SOC 2® Compliance Reporting Services

Building Trust with Control Assurance

Gain a competitive edge and provide critical assurance to your clients with a thorough SOC 2® examination that validates the effectiveness of your security, availability, and processing integrity controls.

Demonstrate Your Commitment to Data Security

Understanding SOC 2® Compliance Reporting

Service organizations that host or process customer data, such as SaaS providers, cloud computing vendors, and managed services firms, need to demonstrate robust internal controls over data security. Our specialized team helps you define your control environment, map your systems to the Trust Services Criteria (TSC), and deliver the reliable report your clients and partners require.

What is a SOC 2® Examination?

A SOC 2® examination, performed under the Statement on Standards for Attestation Engagements (SSAE) No. 18, is a rigorous assessment of the controls implemented by a service organization that relate to one or more of the five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. This examination is critical for organizations that handle sensitive customer information. The resulting SOC 2® report provides objective assurance that your service is designed and operating effectively to protect the data of your user entities.

Why Do I Need a SOC 2® Report?

Your SOC 2® report serves as a powerful business differentiator and trust builder, acting as a key to unlocking enterprise contracts where larger organizations mandate such reports as a prerequisite for engagement. By confirming your commitment to safeguarding customer data, the report demonstrates a robust security posture that reduces perceived risk and strengthens client relationships. This centralized verification document streamlines due diligence by eliminating the need to respond to lengthy, repetitive security questionnaires, ultimately providing a distinct competitive advantage that positions your organization as a trusted and secure provider in a crowded market.

Is a SOC 2® Examination Required?

A SOC 2® examination is not mandated by law, but it is typically a contractual or market requirement imposed by your potential and existing clients, particularly those in regulated industries (like finance, healthcare, or government) or large enterprise businesses. Failure to provide a current SOC 2® report often results in lost revenue opportunities.

How Do I Complete a SOC 2® Examination?

Completing a SOC 2® examination requires partnering with a certified CPA firm like Auditwerx. The overall process involves three core phases: Readiness, Testing (Fieldwork), and Reporting. The goal is to define the boundaries of the service being provided, select the relevant TSC, document the controls (System Description), test those controls, and ultimately issue a formal report detailing the findings and opinion.

Test Once, Report Many.

Already Have SOC 1®, PCI, or ISO 27001?

If your organization has already achieved compliance or is working towards compliance with another security framework, you are likely closer to SOC 2® compliance than you think. Reporting on multiple frameworks during one examination can save you time and money.

  • SOC 1® / ISO 27001: Technical controls related to IT operations, physical security, change management, and user access that satisfy SOC 1® requirements or ISO standards can be directly mapped to the mandatory Security criterion (and often Availability and Processing Integrity) in your SOC 2® report.

  • PCI DSS: Controls related to network segmentation, vulnerability management, and restricted access to cardholder data can significantly contribute to satisfying the TSC.

Put Our Experience to Work for You

SOC 2® Report Types: Type 1 vs. Type 2

The type of SOC 2® report you pursue depends on the level of assurance your clients require. We guide you in selecting the appropriate report type for your business needs.

Report Type: Type 1

  • Focus of the Examination: Design of Controls

  • Assurance Provided: Opinion on the suitability of the design of controls as of a specified date.

  • Key Use Case: Provides a quick snapshot that controls are properly designed to meet the selected TSC. Often used for first-time reporting.

Report Type: Type 2

  • Focus of the Examination: Design AND Operating Effectiveness

  • Assurance Provided: Opinion on the suitability of the design and the operating effectiveness of controls over a specified period (typically 6 to 12 months).

  • Key Use Case: Provides the highest level of assurance, confirming controls were operational and effective throughout the entire period. This is generally preferred by demanding clients and partners.

Prepare Properly for Your SOC 2® Compliance Report

The Auditwerx SOC 2® Examination Process

Our methodology focuses on clarity and efficiency, ensuring minimal disruption to your daily operations while securing a high-quality report.

Scoping & Control Definition: We work with your management team to define the in-scope services and systems. You will also select the relevant Trust Services Criteria (Security is mandatory; others are optional) for your report. This is documented in the System Description.

Gap Assessment: We perform a preparatory assessment to identify the controls in your current operations and where they meet the selected TSC. Through this process we identify any gaps in your control environment and provide insight into how they may affect your assessment.

Report Type Selection: We guide you in selecting the appropriate report type: Type 1 (control design as of a date) or Type 2 (operating effectiveness over a period of time).

Evidence Collection: Our team gathers evidence, including policies, procedures, change management logs, and configuration settings, that demonstrate your controls are operating as described.

Control Testing: We test samples of your control activities over the specified period (for a Type 2 report). This involves interviewing key personnel and examining evidence to verify the operating effectiveness of controls against the TSC requirements.

Report Drafting: Our senior team drafts the comprehensive SOC 2® report, which includes your management’s detailed System Description, our independent description of the tests performed, and the results of our testing.

Opinion Issuance: We issue our final opinion on the fairness of the System Description and the suitability (Type 1) or operating effectiveness (Type 2) of the controls. The final report is delivered to you for distribution to your clients and business partners.

Choosing the Right Partner

The Auditwerx Advantage

Choosing Auditwerx for your SOC 2® examination gives you a distinct advantage. Our simple SOC 2® process makes it easy for an organization of any size to build trust with its clients.

Independent Assessment Firm

We are proud to be an independent firm with no conflicts of interest in completing your report.

Actionable Insights

We focus only on controls and evidence that will score points in the final assessment.

One Stop for Quality

Partner with a single firm throughout your entire compliance lifecycle. Our findings are objective and have no conflicts of interest.

