SOC 1, SOC 2, and SOC 3 Audits

SOC Audits

Many service organizations depend on the integrity of their control environment to serve and protect their customers and business. Such services have been provided to clients in a number of industries, including application service providers, managed services companies, colocation facilities, network service bureaus, financial institutions, data processing centers, bank trust departments, credit unions, collections agencies, benefit plan administrators, third-party administrators, investment managers, hedge fund accounting services, payroll service bureaus, lockbox operations, and document solution providers.

Moss Adams provides high-quality verification of these control environments through SOC examinations. Engagements of this nature report on the effectiveness of the controls and safeguards in place, providing you with feedback that’s both independent and actionable. Our approach to staffing these audits is to combine industry-focused and seasoned auditors with operational and IT auditors capable of addressing your unique control environment requirements.

Related to our SOC service portfolio, we have extensive experience that includes:

  • SOC pre-audit gap analysis and readiness assessments
  • Coordination among management, user entities, and auditors
  • Coaching and review of client-prepared control objectives and narratives
  • Independent assistance to document client-defined control objectives and narratives
  • SOC 1, SOC 2, and SOC 3 examinations (both Type 1 and 2 audits)
  • SOC 2+ audits, including HIPAA, HITRUST, and the Gramm-Leach-Bliley Act
  • SOC for Cybersecurity
  • Dual reporting under AICPA attestation standards and ISAE 3402 for clients involved in international markets
  • Aligning SOC 2 and SOC 3 audits to leverage the Cloud Security Alliance Cloud Control Matrix
  • Conversion from 2014 to 2016 Trust Services Principles and the 2017 Trust Services Criteria for SOC 2 and SOC 3 audits
  • Compliance management by converging SOC, HIPAA, PCI DSS, ISO 27001, and other regulatory requirements
  • Implementation of SSAE No. 18 requirements

In addition, Moss Adams regularly provides thought leadership involving SOC audits. We sit on the AICPA Assurance Services Executive Committee (ASEC); serve on the ASEC Trust/Information Integrity Task Force, which helps update Trust Services Principles and Criteria; and participate in the development of SOC audit guides. We also frequently speak at national conferences on the topic of SOC auditing.


As of December 15, 2018, the new 2017 Trust Services Criteria took effect for SOC 2 examinations. Here’s what companies need to know.

Companies that currently issue an annual System and Organization Controls (SOC) 2 report—or that plan to issue a SOC 2 report in the near future—need to be aware of the changes for any SOC 2 reports issued after December 15, 2018. In our webcast, we’ll cover SOC 2 changes and focus on areas where service organizations can expand their controls to better meet the SOC 2 criteria.

Mitigate cyber threats and build stakeholder confidence with a SOC for Cybersecurity audit.

More and more companies are outsourcing services. Ideally, a third-party vendor would exert the same level of internal controls you would.

How to Prepare for a SOC Audit
Preparing for a SOC audit doesn’t have to be daunting or time consuming. During this webcast we will discuss how to determine which report (SOC 1, 2, or 3) and which type is appropriate for your organization, the nature of the controls to promote, the time commitment to anticipate, who should be involved, and how to assemble the requisite documentation.

SOC 2: Success with Implementing the Privacy Principle
Service Organization Control (SOC) 2 reports always contained the option to include the privacy principle, but due to some gaps in the privacy criteria, this principle was often not used by service organizations. The American Institute of Certified Public Accountants recently updated the privacy principle to address feedback and make it widely accessible for the market. Implementation of the updated privacy criteria is effective December 31, 2016, with early implementation permitted. During this panel-style webcast, we explore what’s changed as well as what your organization needs to do to successfully adopt the new privacy principle.
