System and Organization Controls (SOC) Reporting

SOC reporting provides your customers with the assurance they want or require as a condition of doing business with you. In addition, a well-designed SOC program is an effective means to identify and manage financial, operational, system, and/or cybersecurity risk through one or more of the following AICPA SOC Suite of Services:


  • SOC 1®: Formerly SAS 70 / SSAE 16, this is an examination of internal controls over financial reporting that is based on AICPA’s guidance for auditors, SSAE 18. This is intended to be a report from the service organization’s auditor to its customers’ auditor.
  • SOC 2®: This is an examination of operational or compliance controls (not solely financial reporting) that is focused on one or more key system attributes of security, availability, processing integrity, confidentiality, and privacy (Trust Services Criteria), depending on what is relevant and important to your customers. Also based on AICPA’s guidance for auditors, SSAE 18, this is intended to be a report from the service organization’s management to its customers’ management (not auditor to auditor).
  • SOC 3®: SOC 3® examinations are the same as SOC 2® with the exception that the report does not include management’s detailed description of processes and systems, and the company can place a publicly visible SOC seal on its website with a link to the report on the stated key system attributes of security, availability, processing integrity, confidentiality, and privacy.


Introduced by AICPA in April 2017, this report is similar to a SOC 2®, but it is intended for a broader audience (your customers and their auditors) that is interested in knowing about your company’s risk management program for cybersecurity, including information about your systems, processes and controls for detecting, preventing and responding to breaches.


Introduced in April 2017, this report is currently in the process of being developed by the AICPA, which indicates that this is “an internal controls report on a vendor’s manufacturing processes for customers of manufacturers and distributors to better understand the cybersecurity risk in their supply chains.” FGMK will provide additional information as it becomes available from the AICPA.



FGMK understands how critical your projects and programs are to your organization’s success. Our experience and knowledge allow us to create efficient and effective reporting processes that include the following SOC services:

READINESS – we help you identify and document controls to meet your objectives. We have the tools, templates and experience to help you right-size your SOC solution according to your requirements. We leverage our deep understanding of business processes and information technology to assist you in identifying controls to mitigate risks in your environment.

EXAMINATION – we perform our SOC examination under the guidance of the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements No. 18 (SSAE No. 18). Our experienced SOC professionals make the examination easier for you from planning through completion. We leverage our tools and templates to execute our controls testing in an efficient and effective manner so you can stay focused on running your business. We understand that SOC reports are a reflection of both your service organization and FGMK, so we focus on preparing SOC reports you will be proud to share with your customers.

TECHNOLOGY – regardless of the type of SOC report your company needs, information technology systems and security are at the core. We combine technology and IT audit skills with the knowledge necessary for a complete SOC strategy. We also draw on the resources of our technology company, Netrix, which provides complete technology design and implementation solutions.
