System and Organization Controls

SOC stands for System and Organization Controls. We conduct SOC examinations under the AICPA attestation standards (AT-C). We perform four separate SOC engagements:

SOC for Cybersecurity is applicable to all entities and involves an examination of an entity's cybersecurity risk management program and related controls.

SOC 1 is for service organizations and is an examination of controls related to financial reporting. Report distribution is restricted.

SOC 2 is for service organizations and is an examination of controls relevant to security, availability, processing integrity, confidentiality, and privacy. Report distribution is restricted.

SOC 3 is for service organizations and results in an abbreviated report for general use.

A Comparison

A high-level comparison of the SOC suite of attestation engagements follows:

Arnett Carbis Toothman's Cybersecurity Services

Readiness Assessment. Our professionals perform a readiness assessment that evaluates your description, controls, and/or risk management program against a defined framework, such as the applicable trust services criteria or the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The goal is to provide management with observations and recommendations that enhance your description, controls, and/or cybersecurity risk management program and prepare you for an attestation examination and report.

Examination and Reporting. Our professionals complete the SOC for Cybersecurity, SOC 1, SOC 2, or SOC 3 examination and attestation reporting using the criteria of a defined framework; the resulting report can be provided to key stakeholders.

Why Are Controls Important?

Properly operating controls should make it easier to sleep at night: good controls are what sustain businesses and just might prevent a business-ending event.

What Are The Primary Elements of Internal Control?

There are five fundamental components of Internal Control. Their relationship to one another is depicted in the diagram below.


Those charged with governance appreciate the critical interaction of the system elements illustrated in the Systems Elements diagram.


The five elements depicted along the diagram's left side are the foundational components of a control system. Activities such as balancing, reconciling, and verifying are examples of system checkpoints.

As entities continually strive toward their business goals, these elements are in constant interaction with the operating, reporting, and compliance functions.

For users of cloud computing, as an example, the AICPA SOC 1 approach, which tests financial reporting controls, provides little assurance about key controls around the availability, reliability, confidentiality, and integrity of data. Such situations may be better served by an AICPA SOC 2 report. The AICPA SOC 3 report is designed for prospective use and is the only one that can be disclosed widely, even on a company website.

Arnett Carbis Toothman's understanding of these system elements remains foundational to our success in providing examinations for all types of service organizations. The ACT team uses its broad understanding of business processes and its command of technology and security applications to deliver examination reports that are accurate and thorough.

Arnett Carbis Toothman's consulting service teams bring a wealth of experience across multiple industries. Our teams are results-driven and seek long-term solutions to the challenges facing businesses today.

We can help you with one or more of the following services targeted at service organizations:

Contact an ACT Advisor

For more information, contact your Arnett Carbis Toothman advisor or one of these trusted advisors.