SOC and attestation report services
Increase customer trust
Better respond to and meet the expectations of entities. Coalfire Controls – a fully licensed, accredited CPA firm and affiliate of Coalfire – can help you examine and report on controls.
Demonstrate your commitment to security
A System and Organization Controls report (SOC 1, 2, or 3) is a widely recognized examination that helps promote trust and confidence in your organization’s security and financial controls performance. SOC reports conform to the guidance prescribed by the American Institute of CPAs (AICPA) Statement on Standards for Attestation Engagements (SSAE). Coalfire is uniquely qualified to help organizations build an internal controls environment that complies with the requirements of the SOC examination. Our methodology involves assigning experienced SOC advisors and auditors based on your organization’s industry, services, size, and locations.
SOC assessment services
Readiness assessments
During a readiness assessment, we dive into the intricacies of SOC reporting and help you determine any gaps that need to be remediated prior to pursuing your SOC attestation.
SOC 1
A SOC 1 attestation focuses on controls and processes that could impact a company’s financial reporting. If your system or services impact your customer's financial statements or internal controls over financial reporting, then the SOC 1 attestation may be right for your organization.
SOC 2
SOC 2 is an attestation that addresses a service organization’s system controls related to the AICPA’s Trust Service Categories (TSCs) of security, availability, processing integrity of a system, or the confidentiality or privacy of the information processed by that system.
SOC 3
SOC 3 is a redacted SOC 2 Type 2 report that removes any proprietary and/or confidential information so it can be made publicly available. It is often utilized as marketing collateral.
Other frameworks (SOC + reports)
Leveraging our expertise across a wide variety of frameworks and Compliance Essentials, we can examine and report on controls, including SOC 1, SOC 2, SOC 3, CSA STAR, and C5 attestations, alongside other efforts to reduce audit fatigue and provide a combined report.
Other attestation services
In addition to SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and SOC for Supply Chain, we provide support for the following attestations:
- Cloud Security Alliance’s Security Trust & Assurance Registry (CSA STAR) attestation
- C5 attestation
- Microsoft SSPA
- Agreed-upon procedures: For other subject matter, we can issue reports based on agreed-upon procedures under SSAE standards.
SOC advisory services
Core documentation construction
We meet with your governance, risk, operations, and compliance teams to determine the required artifacts related to SOC attestation.
Policy and procedure development
We augment your organization’s internal process owners to establish appropriate policies and procedures that meet security or privacy control objectives within your internal control environment, as appropriate.
Risk assessment
We define the objectives within your in-scope system to perform a risk analysis.
Internal audit
We execute an independent, periodic internal audit against the security or privacy requirements and deliver an internal audit plan and report.
Governance review
After the completion of the risk assessment and internal audit inputs, we facilitate the resulting governance review with senior and operations management personnel who are key interested parties to the program’s establishment.
External audit support
We help your organization identify and select an accredited CPA firm that will assess your organization against in-scope requirements.
What can you expect from our SOC compliance services?
Deep expertise
We have more than 20 years of cybersecurity and service compliance expertise, assessing more than 2,000 organizations and completing more than 400 SOC assessments annually.
Focused team
Our dedicated team of SOC specialists ensures we provide the best guidance to handle the most complex scenarios.
Proficient in cloud security
We work with the industry’s largest cloud service providers (e.g., Google, Amazon, IBM, Microsoft), and 75% of our SOC engagements are facilitated for cloud service providers (e.g., SaaS, IaaS, PaaS).
Industry leaders
We are a member of the AICPA Peer Review Program and hold a role in the Colorado Society of Certified Public Accountants.
Compliance Essentials
By coordinating assessments across more than 50 compliance frameworks, you can eliminate duplicate activities and maintain a state of continuous compliance with Compliance Essentials.
Frequently asked questions about SOC compliance
What is Type 1?
We conduct a formalized SOC examination and report on the suitability of design and implementation of controls as of a point in time. This is a starting point for demonstrating controls.
What is Type 2?
We conduct a formalized SOC examination and report on the suitability of design and operating effectiveness of controls over time (typically at least six months). SOC Type 2 reports are commonly required by customers to ensure entities maintain controls that support their security and trust requirements.
Can Coalfire Controls help with Coalfire Advisory services to attest my SOC program?
Independence must be maintained by your SOC auditor. For specific questions, please discuss this with your engagement team.
What is a SOC for Cybersecurity?
This SOC report on an entity’s cybersecurity risk management program is meant for investors, boards of directors, and senior management.
How long should I expect to take to stand up my SOC program and receive attestation?
Coalfire SOC advisory has an experienced team that can work in tandem with client needs to expedite SOC readiness. Typically, our engagements take six to nine months for completion (if all advisory pillars of work are selected).
What is a SOC for Supply Chain?
To help entities better assess and manage supply chain risk, this examination and SOC report can provide an audited track record for customers, business partners, and other interested parties to show an entity’s commitment to these stakeholders.
Since I already have a CSA STAR attestation, how quickly can I upgrade to version 4.0?
Our advisory team can perform an assessment for you within a gap analysis and provide a roadmap for short-term uplift to version 4.0.
Contact us today for your SOC assessment services needs.
Let us help you discover the right services and solutions to drive your business forward and achieve your goals. We're here and ready to assist.