
system and organization controls (SOC)

Your Service Reporting Goals, Achieved.

Assurance your clients want. Expertise your business needs.

The System and Organization Controls (SOC) report was introduced in 2011 to replace the aging Statement on Auditing Standards (SAS) No. 70, which allowed an independent auditor to analyze a service provider's internal controls. Unfortunately, many service providers still do not realize the value that independent testing and verification can offer in today’s increasingly competitive marketplace.

As more and more companies rely on cloud computing to outsource financial and data-sensitive information, SOC reports have become an indispensable seal of approval. They offer a valuable assessment of a service provider’s ability to mitigate risk and deliver effective services through a variety of controls, processes and procedures.

If your company has not been asked to furnish a SOC report as part of a job bid or contract negotiation, it is likely just a matter of time. KSM’s experienced and knowledgeable advisors can help you facilitate all aspects of the SOC reporting process.

Customized engagements. Valuable insights. Minimal disruption.

The various SOC reports (SOC 1, SOC 2 and SOC 3) are unique products with a similar goal. At KSM, our objective in conducting each engagement is not just to assess services provided to users but to help clients gain a better understanding of their overall control environment. Many businesses find that they did not have a complete understanding of their operational risks prior to completing their SOC report.

KSM’s process is designed to enable your business to uncover key insights that will help you identify your company’s ‘risk picture’ in order to implement appropriate controls and reduce overall risk.

Demand for SOC reports is only likely to increase in the coming years as the business community continues to outsource more and more key technology services. SOC reports do require an investment, but when you have the right partner, the benefits more than outweigh the costs.

Experienced team. Personal touch.

When you consult with KSM, you’ll work with a knowledgeable, experienced advisor who can help guide you through the extensive SOC reporting process. Your KSM contacts will be the same individuals from the statement of work to well beyond the report delivery. This ensures a deep institutional knowledge and understanding of your business and SOC reporting objectives.

Because of this thorough relationship, our highly adept cross-functional team can often bring added value to other areas of your business. For KSM, communication is key. Our experienced team members will manage every aspect of the engagement, including all fieldwork, and communicate with you every step of the way.

We provide SOC services to companies in many industries, including:

  • Employee Benefits Administration
  • Third-party Administration
  • Insurance
  • Financial Services
  • Technology (including data centers, software as a service (SaaS), etc.)

SOC readiness designed around you

As one of the nation’s leading accounting, tax and consulting firms, KSM provides personalized readiness assessments prior to a SOC engagement to help identify deficiencies in business policies, procedures and control environments.

No one likes surprises when it comes to compliance, and readiness is the key to avoiding them. KSM’s readiness assessment was created around the idea that no two clients are alike. By taking into account your organization’s unique business environment, we are able to identify key control issues and tailor solutions and best practices to fit your company’s specific needs. Compliance may be the ultimate goal, but we believe achieving it should never come at the expense of disrupting your operational efficiency.

Our highly customized approach will also save you time and frustration. Our main goal is to help you achieve your reporting objectives and navigate today’s challenging regulatory environment.

SOC 1

A SOC 1 engagement assesses the design of the controls that are relevant to the service organization’s internal financial reporting controls. This is the report that most closely resembles the legacy reporting standard that many businesses are familiar with (SAS 70).

A SOC 1 has two reporting options – Type 1 and Type 2. Distribution and use of both reporting options are restricted to management, the user entities and their auditors.

SOC 2

A SOC 2 reports on controls that are unrelated to financial reporting, such as security, privacy, confidentiality, processing integrity and availability. This report may be restricted in distribution to customers, regulators and others that have an understanding of the service organization and its related controls.

Like the SOC 1 report, the SOC 2 includes both a Type 1 and Type 2 option.

SOC 3

A SOC 3 report is similar to the SOC 2, Type 2, but does not include certain confidential information and has no restrictions on distribution or use. It is the ideal report to share with current and prospective customers and business partners in order to demonstrate core control competency. This report can be a beneficial marketing piece.

Phase I – readiness

Phase I includes a thorough assessment of engagement objectives and a complete review of the client’s control objectives and activities. Additionally, our team will:

  • Develop an understanding of and document any regulatory and control requirements of the client’s environment.
  • Help define the scope of controls to be assessed, evaluated, tested and documented.
  • Develop a mutually agreed-upon engagement plan.
  • Educate the client on the key components of a sound internal control system.
  • Evaluate current control activities for significant deficiencies and identify gaps in risk coverage.
  • Assist in updating and establishing key control activities.
  • Review and develop a testing plan for all identified key control activities.
  • Provide a list of action items and an expected timetable for completion.

Phase II – planning

Phase II includes confirmation of engagement objectives and a thorough review of control activities. Our team will:

  • Confirm overall engagement purpose and scope.
  • Examine key control activities and controls that may have been established during Phase I by performing a walkthrough of these activities.
  • Review established test plan and available documentation for all identified key control activities.
  • Provide a list of requested items and an expected timetable for delivery.

Phase III – testing & reporting

Phase III includes testing and reporting on the specific controls that are required for a SOC report. Our team will:

  • Obtain an understanding of the control environment and conduct walkthroughs of key control activities to determine whether the design of the controls is suitable to achieve the related control objectives.
  • For Type 2 – conduct tests to evaluate the operating effectiveness of each key control during the audit period and document the results of specific tests.
  • Draft the SOC report and opinion.
  • Meet with management to review the draft report and supporting documentation and to resolve open issues.
  • Issue final SOC report.

Type 1 & 2 reports

SOC 1 and SOC 2 reports may come in two different types, depending upon whether the performance of the controls is tested and whether the report is intended to cover a period of time or a single point in time.

A Type 1 report reviews and describes the internal controls the service provider has in place and includes an auditor’s opinion on the effectiveness of the design of those controls as of a defined date.

A Type 2 report includes the information in a Type 1 report but goes one step further. It tests operation of those controls over a defined period of time (6-18 months) in order to determine whether they are operating effectively.

A SOC 3 is only offered as a Type 2 report.