Service Organization Control

Service Organization Control

BMSS has considerable experience completing annual System of Organization Control (SOC) reports. Formerly known as SAS 70 reports, SOC reports provide a framework for CPAs to examine controls and help management understand the related risks of outsourcing to a service provider. Building trust with customers and prospects is one of the many ways to benefit from a SOC report. The SOC engagement provides a “look under the hood” for the current or prospective user who typically uses multiple outside service providers and cannot audit each one. Companies benefit from the assurance that a SOC report provides, particularly if they rely on storing, processing or transferring private and confidential information. Having an outside review provides company management with the peace of mind to know that their controls and activities are functioning as expected.

Download Brochure

Industry News

  • BMSS Joins Forces with Hall Albright Garrison & Barnes
  • Update - Opportunity Zones
  • BMSS Employees Serve Local Community in Annual Initiative
Service Organization Control News

Our Services

  • Perform SOC engagement with a tight deadline so clients can propose on large opportunities
  • Guide clients from a SOC Type report to a Type 2 report
  • Provide clients with examples and SOC case studies relevant to their industry
  • Consult prior to SOC testing to identify gaps in need of correction
  • Provide clients with a control matrix to aid in organizing control descriptions

SOC Report Comparison

  • SOC 1 which reports on internal controls over financial reporting and is used by user auditors & users' controller's offices
  • SOC 2 which reports on security, availability, processing integrity, confidentiality, or privacy controls and is used by management, regulators, and others, shared under NDA
  • SOC 3 which reports on security, availability, processing integrity, confidentiality, or privacy controls and is publicly available to anyone


Our team members have been performing SOC (formerly known as SAS 70) engagements for more than 15 years.

Public companies, which must answer to both investors and regulators, may be more likely to engage a service provider if the service provider has met the rigors of the SOC process.

Professional Relationships with BMSS

  • BDO SOC Roundtable
  • Alabama Society of CPAs (ASCPA)
  • American Institute of CPAs (AICPA)
  • Information Systems Audit and Control Association (ISACA)

Thought Leadership