U.S. Based Team

Our U.S.-based team of assessment professionals is never outsourced.

Proven Experience

200+ years of collective experience translates to the most efficient path to certification, saving you time and money.

GRC Tool Compatibility

We offer flexible integration with leading GRC tools, so you don't have to duplicate evidence.

Industries Served

Which Industries Need a SOC 2® Report?

The need for a SOC 2® report is driven by the handling of customer data, particularly in a cloud or managed service environment. Any organization that offers a technology service or handles sensitive, non-financial data for clients will likely require a SOC 2®.

SaaS Providers

Companies offering Software-as-a-Service platforms (CRM, HR software, marketing tools, etc.) that host client data in the cloud.

Managed Service Providers (MSPs)

Organizations managing IT infrastructure, cloud environments, or security operations for other companies.

Data Centers & Colocation Facilities

Providers that host the physical and environmental controls for client servers and data.

FinTech

Financial technology companies (excluding those whose core service is ICFR, who may need a SOC 1®) that handle non-financial data like account details, login credentials, or security configurations.

Healthcare Technology

Systems processing patient data that require strong security controls (often combined with the SOC 2®+HIPAA framework).

E-commerce Platforms

Companies providing the infrastructure or back-end services that handle sensitive customer data outside of credit card processing (which is covered by PCI DSS).

Have questions? We can help.

SOC 2® Compliance FAQ

Is a SOC 1® or a SOC 2® report right for me?

This depends entirely on your user entities’ needs:

  • Choose SOC 1® if your service directly impacts your client’s financial reporting (e.g., transaction processing, outsourced accounting).

  • Choose SOC 2® if your service handles sensitive customer data or provides a technology-based service where security, availability, or confidentiality is key (e.g., cloud hosting, managed security).

While a Type 1 report is often the starting point for first-time service organizations, most clients and business partners require a new SOC 2® Type 2 report annually. This annual renewal is necessary to ensure continuous assurance regarding the operating effectiveness of your controls over a specified period.

Yes, except for the Security criterion, which is mandatory. You can select the remaining four (Availability, Processing Integrity, Confidentiality, and Privacy) based on the services you provide, and the assurances required by your clients.

The Security criterion is mandatory. Beyond that, you should select criteria based on client demands and your service commitments:

    • Availability: If you guarantee uptime or minimum service levels.

    • Confidentiality/Privacy: If you handle sensitive proprietary data or Personally Identifiable Information (PII).

    • Processing Integrity: If your service involves complex, mission-critical calculations or transaction processing.

No. The SOC 2® report is a restricted-use document. It contains detailed information about your controls, system, and test results that are only meant for your management, your customers (User Entities), and their financial or security assurance teams. If you need a public report, you should also obtain a SOC 3® report.

SOC 2® Trust Service Criteria

Defining Your SOC 2® Scope: The Trust Services Criteria (TSC)

The Trust Services Criteria (TSC) form the foundational framework for every SOC 2® examination. They define the specific control objectives against which your system’s design and operating effectiveness are assessed. Management is responsible for selecting the TSC that are relevant to the services provided and committed to clients, though Security is always mandatory. The selection process dictates the entire scope of the report and the controls that will be tested.

Security (Mandatory)

The system is protected against unauthorized access (both physical and logical). This is the base criterion required for every SOC 2® examination.

Availability

The system is available for operation and use as committed or agreed. This covers monitoring, disaster recovery, and failover capabilities.

Processing Integrity

System processing is complete, accurate, timely, and authorized. This is critical for systems that handle transactions or data processing.

Confidentiality

Data designated as confidential is protected as committed or agreed. This applies to sensitive company data, intellectual property, and business plans.

Privacy

Personally Identifiable Information (PII) is collected, used, retained, disclosed, and disposed of in conformity with the entity’s commitments and the criteria set forth in the Generally Accepted Privacy Principles (GAPP).

Results You Can Trust

See Why Clients Love Auditwerx

…Both operations and assessment teams executed the engagement flawlessly, on-time and on-budget. The Auditwerx team provided us with the necessary guidance, tools and knowledge...We would highly recommend Auditwerx services to organizations of all sizes and requirement complexities.

...Their team has brought a level of knowledge and professionalism that has been unmatched. Our company is required to undergo a number of assessments annually with various firms and Auditwerx has truly been a pleasure to work with...

...The assessment itself was thorough, but non-disruptive. The team was highly professional and very knowledgeable. We recommend Auditwerx...without reservation.

The Compliance Services You Need

The SOC* Suite of Services

As part of your overall compliance and assurance strategy, we offer examinations for the entire SOC report family. We can help you determine which report is right for your user base, whether they require financial assurance (SOC 1®) or security and operational assurance (SOC 2® and SOC 3®).

SOC Readiness

Identifies control gaps and provides a roadmap before the formal examination begins, saving time and money.

SOC 1® Reporting

Assurance for financial systems like payroll, claims, or loan processing.

SOC 2®+ Reporting

Expands the SOC 2® report to include testing against other compliance frameworks simultaneously.

SOC 3® Reporting

A brief, general-use report that can be publicly distributed (it does not include detailed control testing).

Free Download Available Now

What Kind of SOC* Report Do You Need?

Our handy guide, “Adding it Up: What Type of SOC Report Do I Need?” is a great starting point to determine what kind of SOC report best fits your company’s business and compliance needs.

When you’re ready to speak with an experienced team member about your reporting needs, Auditwerx will be here for you.

When you’re ready to start your PCI compliance journey, our experienced team will be here to walk you through the entire process, from assessment readiness to your final report.
