System and Organization Controls (SOC) Reporting Services

Build trust and transparency with your clients…

System and Organization Controls (SOC) Reports

Is your organization demonstrating its commitment to maintain effective internal controls and safeguards to protect not only yourself but your customers?Outsourced services users and their auditors increasingly are requesting more information than ever before about the effectiveness of controls at the service organizations they use, or are considering using, for outsourced business functions.

Using the BRCCPA’s various System and Organization Control Report offerings, BRC can provide assurance reports that provide your users the valuable information they need to assess and address the risks associated with the outsourced services you provide, helping build trust and transparency.

BRC deploys multidisciplinary teams composed of licensed CPAs and information technology and security specialists to ensure a comprehensive and thorough evaluation of controls related to the services you provide.

Cloud Computing. Outsourced Functions. Competition. Cybersecurity. Compliance.

What are System and Organization Control Reports?

System and Organization Control Reports are internal control reports, which independent CPAs provide, on the services a service organization provides.

Why are they useful?

• Useful for evaluating the effectiveness of controls related to the services performed by a service organization
• Appropriate for understanding how the service organization maintains oversight over third parties that provide services to customers
• Help reduce compliance burden by providing one report that addresses the shared needs of multiple users
• Enhances the ability to obtain and retain customers

Which SOC Reports does BRC provide?


Why Choose BRC CPA?  Education, Experience, and Expertise.

The education, experience and expertise of the BRC Team position them as the  premier providers of System and Organization Report services.

  • Knowledge of relevant IT systems and technology, including mainframes, networking, firewalls, network management systems, security protocols and operating systems
  • Understanding of IT processes and controls, such as management of operating systems, networking and virtualization software and related security techniques; security principles and concepts; software development; and incident management and information risk management
  • Experience with common security and cybersecurity publications and frameworks
  • Expertise in evaluating processes, control effectiveness and providing advisory and assurance services relating to these matters
  • Multidisciplinary teams that incorporate certified information security professionals such as Certified Information Systems Security Professionals (CISSP), Certified Information Systems Auditors (CISA) and Certified Information Technology Professionals (CITP®)
  • Proficiency in measuring performance against established criteria, applying appropriate procedures for evaluating against those criteria and reporting results
  • Strict adherence to service-specific professional standards, professional code of conduct and quality control requirements
  • Holistic understanding of entity’s industry and business, including whether the industry in which the entity operates is subject to specific types of or unusual cybersecurity risks and uses specific industry technology systems
  • Objectivity, credibility and integrity
  • Independence, professional skepticism and commitment to quality
  • Strong analytical skills
  • International perspective for global organizations

SOC Report Comparison:

Who Are the Users



SOC 1*

Users’ controller’s office and user auditors Audits of f/s Controls relevant to user

Financial reporting

SOC 2*




GRC programs


Due diligence

Concerns regarding security, availability, processing integrity, confidentiality or privacy

SOC 3*

Any user with need for confidence in service organization’s controls Marketing purposes;

detail not needed

Easy-to-read report on controls


Which SOC Report is Right for You?

Will report be used by your customers and their auditors to plan/perform an audit of their financial statements?

Will report be used by customers/stakeholders to gain confidence and place trust in a service organization's system?

SOC 2* or SOC 3* Report

Do you need to make report generally available?


Download Information Summary Sheet

Ben Hunter

Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM

Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]