Audit and Assurance

SOC Audit

Service Organization Control (SOC) reports convey confidence in the internal controls of your business to your customers and their auditors. In addition to the SOC readiness assessment, we can also assist with all SOC 1, 2, and 3 audits.

SSAE 16 (SOC 1) Examination

A report on management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date (Type 1) or throughout a specified period (Type 2).

SOC 2 Examination

A generally restricted-use report on controls at a service organization relevant to:
  • Security—Is the system protected against unauthorized access (physical and logical)?
  • Availability—Is the system available for operation and use as committed or agreed?
  • Processing Integrity—Is system processing complete, accurate, timely, and authorized?
  • Confidentiality—Is confidential information protected as committed and agreed?
  • Privacy—Is personal information collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants?
Similar to a SOC 1 Examination, a SOC 2 Examination is a report on management's description of the service organization's system and the suitability of the design of the controls to achieve the relevant Trust Services Principles and Criteria included in the description as of a specified date (Type 1) or throughout a specified period (Type 2).

SOC 3 Examination

A general-use trust services report for service organizations that provides only the auditor's report on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system). SOC 3 reports can be issued on one or multiple trust services principles (security, availability, processing integrity, confidentiality, and privacy).

The EKS&H Advantage

We strive for a proactive relationship that includes frequent communications with you and your team to answer and address issues as they occur, and to ensure that all your reporting deadlines are met. Our senior partners will spend significant time with you, and we will not deploy inexperienced staff with a checklist approach. As your true business advisor, we provide a report that is helpful in managing your business and internal control processes and streamlining your operations.

Should My Organization's Services Be Audited?

Angela Appleby

If your organization performs services for clients or if you are responding to client questionnaires on your IT policies or other processes, then you may be considered a "service organization" and may benefit from an independent review of security, confidentiality, privacy, etc. controls.