SOC Examinations

SOC Examinations Banner

McKonly & Asbury works with clients in all aspects of SSAE 18 SOC 1, SOC 2 and SOC 3 examinations.  McKonly & Asbury provides our clients with a comprehensive suite of services from pre-assessment/examination readiness, through the issuance of the service organization controls report. These comprehensive services provide our clients with the tools necessary to complete a SSAE 18 SOC 1, SOC 2 and SOC 3 examinations.

SOC 1 Examinations

SOC 1 Examinations are focused on service organizations reporting on controls relevant to internal control over financial reporting.  Service organizations reporting on controls relevant to internal control over financial reporting are required to have SOC 1 examinations performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). SSAE 18, like its predecessor SAS 70, provides two types for SOC 1 reports.

Service organizations that would typically receive a SSAE 18 SOC 1 report consist of third party service providers, insurance companies,  payroll and benefits processors as well as trust departments.  In addition, any service organization that provides services to customers that directly impact the customers internal controls relevant to financial reporting. Service organizations should evaluate their needs along with their customers reporting needs prior to determining the type of SOC report that is applicable to their needs.

SOC 1 Type I
SOC 1 Type II

SOC 2 Examinations

SOC 2 and SOC 3 reports are conducted in accordance with AT Section 101 and utilize the AIPCA audit guide. SOC 2 and SOC 3 examinations are used for service organizations that are reporting on controls that are not deemed to be relevant to the user entity’s internal control over financial reporting.  SOC 2 and SOC 3 reports are attestation examinations that require the service organization’s controls meet the specified Trust Service Principles as defined by the AICPA. The AICPA has defined five separate trust services principles: Security, Availability, Processing Integrity, Confidentiality or Privacy. The AIPCA has also set forth specific trust services criteria within each principle for which the service organization’s controls must meet in order to satisfy the principle. Service Organizations receiving a SOC 2 or SOC 3 can determine the scope of their SOC report by determining the trust principles that apply to them based on the services provided to their customers.

SOC 2 Type I
SOC 2 Type II
SOC 3 Examinations

A SOC 3 report is also performed in accordance with AT Section 101 using the Trust Services Principles issued and published by the AICPA. The SOC 3 examinations are performed under the same standards as the SOC 2 examinations with the primary difference being that SOC 2 reports are restricted use reports and SOC 3 are general use reports. SOC 3 Reports can be freely distributed by the service organization and the organization can post a SOC 3 seal on their website indicating the SOC 3 report has been completed.

Service organizations that would typically receive a SOC 2 or SOC 3 report consist of datacenters, software development companies, cloud computing and data and application hosting companies.


For more information concerning the SSAE 18 SOC 1, SOC 2 or SOC 3 examinations and pre-assessment services provided by McKonly & Asbury use our contact page to reach Michael Hoffner, Partner and leader of our SSAE 16 Service Organization Controls (SOC).