System and Organization Control (SOC) reports are intended to help organizations understand the internal controls present at third party service providers. With growing frequency, companies are asking their service providers for an independent assessment of the integrity of the systems the provider is using to protect the organization’s data and financial reporting processes. SOC reports are a common method for service providers to give their customers the assurances they seek. 

SOC reports are issued by public accounting firms in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) promulgated by the American Institute of Certified Public Accountants (AICPA). The reports are designed to provide information on an organization’s internal controls to its existing and prospective customers. SOC reports allow report users to gain confidence in an organization’s service or system by providing a mechanism through which they can evaluate the financial reporting, security, and operational risks and associated controls. 

New to SOC?

We’ve helped many of our clients prepare for their first SOC report as well as transition between different types of SOC reports. Our SOC readiness services follow a well-defined process of facilitating discussion to help you identify and understand a solution scaled to your organization. These initial steps will include mapping existing controls to objectives or criteria, identifying control gaps, and recommending appropriate steps for remediation. We believe that a thorough readiness assessment is one of the keys to a successful SOC engagement.

SOC Process and Timing

Obtaining an annual SOC report should not be a painful experience! Our team has substantial expertise in scoping services and developing project plans with clarity and efficiency. ​Much of the engagement can be conducted remotely and will be designed around your own schedule. 

We start by identifying areas of focus and risk, interviewing key members of management, and developing a thorough understanding of the organization. Our team utilizes a secure project management platform to facilitate collaboration and filesharing as well as establish a workflow of milestones, tasks, and deadlines visible to all project participants. The HoganTaylor SOC process involves four stages: 

  1. Readiness – Assist organizations new to the SOC reporting process with initial planning or getting to know new clients who have had a SOC report before. 
  2. Planning and walkthroughs – Develop a project plan, conduct onsite walkthroughs of controls, and prepare control testing procedures. 
  3. Control testingRequest, sample, inspect, and observe evidence provided for Type 2 reports. 
  4. Reporting Generate and review the report including auditor’s opinion, management’s assertion and system description, and control test results. 



The HITRUST CSF is a framework designed to address security, privacy, and regulatory challenges facing organizations, primarily in the healthcare industry. With HITRUST certified CSF Practitioners on our Risk Assurance team, we are able to issue SOC2 + HITRUST reports covering the AICPA’s Trust Services Criteria and the HITRUST CSF Framework as well as assist your organization with HITRUST readiness and preparedness services.