The need for reliable reporting on internal controls in all organizations is growing rapidly: regulators are putting more pressure on organizations; internal governance bodies emphasize the importance of relevant and actionable information, customers want to mitigate their risks. In response to these pressures, the American Institute of Certified Public Accountants (AICPA) has developed reporting frameworks for System and Organization Controls (SOC). These frameworks deliver assurance to your customers, your management and – when necessary – to the regulators.

The experts at Lurie, LLP are here to guide you through the process and to create the reports you and your customers need for assurance related to your appropriate and reliable controls. We’ve performed thousands of attestation reports including SSAE 18/SOC 1 (formerly known as SSAE 16 and SAS 70), SOC 2 and SOC3 audit services for our clients in Minneapolis and throughout the country.

Kate M. Siegrist, Partner

Technology Consulting


A reporting framework that offers attestation for a service organization’s internal controls over financial reporting; it shows that your organization has controls in place to meet the financial reporting needs of your customers. Common types of organizations that might require SOC 1 compliance are:

  • Payroll
  • Insurance and claims processing
  • Government and public services
  • Financial services
  • Credit card collection and payment processing
  • Energy and utilities
  • Professional services
  • Transportation and logistics

SOC 2/3

SOC 2/3 addresses system security, availability, processing integrity, confidentiality and/or privacy; they present evidence that your controls are in place, meet appropriate pre-defined criteria, and that they are operating and effective (SOC 2). The AICPA also allows the auditor to evaluate compliance with other recognized standards such as HIPAA, ISO, HITRUST and NIST in the form of a “SOC 2 +” examination. Common types of organizations that might require SOC 2/3 compliance are

  • Anything as a service (XaaS)
  • Data centers
  • IT managed services
  • Marketing and advertising
  • Rewards and promotions
  • Printing
  • Information technology services
  • Healthcare
  • Any of the organization types listed under SOC 1

SOC for Cybersecurity

A framework through which your organizations can communicate relevant and useful information about the effectiveness of your cybersecurity risk management program – to your external and internal stakeholders.

SOC for Vendor Supply Chains

Focused on manufacturers this internal controls report reviews manufacturing processes so that  customers of manufacturers and distributors can better understand the cybersecurity risk in the supply chains.

The Benefits

Through SOC reporting you are able to speak about controls you have implemented to meet your and your customers’ demands. Delivering these insights differentiates you from your competitors providing evidence that controls are in place and are operational and offers your customers transparency, a vehicle to monitor that their security needs are being met – a competitive advantage is created.

Your organization gains flexibility and increases productivity, because the SOC reporting framework eliminates the need for customers to come onsite and for your staff to respond to multiple risk assessment questions.

Lurie, LLP is uniquely skilled to provide SOC-related services. The team is comprised of individuals with accounting, finance, MIS and computer science degrees and most have prior BIG 4 experience.  Our partners have taught the AICPA’s “SOC School” since its inception along with many other seminars regarding SOC reporting. 

Contact Us