SOC Audits

Many service organizations depend on the integrity of their control environment to serve and protect their customers and business. Such services have been provided to clients in a number of industries, including application service providers, managed services companies, colocation facilities, network service bureaus, financial institutions, data processing centers, bank trust departments, credit unions, collections agencies, benefit plan administrators, third-party administrators, investment managers, hedge fund accounting services, payroll service bureaus, lockbox operations, and document solution providers.

Moss Adams provides high-quality verification of these control environments through SOC examinations. Engagements of this nature report on the effectiveness of the controls and safeguards in place, providing you with feedback that’s both independent and actionable. Our approach to staffing these audits is to combine industry-focused and seasoned auditors with operational and IT auditors capable of addressing your unique control environment requirements.

Related to our SOC service portfolio, we have extensive experience that includes:

  • SOC pre-audit gap analysis and readiness assessments
  • Coordination among management, user entities, and auditors
  • Coaching and review of client-prepared control objectives and narratives
  • Independent assistance to document client-defined control objectives and narratives
  • SOC 1, SOC 2, and SOC 3 examinations (both Type 1 and 2 audits)
  • SOC 2+ audits, including HIPAA, HITRUST, and the Gramm-Leach-Bliley Act  
  • SOC for Cybersecurity 
  • Dual reporting under AICPA attestation standards and ISAE 3402 for clients involved in international markets
  • Aligning SOC 2 and SOC 3 audits to leverage the Cloud Security Alliance Cloud Control Matrix
  • Conversion from 2014 to 2016 Trust Services Principles and the 2017 Trust Services Criteria for SOC 2 and SOC 3 audits
  • Compliance management by converging SOC, HIPAA, PCI DSS, ISO 27001, and other regulatory requirements
  • Implementation of SSAE No. 18 requirements

In addition, Moss Adams regularly provides thought leadership involving SOC audits. We sit on the AICPA Assurance Services Executive Committee (ASEC); serve on the ASEC Trust/Information Integrity Task Force, which helps update Trust Services Principles and Criteria; and participate in the development of SOC audit guides. We also frequently speak at national conferences on the topic of SOC auditing.


How service organization management can adjust to a new normal and uphold already established trust with their customers through updated SOC reporting.

Learn how a System and Organization Controls (SOC) for Supply Chain Report can help your organization reduce due diligence effort and mitigate risk.

As of December 15, 2018, the new 2017 Trust Services Criteria took effect for SOC 2 examinations. Here’s what companies need to know.

Companies that currently issue an annual System and Organization Controls (SOC) 2 report—or that plan to issue a SOC 2 report in the near future—need to be aware of the changes for any SOC 2 reports issued after December 15, 2018. In our webcast, we’ll cover SOC 2 changes and focus on areas where service organizations can expand their controls to better meet the SOC 2 criteria.

Mitigate cyber threats and build stakeholder confidence with a SOC for Cybersecurity audit.

More and more companies are outsourcing services. Ideally, a third-party vendor would exert the same level of internal controls you would.

Primary Contact