Service Organization Controls (SOC I, SOC II, and SOC III)

Triangle Graphic

The outsourcing of core and non-core functions to third party service providers is helping businesses increase their efficiency and profitability. With this, the growing concern over enterprise risks that are difficult to identify, manage, and monitor has prompted organizations to require third parties provide them with Service Organization Control (SOC 1, 2, or 3) reports. These reports are intended to help organizations understand the internal controls present at third party service providers.

Tevora’s consultants provide extensive security knowledge and have the ability to test against both strategic and technical concepts to ensure your SOC report is defensible and accurate.

Reports include:


SOC 1 reports follow the guidance from AICPA’s statement on Standards for Attestation Engagements No. 18 (SSAE 18, formerly SSAE 16). They focus solely on controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting and are potentially used in an audit of a user entity’s financial statements.


SOC 2 reports follow AT Section 101. They address controls at a service organization related to the Trust Service Principles (TSPs) of security, availability, processing integrity, confidentiality, and/or privacy.


SOC 3 reports address the same subject matter as SOC 2 reports but the use of these reports is not restricted. These reports may be used by anyone and can be posted on a website under a seal. To allow for public use the report is typically redacted to remove any proprietary and/or confidential information.

We do this through a three-phased approach:

1. Readiness Assessment

Establishes the scope of the attestation, evaluates the current-state verses to-be state, and provides treatment recommendations.

2. Remediation

Whether it is writing security policies, implementing the security controls or provide business process reengineering recommendations, we partner with you to ensure the right controls and processes are in place to be successful.

3. Attestation and Reporting

Tevora Consultants will assess adherence to the SOC control requirements and work with you to ensure the report reflects the right system boundaries, tone, design and implementation of processes.