Cookie Settings

System and Organization Controls Reporting

SOC 1®, SOC 2®, and SOC 3®


As companies search for an effective approach to outsourcing business processes, cost is not the only key factor to consider. Today, service organizations are under increasing pressure to provide customers with greater transparency on the effectiveness of their internal controls over the collection, processing, transmission, storage, organization, maintenance, and/or disposal of customer data. Depending on the services being delivered and their customers’ needs, service organizations must choose which examination type is relevant to their clients (SOC 1®, SOC 2®, SOC 3®) to minimize inquiries and requests for specific SOC reports from those customers.

One way for a service organization to communicate the strength and reliability of its internal controls is by getting an independent examination of the system used to provide services to its customers. Although not mandatory, the SOC examination report serves as an independent verification of the service organization’s internal controls. Companies from all industries are continuing to expect these critical verification processes in order to maintain a competitive advantage. The benefits of these examinations are realized by the service organizations, as well as the customers receiving their services.

BPM provides the following System and Organization Control (“SOC”) services in accordance with current AICPA Statement on Standards for Attestation Engagements (“SSAE”):

  • SOC Readiness Assessments for Service Organizations
  • SOC 1®: Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
  • SOC 2®: Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (TSP 2017)
  • SOC 3®: Examination – General use report (issued in conjunction with a SOC 2 report)

SOC questions flowchart

Related Services