As the use of third-party service providers has grown exponentially in recent years, so has the demand for System and Organization Controls (SOC) auditor examinations and related reports. PKF Mueller’s SOC team has been performing these examinations since their origination in 2011, which now include SOC 1, SOC 2, SOC 3, and most recently, SOC for Cybersecurity reports. PKF Mueller’s dedicated SOC team includes a group of professionals with over 30 years of combined experience in preparing, reviewing, and relying on hundreds of SOC reports. Our team combines financial statement audit, IT audit, cybersecurity audit and internal controls skills with extensive experience across many industries.
SOC Service Offerings
SOC READINESS ASSESSMENTS: Your big prospect demands a SOC report and you don’t know where to start. PKF Mueller is here to help. With a SOC readiness assessment you get the benefit of our internal control expertise without the pressure and anxiety of an immediate audit. The PKF Mueller SOC team will work closely with your personnel to document existing controls and identify potential gaps and weaknesses. Our SOC readiness assessment services will allow you to establish a roadmap to remediate your internal control gaps before the audit begins, providing you with peace of mind and confidence as you undergo your first SOC audit.
SOC 1: Formerly SAS 70, this is an examination of internal controls over financial reporting that is based on AICPA’s guidance for auditors, SSAE 18. This is intended to be an “auditor to auditor” report.
SOC 2: This is an examination of operational or compliance controls (not solely financial reporting) that is focused on one or more key system attributes of security, availability, processing integrity, confidentiality, and privacy (Trust Services Criteria), depending on what is relevant and important to your customers. This is intended to be a report from company management to customer management (not auditor to auditor).
SOC 3: These examinations are the same as SOC 2 with the exception that the report does not include management’s detailed description of processes and systems, and the company can place a publicly visible SOC seal on its website with a link to the report on the stated key system attributes of security, availability, processing integrity, confidentiality, and privacy.
SOC FOR CYBERSECURITY: Concerns over cybersecurity are on the rise in many organizations and there is a growing need for businesses to demonstrate that they are effectively controlling this threat. In 2017, AICPA developed a new cybersecurity risk management reporting framework that helps organizations communicate about and CPAs report on cybersecurity risk management programs.
PKF Mueller utilizes industry-leading engagement workflow software that provides a centralized communication platform with secure file transfer. The software increases the efficiency, tracking, and effectiveness of communication specific to audit flow and requests, and provides notifications and dashboards showing engagement progress.
PKF Mueller's SOC Service Values:
- PKF Mueller’s SOC team is close-knit, specialized, and dedicated. This contributes to many gained efficiencies throughout the different engagements
- PKF Mueller prides itself on providing the same personnel and team structure from start to finish, year after year
- Because of the close-knit team, the overall audit approach and methodology is also consistently applied year over year
Collaborative Approach & Continuous Improvement
- Client facing and interaction focused
- Entity Risk-Based Approach to meet defined SOC objectives/criteria
- Constant feedback and communication of best practices
- Recommendations for improvement throughout the engagements
- Flexibility to meet Client needs and schedules
National Presence With Local Touch
- Clients across the United States, including California, Texas, Louisiana, and North Carolina, to name a few
- Perform SOC audits ranging from managed security service providers and securities trading platforms to payroll and insurance claims processing organizations
- Onsite presence available during engagements regardless of location
- Fully remote engagements also available
- PKF Mueller performs all scheduling related to planning and final fieldwork of the engagements, on average, 6 months ahead of time
- At minimum, weekly open item follow ups and updates with clients to ensure timely completion and issuance of SOC reports
- Interim and final request lists issued, on average, at least 2 months before as of/period end dates
- Niche established within PKF Mueller when service organization attestation reports first started (SAS 70)
- Members of the niche are highly focused on performance of SOC audits
- All members of the SOC niche are Certified Public Accountants (CPAs)
- Management and above are Certified Information Systems Auditors (CISAs)
Who We Serve
We see that System and Organization Controls examinations are typically relevant to companies that provide outsourced services such as:
- Payroll Processing
- Claim Processing
- Collections Processing
- Medical Billing
- Employee Benefit Plan Administrators
- AR/AP Processing
- Data Centers
- Application Hosting Firms
- Co-location Center Firms
- Professional-Law & Accounting Firms
- Managed Security Service Providers (MSSP)
- Cloud-based Software-as-a-Service (SaaS) Providers
Our Membership Association