
System and Organization Controls (SOC) Reporting Services and Internal Controls

If your customers are looking to you for outsourcing of their business processes, they may ask for a current SOC Report. Your customers may also require a SOC Report from you as part of their Sarbanes-Oxley (SOX) compliance program, their system of internal controls, or to meet requirements of governmental or other regulatory bodies. Mueller Prost can provide you with SOC reporting and remediation services that will fulfill this requirement for your clients and prospective clients.

Our process follows standards set by the American Institute of Certified Public Accountants (AICPA), covering relevant frameworks for addressing internal controls over financial reporting, trust services criteria, and cybersecurity. We can also report on compliance with other frameworks and regulations such as NIST, HIPAA, and more, depending on your specific needs.

We bring a level of transparency and consistency to the SOC reporting process, giving you the outside perspective you need to verify your internal processes. It’s an opportunity not only to fulfill your contractual obligations, but also to add credibility to the services you provide to your customers.

We offer a range of SOC reporting services and can work with you to find the report that best meets your needs.

SOC 1 Reports: ICFR Evaluation

SOC 1 Reports are designed for service organizations that handle or store large amounts of financial data. We will evaluate the effectiveness of your Internal Control over Financial Reporting (ICFR) systems and processes. Our report will describe your systems in detail and the results of our tests.

You may elect to restrict the use of these reports to your customers and their CPAs.

Examples of organizations who may use this type of SOC report include:

  • Third-Party Administrators (TPAs)
  • Payroll Service Providers
  • Other Service Organizations That Process or Store Financial Data

SOC 2 Reports: Trust Service Principles

SOC 2 Reports go further, reporting on your ability to meet one or more of the five Trust Service principles: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. You can also add additional frameworks for HIPAA compliance and cybersecurity, including NIST guidance.

You can restrict use of these reports to your customers and others for risk management, corporate governance or regulatory oversight.

Examples of organizations who may use this type of SOC report include:

  • Cloud Computing
  • Software as a Service (SaaS)
  • Software Development Organizations
  • Data / Call Centers
  • Web Hosting / Managed Services Providers

SOC 3 Reports: Third-Party Risks

SOC 3 Reports apply the same framework to evaluating other third-party risks. SOC 3 reports are generally less detailed: they provide background on your organization but may not include detailed information about the specific controls in place. As such, their use is unrestricted. You can share your SOC 3 report with anyone who needs confidence your organization has the right controls in place.
