are a member of the AICPA Peer Review Program and hold a role in the Colorado Society of Certified Public Accountants.

Compliance Essentials

By coordinating assessments across more than 50 compliance frameworks, you can eliminate duplicate activities and maintain a state of continuous compliance with Compliance Essentials.

Frequently asked questions about SOC compliance

What is Type 1?

We conduct a formalized SOC examination and report on the suitability of design and implementation of controls as of a point in time. This is a starting point for demonstrating controls.

What is Type 2?

We conduct a formalized SOC examination and report on the suitability of design and operating effectiveness of controls over time (typically at least six months). SOC Type 2 reports are commonly required by customers to ensure entities maintain controls that support their security and trust requirements.

Can Coalfire Controls help with Coalfire Advisory services to attest my SOC program?

Independence must be maintained by your SOC auditor. For specific questions, please discuss this with your engagement team.

What is a SOC for Cybersecurity?

This SOC report on an entity’s cybersecurity risk management program is meant for investors, boards of directors, and senior management.

How long should I expect to take to stand up my SOC program and receive attestation?

Coalfire SOC advisory has an experienced team that can work in tandem with client needs to expedite SOC readiness. Typically, our engagements take six to nine months for completion (if all advisory pillars of work are selected).

What is a SOC for Supply Chain?

To help entities better assess and manage supply chain risk, this examination and SOC report can provide an audited track record for customers, business partners, and other interested parties to show an entity’s commitment to these stakeholders.

Since I already have a CSA STAR attestation, how quickly can I upgrade to version 4.0?

Our advisory team can perform an assessment for you within a gap analysis and provide a roadmap for short-term uplift to version 4.0.

Ready to fuel your success with unmatched cybersecurity solutions?

Secure your business’s future with our technical expertise, innovative technology, and compliance consulting.