Quick Links

Legal & Sitemap

Home > Services > Consulting > SOC Audit

SOC Audit & SOC Compliance

SOC Audit Services Phases Banner

Armanino has extensive experience with Type 1 and Type 2 SOC reports in order to fulfill all your SOC Audit and SOC Compliance needs.

Our Approach

Companies in a wide range of industries—from credit card processing to SaaS—face growing market pressure to prove the quality of their controls. Our service organization control (SOC) assurance services help our clients demonstrate a strong control environment to their customers. 

The word “audit” is too often associated with risk, expense and a significant time commitment from CFOs and finance teams who need to stay focused on driving their business forward. That is why Armanino has invested in a dedicated SOC practice based on methodology designed to ensure your SOC audits are extremely efficient, while adding value.

Our dedicated SOC team provides you with deep expertise and experience—whether you’re a Fortune 1000 company, a newly minted start-up or somewhere in-between. You’ll receive an efficient audit that adheres to our core principles:

  • Transparency: Our customized audit plans provide you with the required assurance over your control environment, while effectively managing your risk through frequent transparent communication.
  • Efficiency: We leverage our many years of SOC experience so you can reduce your internal and external audit costs.
  • Reliability: Our focus on quality and proactive adoption of new audit requirements ensures that your audit report addresses the needs of your clients, their auditors and specific SOC compliance requirements.

Our Services

The standard for outsourced processes includes three separate types of SOC reports that address assurance for service organizations. For each type of report, there is an accepted professional standard under which the audit will be performed. This allows for a common nomenclature when referring to reports going forward while allowing for a more frequent update of the professional standards:

  • SOC 1 Report: This reports on the controls at a service organization relevant to a user entity's internal control over financial reporting. This report is typically used by the service organization’s customers to satisfy Sarbanes-Oxley compliance requirements. This report is performed under the Auditing Standards Board’s Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.
  • SOC 2 Report: This reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. This report is typically used by the service organization’s customers to gain comfort over selected operational controls tested at the service organization. This engagement is performed under the AT 101, Attest Engagements standards.
  • SOC 3 Report: This is a Trust Services Report which essentially covers the same subject matter as SOC 2, but the report does not include the same level of detail as the SOC 2. This report enables the service organization to publish a seal on their website indicating their compliance. This engagement is performed under the AT 101, Attest Engagements standard.


Our approach is designed to ensure your SOC compliance reports are seen as a value-add to your business. Part of that value is ensuring you have answers to some of the frequently asked questions related to SOC reports and SOC readiness.

What are the different types of SOC reports?

See the “Our Services” Tab above.

What are the differences between a Type-1 and Type-2 report?

Type-1 reports describe the service organizations controls at a point in time. This report focuses on the design of the controls to achieve the related control objectives and does not include any testing of the operating effectiveness of those controls. The report includes the service auditor’s opinion, management’s assertion and the description of the system.

Type-2 reports focus on both the design and operating effectiveness of controls over a period of time of at least six months. The report includes all of the information in a Type-1 report with the addition of the auditor’s testing of the operating effectiveness of those controls. From an auditor’s perspective, only the Type-2 report provides assurance over a service organization’s controls relative to its client’s financial transactions.

What are the key differences between the different types of SOC reports?

Applicable Standard


Report Distribution

Report Content



Controls relevant to user entities financial statements (general IT controls and applicable financial controls)

Restricted use report

  • Description of service organization’s system
  • CPA’s opinion on fairness of presentation of the description, suitability of design and in a type 2 report, the operating effectiveness of controls
  • A type 2 report includes a description of the CPA’s tests of controls and results



Controls related to security, availability, processing integrity, confidentiality or privacy

Generally a restricted use report

  • Description of service organization’s system
  • CPA’s opinion on fairness of presentation of the description, suitability of design and in a type 2 report, the operating effectiveness of controls
  • A type 2 report includes a description of the CPA’s tests of controls and results



Controls related to security, availability, processing integrity, confidentiality or privacy

General use report (with a public seal)

  • An unaudited system description used to delineate the boundaries of the system
  • CPA’s opinion on if the entity maintained effective controls over its system
What is a SOC readiness assessment?

A SOC readiness assessment is intended to assist service organizations in determining preparedness for a SOC 1, 2 or 3 audit. It is important to identify any weaknesses that may exist in the control environment in advance of any audit and a readiness assessment will provide time to remediate issues before the audit period. A readiness assessment is a detailed analysis of the current control environment to determine which controls are in place to meet the SOC audit objectives. Through this process, a report of findings and recommendations is generated to assist service organizations in ensuring that the SOC audit process runs as smoothly as possible.

