SOC 2 Audit Reports

RyanSharkey’s Risk Advisory Services group offers expertise in Service Organization Control (SOC) 2 reporting, which examines the design and operating effectiveness of internal controls related to the applicable AICPA Trust Services Principles.

Trust Services Principles

The AICPA gives service organizations the flexibility to select which of the Trust Services Principles (below) are subject to the attest engagement and included in the SOC 2 report.

  • Security – The system is protected against unauthorized access (both physical and logical)
  • Availability – The system is available for operation and use as committed or agreed
  • Processing Integrity – System processing is complete, accurate, timely and authorized
  • Confidentiality – Information designated as confidential is protected as committed or agreed
  • Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the entity’s privacy notice and with criteria set forth in the AICPA’s Generally Accepted Privacy Principles


  • Primary: Management of user entities
  • Secondary: Parties knowledgeable about the nature of the services provided:
    • How the service organization’s system interacts with user entities
    • Subservice organizations and other parties
    • Internal control and its limitations

Report Content

  • Written assertion by management of service organization
  • Description of service organization’s system
  • Type 2 Report includes description of the CPA’s tests of controls and results
  • Independent Service Auditors’ opinion on fairness of presentation of the description, suitability of design and, in a Type 2 Report, the operating effectiveness of controls
  • Complementary user entity controls and how they interact with related controls at the service organization

RyanSharkey Approach

Our approach to SOC reporting projects includes:

  • Assessment of weaknesses and vulnerabilities
  • Planning: Scope, roles and expectations
  • Documentation and definition of objectives
  • Design and execution of testing (includes Type 1 and Type 2 reports)
  • Reporting
