SOC Reports: Service Organization Controls

The guidance issued by the AICPA, effective in June 2011, along with the growing trend for companies to outsource business functions, has resulted in greater demand for auditor examinations and reporting on System and Organization Controls (“SOC”). Mueller’s SOC team includes a group of professionals with over 30 years of combined experience in preparing, reviewing, and relying on hundreds of SAS 70 reports (currently called SOC reports). Our team combines financial statement audit, IT audit, cybersecurity audit, and internal controls skills with extensive experience in many industries.

SOC 1, 2, 3 Defined


SOC 1

Formerly SAS 70, this is an examination of internal controls over financial reporting that is based on the AICPA’s guidance for auditors, SSAE 16. This is intended to be an “auditor to auditor” report.


SOC 2

This is an examination of operational or compliance controls (not solely financial reporting) that is focused on one or more key system attributes of security, availability, processing integrity, confidentiality, and privacy (Trust Services Principles), depending on what is relevant and important to your customers. This is intended to be a report from company management to customer management (not auditor to auditor).


SOC 3

These examinations are the same as SOC 2, with the exception that the report does not include management’s detailed description of processes and systems, and the company can place a publicly visible SOC seal on its website with a link to the report on the stated key system attributes of security, availability, processing integrity, confidentiality, and privacy.

SOC for Cybersecurity

Concerns over cybersecurity are on the rise in many organizations, and there is a growing need for businesses to demonstrate that they are effectively controlling this threat.

In 2017, the AICPA developed a new cybersecurity risk management reporting framework that helps organizations communicate about, and CPAs report on, cybersecurity risk management programs.

We see that Service Organization Controls examinations are typically relevant to companies that provide outsourced services such as:


  • Payroll Processing
  • Claim Processing
  • Collections Processing
  • Medical Billing
  • Employee Benefit Plan Administrators
  • AR/AP Processing
  • Data Centers
  • Application Hosting Firms
  • Co-location Center Firms
  • Professional Firms (Law & Accounting)
