SOC Reports System and Organization Controls


As the use of third-party service providers has grown exponentially in recent years, so has the demand for System and Organization Controls (SOC) auditor examinations and related reports. PKF Mueller’s SOC team has been performing these examinations since their origination in 2011, which now include SOC 1, SOC 2, SOC 3, and most recently, SOC for Cybersecurity reports. PKF Mueller’s dedicated SOC team includes a group of professionals with over 30 years of combined experience in preparing, reviewing, and relying on hundreds of SOC reports. Our team combines financial statement audit, IT audit, cybersecurity audit and internal controls skills with extensive experience across many industries.

SOC Service Offerings

SOC READINESS ASSESSMENTS:  Your big prospect demands a SOC report and you don’t know where to start. PKF Mueller is here to help.  With a SOC readiness assessment you get the benefit of our internal control expertise without the pressure and anxiety of an immediate audit. The PKF Mueller SOC team will work closely with your personnel to document existing controls and identify potential gaps and weaknesses.  Our SOC readiness assessment services will allow you to establish a roadmap to remediate your internal control gaps before the audit begins; providing you with peace of mind and confidence as you undergo your first SOC audit.

SOC 1: Formerly SAS 70, this is an examination of internal controls over financial reporting that is based on AICPA’s guidance for auditors, SSAE 18.  This is intended to be an “auditor to auditor” report.

SOC 2: This is an examination of operational or compliance controls (not solely financial reporting) that is focused on one or more key system attributes of security, availability, processing integrity, confidentiality, and privacy (Trust Services Criteria), depending on what is relevant and important to your customers.  This is intended to be a report from company management to customer management (not auditor to auditor).

SOC 3: These examinations are the same as SOC 2 with the exception that the report does not include management’s detailed description of processes and systems, and the company can place a publicly visible SOC seal on its website with a link to the report on the stated key system attributes of security, availability, processing integrity, confidentiality, and privacy.

SOC FOR CYBERSECURITY: Concerns over cybersecurity  are on the rise in many organizations and there is a growing need for businesses to demonstrate that they are effectively controlling this threat. In 2017, AICPA developed a new cybersecurity risk management reporting framework that helps organizations communicate about and CPAs report on cybersecurity risk management programs.


PKF Mueller utilizes industry-leading engagement workflow software that provides a centralized communication platform that includes secure file transferring. This software allows increased efficiency, tracking, and effectiveness of communication specific to audit flow and requests as well as notifications and dashboards showing engagement progress.

PKF Mueller's SOC Service Values:


  • PKF Mueller’s SOC team is close-knit, specialized, and dedicated. This contributes to many gained efficiencies throughout the different engagements
  • PKF Mueller prides itself on providing the same personnel and team structure from start to finish, year after year
  • Because of the close-knit team, the overall audit approach and methodology is also consistently applied year over year

Collaborative Approach & Continuous Improvement

  • Client facing and interaction focused
  • Entity Risk-Based Approach to meet defined SOC objectives/criteria
  • Constant feedback and communication of best practices
  • Recommendations for improvement throughout the engagements
  • Flexibility to meet Client needs and schedules

National Presence With Local Touch

  • Clients across the United States including California, Texas, Louisiana, and North Carolina to name a few
  • Perform SOC audits ranging from managed security service providers and securities trading platforms to payroll and insurance claims processing organizations
  • Onsite presence available during engagements regardless of location
  • Fully remote engagements also available


  • PKF Mueller performs all scheduling related to planning and final fieldwork of the engagements, on average, 6 months ahead of time
  • At minimum, weekly open item follow ups and updates with clients to ensure timely completion and issuance of SOC reports
  • Interim and final request lists issued, on average, at least 2 months before as of/period end dates


  • Niche established within PKF Mueller when service organization attestation reports first started (SAS 70)
  • Members of the niche are highly focused on performance of SOC audits
  • All members of the SOC niche are Certified Public Accountants (CPAs)
  • Management and above are Certified Information Systems Auditors (CISAs)

Who We Serve

We see that System and Organization Controls examinations are typically relevant to companies that provide outsourced services such as:

  • Payroll Processing
  • Claim Processing
  • Collections Processing
  • Medical Billing
  • Employee Benefit Plan Administrators
  • AR/AP Processing
  • Data Centers
  • Application Hosting Firms
  • Co-location Center Firms
  • Professional-Law & Accounting Firms
  • Managed Security Service Providers (MSSP)
  • Cloud-based Software-as-a-Service (SaaS) Providers


Growing Demand for SOC Audits

Are you spending all of your time completing client security assessments?

As outsourcing to specialty service providers has grown exponentially
in recent years, so has the demand for System and Organization
Controls (SOC) auditor examinations and related reports.
A SOC report is an examination and report over internal controls at a
service organization.

Read More

Podcast: SOC Report Overview, Choosing Your Auditor & The PKF Mueller Approach


You need a SOC examination.

At PKF Mueller, we understand that finding the right SOC audit partner for your Company can be an intimidating process, but it is also an important decision to ensure a successful SOC examination experience and satisfied new and potential clients.

Read More

On Demand Webinar

Nick Padron, RSI Security’s Senior Security Consultant, teamed up with Mueller Partner, Drent Shields, and Audit Manager, Kyle Wehrli, to talk about SOC 2 topics.

Our experts help demystify the entire SOC 2 reporting process so that you can assure your customers and business partners that your data management practices are secure.

Watch On Demand

Our Membership Association

Contact Us For More Information