Gain Confidence Through a SOC Audit

In recent years, it has become increasingly popular for institutions to outsource business support, system operations and IT activities to service organizations. With that trend came new standards for reporting on service organization controls (SOC).

PBMares will help you satisfy any assurance requirements and assess the effectiveness and risks of your third party’s controls through:

  • SOC 1

    Organizations across the board, including publicly traded companies, private companies and not-for-profits may require verification that the third-party data security experts who work on their financial statements operate under a strong set of internal controls. These verifications come in the form of various levels of System and Organization Controls (SOC) reports. The reports assure your clients and prospective clients that your internal controls are secure. Examples of service companies that may require such reports include data center companies, loan servicing companies, medical claims processors and payroll processors.

    SOC 1 reports, also known as the Statement on Standards for Attestation Engagements (SSAE) 18, focus on your organization’s business processes and IT controls. Any that are likely to be relevant to an audit of your customers’ financial statements are documented in the report.

    There are two types of SOC reports: Type 1 reports test the design of your organization’s controls as of a certain date. Type 2 reports test whether your controls are properly designed, in place and documented, and also provide an opinion on operating effectiveness over a set time period (usually 12 months).

  • SOC 2

    These reports concentrate on five Trust Services Principles: security, availability, processing integrity, confidentiality and privacy. SOC 2’s requirements allow data providers to decide how they want to meet the criteria. This flexibility means SOC 2 reports are unique to each company, and makes the choice of auditor particularly important. You need to choose an audit team with a deep understanding of SOC controls and best practices. SOC 2 reports may be shared under an NDA with the organization’s management, regulators or select other parties.

  • SOC 3

    SOC 3 reports are similar to SOC 2 reports in that they examine the same five Trust Services Principles, but the results of the audit are publicly available.

  • SOC Readiness Assessments

    These assessments provide an overview of your organization’s preparedness for a successful SOC 1, 2, 3 or Cybersecurity audit. At the end of the assessment, our experts will let you know which identified control gaps or observations need to be addressed and remediated in order for your SOC audit to be successful.

What Our Clients Say

PBMares brings the knowledge and industry experience necessary to thoroughly evaluate Service and Organization Controls (SOC). They successfully advised our company on control measures needed to satisfactorily comply with SOC audit requirements. PBMares professional services have proven to be a huge enhancement to our compliance program as well as a positive marketing tool for new prospective clients.

Christopher A. Plyler, CPA  – Chief Financial Officer – CREDIT CONTROL CORPORATION

Take Advantage of Our Experience

Our experienced cyber risk professionals have been performing IT audits and risk assessments for 15 years, and unlike standard IT providers, as CPAs and consultants, we have an intimate understanding of your organization’s unique processes and operations. You can rely on us for complete cybersecurity services and solutions tailored to your risk profile and network.

Focusing on Protecting Your Company from Risk?

Certain industries, like financial institutions, are a natural fit for cybersecurity and other risk control services. However, the need for this type of help spans virtually every business including those in construction, government contracting, state and local government, hospitality and not-for-profit.


Antonina K. McAvoy, CISA, CISM, QSA, PCIP

Senior Manager, Cybersecurity & Control Risk Services Team Leader