GRC

SOC Examinations

Clear, thorough, and cooperative SOC examinations.

Provide a higher level of confidence to clients and prospects with one of the System and Organization Controls (SOC) examinations (formerly Service Organization Controls). With a clear, thorough, and collaborative approach, experienced auditors consult with clients and document processes that adhere to the guidelines for the various types of SOC examinations. A SOC examination allows clients to project confidence and provide independent assurance to current customers, prospects, and their financial statement auditors that processes and controls are sound.

SOC for Service Organizations

These internal control reports provide valuable information that users of outsourced services need to assess and respond to the risks associated with services provided by service organizations.

Key issues like security, availability, confidentiality, processing integrity, and privacy are reviewed and documented.

  • SOC 1: SOC for Service Organizations – Internal Control over Financial Reporting. The performance and reporting requirements for an examination of controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting.
  • SOC 2: SOC for Service Organizations – Trust Services Criteria. The performance and reporting requirements for an examination of controls at a service organization relevant to one or more of the following principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
    • SOC 2 for HITRUST: Designed for service organizations that desire to use the SOC 2 reporting framework to leverage both the SOC 2 Trust Services Principles and the HITRUST Common Security Framework (CSF). See our other HITRUST Services.
  • SOC 3: SOC for Service Organizations – Trust Services Criteria for General Use Report. The performance and reporting requirements for an examination of controls at a service organization relevant to one or more of the following principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy, resulting in a general use report.

SOC for Cybersecurity

The performance and reporting requirements for an examination of an entity’s cybersecurity risk management program and related controls based on the AICPA cybersecurity reporting framework. The SOC for Cybersecurity report provides information to a broad range of stakeholders. See our other Cybersecurity Services.

SOC for Vendor Supply Chains - Coming soon!

The SOC for Vendor Supply Chains will provide customers of manufacturing and distribution companies an understanding of the cybersecurity risks in their supply chain. This reporting framework will be released in early 2018.

Featured Expertise

Robert D. Cedergren, CPA, CGMA, CITP, CISA, CISSP, CISM, CGEIT, CCSFP

Bob is the leader of Wipfli’s risk advisory services practice. Leveraging his 20+ years of experience, Bob provides consulting services to clients in the areas of risk management and is a frequent speaker and author on risk management-related topics including risk assessments, business continuity planning, and management of internal controls.

Kenneth P. Demerath, CPA

Ken's area of expertise is in financial institutions and service organizations. He leverages over 30 years of experience when providing SOC examinations, operational reviews, and other services for clients.

Torpey White, CPA, CITP, CISA, CGMA

Torpey has more than 25 years of experience in public accounting and the private sector. He applies his extensive experience in risk advisory services to assist clients in protecting and tailoring their business environment to mitigate risk, identify trends, increase efficiencies, and gain a competitive advantage.

Featured Insight

The Business Associate's Path to SOC 2 + HITRUST CSF Certification

SOC 2 and HITRUST CSF fit well together. By obtaining both, organizations reduce the inefficiencies and costs associated with multiple reporting requirements. Learn more by downloading this whitepaper.

Featured Insight

Verify Third-Party Security: The Role of SOC 2 Reports

SOC 2 reports are intended to meet the needs of a broad range of users who need information and assurance about the controls designed and implemented at third-party vendors.