Show customers they can
rely on you.

Developed by the AICPA, Service Organization Control (SOC) reports (formerly SAS 70) attesting to effective internal controls show customers you keep their data and systems secure and available. These reports also show customers that you process their transactions with integrity.

Only Certified Public Accountants in good standing can deliver SOC reports, and that’s where we come in. Not only is Perkins an independent third party with extensive SOC reporting expertise, we are a CPA firm licensed with the American Institute of Certified Public Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB).

Sizing up your SOC needs

The good news: Attestation rules and related reports are evolving to address new business and technology trends related to internal controls (e.g., cloud computing, outsourcing, heightened privacy and confidentiality requirements, etc.).

Even better news: We can help you identify and produce the SOC report that fits your needs. Consider issuing or requesting a SOC report if you provide or receive services for:

  1. 01.

    Cloud computing

  2. 02.

    Customer support

  3. 03.

    Enterprise IT outsourcing services

  4. 04.

    Event planning

  5. 05.

    Financial services customer accounting

  6. 06.

    Health care claims, management, & processing

  7. 07.

    Managed security

  8. 08.

    Sales force automation

SOC 1 Report

The SOC 1 Report provides the auditor of a user entity’s financial statements with information about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. A Type 2 SOC 1 Report includes a detailed description of tests of controls performed by the CPA plus results of these tests.

The SOC 1 report is based on the Statement of Standards for Attestation Engagements (SSAE 16). Our methodology and tools follow the standard AICPA Guide—Reporting on Controls at a Service Organization.


Our SOC 1 engagement scope and approach includes:

  1. 01.

    Determining if management’s description of the system is fairly presented

  2. 02.

    Evaluating whether the controls have been implemented through:

    • Discussions with management and specified personnel
    • Reviews of policy and procedure manuals and other system documentation
    • Walk-throughs to observe procedures and controls
  1. 03.

    Determining if the controls meet their stated objective

  2. 04.

    Testing the controls by collecting and reviewing documentation to test the consistent operation of controls over the period under review

  3. 05.

    Obtaining written representation and consideration of management’s assertion

  4. 06.

    Assembling a draft report for management review

  5. 07.

    Issuing the final report

SOC 2 Report

The SOC 2 Report provides management of a service organization, user entities, and others (a) information about controls at a service organization relevant to the security, availability, or processing integrity of the service organization’s system, or (b) the confidentiality and privacy of the data processed by that system.

A Type 2 SOC 2 Report includes a detailed description of tests of controls performed by the CPA and results of the tests.


Our SOC 2 engagement scope includes assessing and reporting on one or more of the following principles and related criteria:

  • Security: the system is protected against unauthorized access (both physical and logistical)
  • Availability: the system is available for operation and use as committed and agreed
  • Process integrity: system processing is complete, accurate, timely, and authorized
  • Confidentiality: information designated as confidential is protected as committed and agreed
  • Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA


  • Policies: the entity has defined and documented its policies relevant to the particular principle
  • Communications: the entity has communicated its defined policies to responsible parties and authorized users of the system
  • Procedures: the entity placed in operation procedures to achieve its objectives in accordance with its defined policies
  • Monitoring: the entity placed in operation procedures to achieve its objectives in accordance with its defined policies


  • Policies and communications: Privacy policies are written statements that convey management’s intent, objectives, requirements, responsibilities, and standards concerning privacy. Communications refers to the organization’s communication to individuals, internal personnel, and third parties about its privacy notice and its commitments therein and other relevant information.
  • Procedures and controls: The other actions the organization takes to achieve the criteria.

SOC 3 Report

Like SOC 2, SOC 3 provides assurance regarding controls that affect the security, availability, processing integrity, confidentiality, and privacy of a service organization’s internal controls—but it’s more digestible for a general audience, with no description of tests of controls and results.

SOC 3 reports can be freely distributed or posted on a website as a SysTrust for Service Organizations seal and is intended to be used for marketing purposes.

Don't take our word for it

“The best. I rely on them to get me the proper guidance to move the business forward. Changing to Perkins was one of my best decisions in the last 5 years.”

Mike Crawford
Crawford Holding Company Inc.

“I love my audit and tax teams at Perkins & Co. They are very knowledgeable, easy to work with and excellent business partners.”


Say hello!