System & Organization Controls

System & Organization Controls

BMSS has considerable experience completing annual System and Organization Controls (SOC) reports. Formerly known as SAS 70 reports, SOC reports provide a framework for CPAs to examine controls and help management understand the related risks of outsourcing to a service provider. Building trust with customers and prospects is one of the many ways to benefit from an SOC report. The SOC engagement provides a “look under the hood” for the current or prospective user who typically uses multiple outside service providers and cannot audit each one. Companies benefit from the assurance that an SOC report provides, particularly if they rely on storing, processing or transferring private and confidential information. Having an outside review provides company management with the peace of mind to know that their controls and activities are functioning as expected.

Download Brochure

How We Serve

  • Perform SOC engagement so clients can propose on large opportunities
  • Guide clients from an SOC Type 1 report to a Type 2 report
  • Provide clients with examples and SOC case studies relevant to their industry
  • Consult prior to SOC testing to identify gaps in need of correction
  • Provide clients with a control matrix to aid in organizing control descriptions

SOC Report Comparison

  • SOC 1 reports on internal controls over financial reporting are used by management and user auditors.
  • SOC 2 reports on security, availability, processing integrity, confidentiality or privacy controls are used by management, regulators and others.
  • SOC 3 reports on security, availability, processing integrity, confidentiality or privacy controls are publicly available to anyone.


Our team members have been performing SOC engagements for more than 15 years.


Did You Know?

Public companies, which must answer to both investors and regulators, may be more likely to engage a service provider if the service provider has met the rigors of the SOC process.

Typically, an SOC report is applicable to companies providing outsourced services to user entities such as SaaS providers, payroll companies, benefits administrators, trust companies/administrators, claims processors, outsourced IT departments, application service providers, etc.

Service Relationships

  • BDO SOC Roundtable
  • Alabama Society of Certified Public Accountants
  • American Institute of Certified Public Accountants
  • Information Systems Audit and Control Association (ISACA)

Thought Leadership