SOC & Attestation Services

Companies today are increasingly using external service providers to perform key business functions. As a result, there is greater need for transparency in system and organization controls. Warren Averett’s System and Organization Control reports are tailored to ensure external service providers receive the highest level of assurance over the effectiveness of their internal controls. We work with service providers to understand the requirements of their stakeholders and customers to determine the right solution to meet their needs.

Since it is not in the best interest of our clients to have a service organization control examination performed prematurely, we offer Readiness Assessments that assist management in assessing their company’s readiness for an SOC examination.


SOC 1®
SOC for Service Organizations: ICFR

SOC 1 examinations focus solely on a service organization’s controls that are likely to be relevant to their customer’s internal controls over financial reporting. Common examples of service organizations that would be candidates for an SOC 1 include trust departments, payroll processors, retirement recordkeeping services, actuary services, and many others that provide outsourced services for which the controls are relevant to the user’s internal controls related to financial reporting.

SOC 2®
SOC for Service Organizations: Trust Service Criteria

Instead of focusing on financial reporting, SOC 2 examinations follow Trust Services criteria established by the AICPA, which includes security, confidentiality, processing integrity, availability and privacy. SOC 2 reports are required to cover at least one of these Trust Services criteria. These criteria are integrated with the COSO Internal Control – Integrated Framework (2013) principles.


With the increasing pressure to demonstrate the management of threats from cybersecurity, organizations have to be able to show processes and controls related to detection, remediation and recover from such security events. The AICPA has developed this risk management reporting framework, complete with descriptive Criteria that allows senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations’ efforts around protecting against cybersecurity risks.

SOC 3®
SOC for Service Organizations: Trust Services Criteria for General Use Report

Trust Service Criteria for General Use Report Similar to an SOC 2 report, the SOC 3 report addresses one or more of the AICPA Trust Services Principles and criteria related to security, confidentiality, processing integrity, availability, and privacy. An SOC 3 is primarily performed for e-commerce service organizations, such as online retailers, who perform transaction processing over the Internet. The report is a general-use report that usually includes a public seal over the website or software.

Type I – Type I reports describe the service organization’s description of controls at a specific point in time. They do not include any tests of operating effectiveness, making them limited-use reports. They are most commonly used as first year SOC reports.

Type II – Type II SOC reports not only include the system and organization’s description of controls, but they also include tests of operating effectiveness. These reports generally cover a minimum of a six month period (although most are annual reports). The Type II offers the highest form of assurance of the SOC reports.

Meet Our SOC & Attestation Team

Learn more about our team members’ expertise, insights and how we can help you thrive.