System and Organization Controls (SOC) Reports

System and Organization Controls (SOC) reports are a suite of reports designed to provide customers and other key stakeholders with insight into the design and operating effectiveness of system-level controls of a service organization or entity-level controls of other organizations.

Your Internal Controls in the Spotlight

The world of SOC reports can be a place of confusion, technical terminology and stringent requirements. It is also an area of growing importance as organizations struggle to meet the growing need from customers for assurance regarding the security, confidentiality and privacy of the information processed by their systems.

From payroll, billing and credit processing companies to insurance and medical claims processors, hosted data centers, cloud computing providers, SaaS providers and internet retailers, organizations are facing increased pressure to provide evidence of adequate controls and safeguards when they host or process data belonging to their customers. In fact, many are even finding that obtaining a SOC report is quickly becoming a contractual requirement for doing business.

The Benefits of a SOC Report

  • Demonstrates a committed investment in mitigating customers’ exposure to risk
  • Builds trust with customers and prospects
  • Validates an organization’s risk management program
  • Affords the opportunity to identify and shore up gaps in an organization’s controls and/or enhance its controls
  • Imparts operational clarity in decision making and resource utilization planning
  • Provides a competitive advantage in a crowded market of service providers
  • Contributes to an organization’s overall brand image

Which SOC Report is Right for Your Organization?



Designed to report on controls at a service organization relevant to a user entity’s internal control over financial reporting.


Designed to report on non-financial controls that are relevant to the security, availability and processing integrity of the systems used by service organizations to process user entities' data.

Can also be used to address the need for assurance on the confidentiality and privacy of the information processed by these systems.


A scaled down version of a SOC 2 report.

Intended to provide “general” information on non-financial controls.


Designed to report on the effectiveness of an entity’s cybersecurity risk management program.


MFA: The Clear Choice for Your SOC Reporting Needs

MFA’s deep audit and assurance knowledge, along with our solid SOC engagement track record, extensive SOX work and IT and internal controls consulting expertise, demonstrate the strength and range of our SOC reporting solutions. The exceptional knowledge base and vast experience amassed over the years put us in the unique position of being a single source for regulatory, technical and operational guidance. When you partner with MFA, you gain access to the input of truly seasoned professionals.

With MFA, It’s More Than Just a Report

At MFA, it’s more than just delivering a SOC report. As part of our comprehensive SOC reporting process, we also strive to identify the root cause of systemic breakdowns and offer our recommendations for practical, pragmatic solutions to improve an organization’s internal controls and operating efficiencies.

The resulting deliverables allow our clients to confidently demonstrate that their infrastructure, applications and processes are appropriately designed and operating effectively, paving the way for them to build trust with their customers.



Michelle Kupka, Audit Partner, (978) 557-5342
Michelle Mackey, Partner – Performance & Controls Practice, (978) 569-2909

