SOC Reporting icon

SOC Reporting

Companies are increasingly outsourcing business processes and IT functions to service organizations. If your business provides services to other entities, those entities may want assurance when it comes to the risks and controls associated with these services, often in the form of a service organization controls (SOC) report. This is especially true if your services include sensitive information, such as patient health data or financial transactions. SOC reports provide essential information that can build trust in processes, controls, and safeguards.

Lumsden McCormick’s team of certified public accountants can provide an efficient and affordable approach to SOC reporting. Whether your needs call for SOC 1, SOC 2, or SOC 3 reporting, we’ll design a customized approach to help your organization benchmark and compare internal controls against industry best practices.

SOC 1 Report (SSAE 18)

As an internationally recognized third-party assurance audit, a SOC 1report is designed for service organizations in order to demonstrate adequate control and integrity of financial reporting.  A SOC 1 Report is becoming an essential requirement as organizations are faced with increased regulatory scrutiny. 

Benefits of a SOC 1 Report include:

  • Instant credibility,
  • Confirmation that controls, procedures, and processes are in place the way management intends them to be,
  • Independent assessment of controls,
  • Potential to grow market share, and
  • Reduction of third-party self-assessment questionnaires.

We can help you prepare for your first SOC 1 audit by conducting readiness assessments and ensuring compliance with SSAE 18 requirements. We can also help you understand SOC Type I and Type II assurance levels.

SOC 2 Report

A SOC 2 Report will help you achieve the highest IT reporting standard and the most recognizable third-party assurance report. SOC 2 engagements use the predefined criteria of Trust Principles set by the American Institute of Certified Public Accountants including:

  1. Security — The system is protected against unauthorized access.
  2. Availability — The system is available for operation and use as committed or agreed.
  3. Processing integrity — System processing is complete, accurate, timely, and authorized.
  4. Confidentiality — Information designated as confidential is protected as committed or agreed.
  5. Privacy — Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice, and with regulatory standards.

We’ll provide assessment and reporting tools so SOC 2 engagements can be completed efficiently, effectively, and on budget. Our in-house expertise covers a range of industries and IT expertise; we can provide you with the most sophisticated level of service at a competitive fee.

Industries benefitting from a SOC 2 report include:

  • Health care service providers,
  • Government service providers,
  • Hosting providers, and
  • Production printing.

SOC 3 Reports

This report covers the same testing procedures and requirements as a SOC 2 engagement, however this report omits the detailed test results and the description of the system and is intended for general audiences and public distribution.

SOC for Cybersecurity

This report is designed to provide assurance about the effectiveness of the controls over a service organization’s cybersecurity risk management program. 

Our Audit Team has extensive knowledge of SOC reporting and will guide you to the appropriate SOC report(s) for the services you provide, with an understanding that your controls have undergone comprehensive testing.

For more information about SOC reporting, please contact Thomas Burns or complete the form below.

Services Leaders

Thomas Burns

Thomas M. Burns, CPA, CMA

Jill Johnson

Jill M. Johnson, CPA, CFE, CITP, FHFMA


Upcoming Events


Comprehensive. Proactive. Accessible.
How Can We Help?