RyanSharkey Approach to SOC Reporting Projects


Working closely with your management team and other involved parties, we’ll validate the scope, clarify roles and expectations of management and RyanSharkey, determine methods of communication and establish an audit plan and schedule.

Gaining an Understanding

In this phase, we will gain an understanding of the service organization’s business process, control environment and control components, and provide guidance to management on the adequacy of its control objectives and controls. Each client is treated in a manner unique to its respective services, environment and industry. To accomplish this, we conduct walk-throughs with the main process owners and review documentation available to support these discussions.


Based on our understanding gained in the previous stages, we prepare narratives and a list of documents, reports and electronic data we will need to complete our audit procedures. During this phase, ongoing discussions are held with management to determine the final control objectives and identify the controls most suitable to achieve the control objectives.

Design and Execution of Testing

For a Type 1 report (SOC1, SOC 2 or SOC 3), we will confirm that the controls have been placed in operation as of the specified date by performing a walk-through and reviewing relevant documentation at or near the specified date.

For a Type 2 report (SOC 1, SOC 2 or SOC 3), we design our testing procedures to test the operational effectiveness of the relevant controls identified in the previous phases. Testing typically includes inquiry, observation of activities, inspection of documents and records, and re-performance of the control. Throughout the execution of our testing, we discuss our findings immediately with the main process owners. If there are exceptions to our testing, we discuss possible compensating controls with management.


In the final phase, we prepare our draft report and submit it to management for review. The report includes our opinion, the control narratives, controls, test procedures and results of the tests including any exceptions identified. A written assertion from management will also be either attached to or included in the report. As the report is being reviewed by management, the working papers supporting our testing and the report undergo a rigorous internal review to ensure the quality of the final product.

Know that you need a SOC Report? Click here to request a quote.

For more information on SOC Reporting or to contact a member of RyanSharkey’s Risk Advisory Services team, please fill out the form on this page. A member of our team will contact you.

About RyanSharkey Risk Advisory Services

RyanSharkey offers a comprehensive array of Risk Advisory Services with an emphasis on providing a personalized, partnered approach. Our services include internal audit sourcing and consulting; IT assurance (SOC reviews); IT risk and internal audit; governance, risk and compliance consulting; regulatory and contract compliance; and Sarbanes-Oxley sourcing and consulting.    

Questions? Contact RyanSharkey using the form below.

  • - -