System and Organization Controls (SOC)

Man leaning on desktop with laptop and charts on desk

If you’re a service provider that processes customer data or hosts their systems, an independent third-party attestation report is more than a requirement of doing business; it’s a vital opportunity to:

Streamline business processes

Build trust and mitigate risk

Comply with regulatory requirements

Developed by the AICPA, Service and Organization Control (SOC) reports (formerly SAS 70) attesting to effective internal controls show customers that you have managed their data securely and with integrity.

Only Certified Public Accountants in good standing can deliver SOC reports. At Anderson ZurMuehlen we are a licensed CPA firm and in good standing with the American Institute of Certified Public Accountants (AICPA).


SOC 1 reports are restricted to service organization management, the service organization’s user entities (its clients), and user entities’ financial auditors. These reports replaced the SAS70 reports as of June 15, 2011. For reports not specifically focused on internal controls over financial reporting, SOC 2 and SOC 3 reports should be used.


SOC 2 reports meet the needs of a number of users for information on security, availability, processing integrity, confidentiality, or privacy. These reports are intended for use by stakeholders (customers, regulators, business partners, and suppliers) that need an in-depth understanding of the service organization and its internal controls structure.


These reports are designed for users who need assurance on controls at the service organization but do not require the depth of information provided in a SOC2 report. Since SOC3 reports are for general use, they can be freely distributed and even posted on the service organization’s website with the appropriate seal.

Wondering if your business should have a SOC report? Contact us for a no obligation consultation to review your unique situation.

Meet the SOC team

Mike Sangray
Mike Sangray, Cyber Security Engineer, CISSP, CISA
Bill Mills
Bill Mills, CPA, Shareholder