System and Organization Controls (SOC) Reporting

Gain the customer trust you need to grow your business with SOC reporting from Aprio

SOC 1, SOC 2 and SOC 3 examinations and other attestation-related services leverage the high audit standards of the AICPA to provide trust and confidence in your business. Partner with Aprio to get the right SOC reporting for what’s next.

Schedule a Consultation

Brett Williams


National Partner, Information Assurance Services Leader,
SOC Reporting Leader


IAS Leadership

Powell Jones , CISA, CCSFP   

Information Assurance Services | Assurance Partner, Aprio LLP

(770) 353-3157

Dan Schroeder , CPA, CISA, CRISC, CIPP/IT, PCI-QSA   

Information Assurance Services Leader | Assurance Partner, Aprio LLP

SOC reporting at a glance

Increasingly, organizations that outsource critical functions are asking for System and Organization Control (SOC) reports to better understand the service provider’s information systems and processes. The flexibility and complexity of the SOC reporting architecture can create confusion for first time reporters, mature businesses and even larger prospective customers.

Aprio’s Information Assurance team leverages 100+ years of combined experience to clarify your options and make sure you achieve the right reporting to grow your business with confidence. Here’s a quick snapshot of the various types of SOC reports, their purpose, duration, who needs them and their estimated cost. The pricing in the table below is based on the typical SOC scope of work. Cost can vary based on scope or circumstance.

 Report Type Report
Length of Report  Common
 Average # of Controls Type I
Type II
SOC 1 

Demonstrates how your control environment affects your customer’s financial reporting.

This is not over your financial reporting but your customers.

6-12 months  Managed Services affecting customer financial statements – Payroll, Mortgage Processors, Real Estate Management and Broker/Dealers  25-40   Varies – Typically $15K-$25K Varies – Typically $30K-$40K  
 SOC 2  Covers data Security, but also can cover Availability, Confidentiality, Processing Integrity and Privacy.  3-12 Months SaaS – Technology companies hosting / with access to customer data  50-60 for Security, Availability and Confidentiality (Most Common Trust Categories)  Varies – Typically $15K- $30K  Varies –Typically $35K -$45K 
 SOC 3 Short Form SOC 2 Report usually provided if proprietary information from SOC 2.   3-12 Months  SaaS – Technology companies hosting / with access to customer data  50-60 for Security, Availability and Confidentiality (Most Common Trust Categories) Minimal – Usually $2K- $3K over the cost of the SOC 2 Report   Minimal – Usually $3K-$5K over the cost of the SOC 2 Report

Other attestation options

Agreed Upon Procedures (AUP) –A company will typically work with another company to come up with a set of “agreed upon procedures” that the auditor will perform. These procedures can cover most topics as long as the procedures can be objectively performed by the auditor. An AUP is often used to demonstrate compliance over a scope smaller or different than what might be covered by a particular SOC report.

SOC for Supply Chain – SOC for Supply Chain is the most recent SOC reporting option. This report is designed to provide relevant information to organizations up and down the supply chain and is specifically designed for companies seeking to manage supply chain risks. This report is not limited to service providers and can be adopted by organizations up and down the supply chain.

SOC for Cybersecurity – SOC for Cybersecurity is another SOC reporting option. This report includes a description of your cybersecurity risk management program. This report is not limited to service providers and can be adopted by any organization even to report just internally. SOC for Cybersecurity includes the SOC 2 framework in addition to other more in-depth criteria.

Type I vs Type II

Each of these reports have the option of a Type I and a Type II. The Type I report is a point-in-time report. The Type II report covers a period-of-time, and often in the first year, covers a 6-month period moving to a 12-month period in subsequent years. Typically, you do not see SOC 1 Type II reports shorter than 6 months and SOC 2 Type II reports shorter than 3 months in the first year receiving a SOC report. If you are not in a rush, there is usually no reason to get a Type I report other than cost, but most customers expect to see a Type II report.

  Report it applies to Duration Example Duration Cost
Type I SOC 1, 2 and 3 Point-in-Time As of June 30, 20XX Less cost than a Type II. Only tests the controls at a
point-in-time, so less documentation is required.
Type II SOC 1, 2 and 3 Period-of-Time For the Period of January 1, 20XX
to June 30, 20XX 
More costly than Type I. The auditor tests controls throughout the period which means more samples and documentation required from you. 

Readiness assessment

A readiness assessment, or gap assessment, is often performed prior to obtaining your first SOC report. Through facilitated meetings, Aprio will help you identify “what you don’t know.” This includes helping you identify what controls should be in place to meet the SOC reporting requirements and the controls that still need to be put in place to fill “Design Gaps.”

Once completed we give your team a “To Do List” that includes what will be required for the audit, so that your team can effectively prepare the required documentation.

A common second phase of a readiness assessment is the “Test-of-One” where Aprio performs testing, as if it was performing an audit, to verify that your team has the correct level of documentation to pass the audit. If not, additional gaps might be identified during the audit, which could leave your team scrambling to try and produce something to pass the audit. The “Test-of-One" helps to take much of the documentation guess work out of the SOC audit.

Aprio’s SOC reporting processes

Aprio has developed standardized processes for both SOC 2 Type I and SOC 2 Type II. These processes are supported by a formal methodology and proprietary technology and designed to deliver efficiency and quality reporting.

SOC 2, Type I Approach

Phase I


Phase II

Scoping (Design)

Phase III

Testing (Test-of-One)

Phase IV

Issuance of
SOC 2 Type 1 Report

SOC 2, Type II Approach

Phase I

Planning, Scoping and
Design Meeting

Phase II

Perform Observation

Phase III

Perform Population

Phase IV

Issue SOC 2,
Type II Report

Information Assurance



Currently there are no articles for this topic. Please check back soon.

Downloadable Material

Get the right SOC report for what’s next

Schedule a Consultation