Skip to content

SOC Audits

When selecting McKonly & Asbury as your SOC auditor, you can be assured that you will be dealing with a strong team of professionals who know and understand all aspects of reporting on service organization internal controls. Our team of experts has diverse, technical expertise in internal controls and information technology to ensure that our clients receive the highest level of service. The valuable advice and support provided through our services offers service organizations the opportunity to develop internal control environments to meet the objectives required by their customers and industries.

We currently provide the full suite of SOC services to clients in a broad variety of industries. Our capabilities include SOC for Service Organizations (SOC 1, SOC 2 and SOC 3) as well as SOC for Cybersecurity. We perform both Type 1 and Type 2 engagements. Our clients include insurance companies, third-party providers, software developers, data centers, and data and software hosting companies.

Services We Provide

McKonly & Asbury works with clients in all aspects of executing a SOC audit. We provide our clients with a comprehensive suite of services from pre-assessment/examination readiness through the issuance of the final System and Organization Controls report. These comprehensive services provide our clients with the tools necessary to complete the examination and provide a report meeting the needs of their users and customers.

SOC Services

Contact us to discuss your needs.

SOC 1 audits are intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities in evaluating the effect of the controls at the service organization on the user entities’ financial statements. We work with the service organization to produce the report its customers are requesting.

Service organizations that would typically receive a SOC 1 audit consist of third-party service providers, insurance companies, payroll and benefits processors as well as trust departments. Broadly, any service organization that provides services to customers that directly impact the customer’s financial statements would be a candidate for such an audit. Service organizations should evaluate their needs along with their customers’ reporting needs before determining the type of SOC audit that applies to their needs.

SOC 2 and SOC 3 audits are used by service organizations to meet the needs of a broad range of users that need detailed information and assurance about the controls at the service organization relevant to the security, availability and processing integrity of the systems at the service organization, and the confidentiality and privacy of the information processed by these systems. The AIPCA has set forth specific trust services criteria within each trust services principle which the service organization’s controls must meet to satisfy the principle.

A SOC 3 audit is similar to a SOC 2 audit, with the primary difference being that SOC 2 audits are restricted use reports and SOC 3 are general use reports. SOC 3 reports can be freely distributed by the service organization and the organization can post a SOC 3 seal on their website indicating the SOC 3 report has been completed.

Service organizations that would typically receive a SOC 2 or SOC 3 audit consist of datacenters, software development companies, cloud computing companies, IT service providers, and data and application hosting companies.

In April 2017, the American Institute of Certified Public Accountants (AICPA) introduced a new examination entitled System and Organization Controls (SOC) for Cybersecurity which builds on the AICPA standards already in place over SOC examinations. The existing SOC1, SOC2, and SOC3 frameworks were directly focused on organizations providing direct or indirect services to other organizations as service providers.

SOC for Cybersecurity, however, is appropriate for virtually any type of business or nonprofit organization and is performed by the AICPA’s Cybersecurity risk management program attestation standards. It focuses on communicating information regarding the design and operating effectiveness of an organization’s cybersecurity risk management program to the organization’s management, board, and other stakeholders, allowing them to understand the processes, policies, and controls that the organization has in place to mitigate and prevent cybersecurity attacks on their information as well as determine potential gaps that are not addressed by processes, policies, or controls currently in place within the organization.

Industry Involvement

View all SOC Insights

Contact Us