How frequently do service organizations need to undergo a SOC audit?

Generally, service organization’s customers will want a completed SOC audit report at least on an annual basis. It is recommended that service organizations choose a period-end that will allow for a SOC compliance audit to be completed in advance of the majority of their customer’s year-ends. Some clients decide to have a report completed more frequently than annually to coincide with their multiple customers' financial reporting year-end. 

What are some of the benefits for undergoing a SOC audit?
  • Demonstrate a strong control environment to your existing and potential future customers
  • Gain a competitive advantage when seeking to attract new customers
  • Avoid the expense and challenges of responding to multiple audit requests from your customers
  • Identify redundant or ineffective internal controls that could increase cost or risk to your business
  • Support your customers in meeting their regulatory requirements in a proactive manner


Practice Leaders

Liam Collins


Related Experts


COSO Updates ERM Framework for Sustainability Issues

As more companies voluntarily issue sustainability reports, in response to growing interest from investors and lenders, COSO has pro ...

Preparing for SOC Changes

SSAE 18 went into effect on May 1, 2017, and it superseded SSAE 16. SOC Audit Partner Liam Collins reviews the changes, as well as the change to SOC 2 reports beginning December 15, 2018.

Cybersecurity Digital Lock Feature

In the minds of many nonprofit leaders, data breaches are the plague of Fortune 500 companies—or at least the Fortune 500s of the nonprofit world. Yet size ...

Clouds Spelling Hybrid Feature

As companies move to the hybrid cloud, they must make sure their cloud vendors are following secure procedures for the services they provide.

Man Looking At Watch Feature

On July 9, 2015, the FASB officially deferred implementation of the landmark global revenue recognition accounting standard by one year; IASB followed suit on Jul ...

Leveraging SOC Reporting to Build Customer Confidence

SOC compliance requires time and effort, but it also provides an opportunity for service organizations to differentiate themselves in their marketplace.

Blue Locks With Red Lock Unlocked Feature

Cyber attacks happen across all industries, to companies of all sizes. CFOs need to build and maintain an effective cybersecurity strategy to mitigate digital ris ...

Accounting Statement Spreadsheet With Pen Article

Recent FASB guidance simplifies the way private companies account for some intangible assets in a business combination.

FASB Issues ASU on Pushdown Accounting

On November 18, FASB issued Accounting Standards Update (ASU) 2014-17, giving an acquired entity the option to apply pushdown accounting when there is a change-of-control event.

Internal Controls: Make Your List and Check It Twice

Nonprofits that don’t exercise constant vigilance in adhering to internal controls open the door for fraud.

Internal Controls Fight Technology-Related Fraud for Nonprofits

The ability to accept and make online payments and maintain databases with detailed profiles of constituents offers obvious benefits to nonprofits, but it may also be subject to fraud attempts that can dodge your traditi ...


microsoft logo squareMicrosoft Supplier Security and Privacy Assurance (SSPA) Program

The Microsoft SSPA initiative (formerly known as Vendor Privacy Assurance Program compliance) is designed to standardize and strengthen the handling of Microsoft customer, partner, and employee personal information by Microsoft vendors worldwide. Microsoft vendors who collect, store or process customer, partner or employee personal information are required to comply with the program.



Shared Assessments Program LogoShared Assessments Program


As the trusted source in third party risk assurance, the member-driven Shared Assessments Program has been setting the standard in third party risk assessments since 2005. Shared Assessments Program members work together to build and disseminate best practices, building resources that give all third party risk management stakeholders a faster, more rigorous, more efficient means of conducting security, privacy and business resiliency control assessments.


AICPA SOC for Service Organizations LogoAICPA SOC for Service Organizations


The American Institute of Certified Public Accountants (AICPA) provides information to user auditors and service auditors on understanding and performing SOC for service organization engagements.



HITRUST Certification for SOC AuditHITRUST CSF™ Assessor by HITRUST™


Armanino is approved to provide services using the HITRUST CSF™, a comprehensive security framework that addresses the multitude of security, privacy and regulatory challenges facing organizations to comply with healthcare (HIPAA, HITECH), third-party (PCI, COBIT) government (NIST, FTC) and other industry specific regulations and standards.