Service Organizations
Companies that provide services to other businesses, known as service organizations, are increasingly required to demonstrate that their internal controls are operating effectively. This assurance is critical for their clients’ auditors and regulators, who rely on these controls to support financial reporting, data security, and compliance obligations.
Examples of service organizations that benefit from SOC reporting include cloud service providers, managed security providers, payroll processors, claims processors, and data centers.
The most widely accepted method for providing this assurance is through a System and Organization Controls (SOC) report. There are three primary types of SOC reports—SOC 1, SOC 2, and SOC 3—each designed to address different user needs:
- SOC 1: Focuses on controls relevant to internal control over financial reporting (ICFR).
- SOC 2: Evaluates controls related to security, availability, processing integrity, confidentiality, and privacy.
- SOC 3: Similar to SOC 2 but intended for general public distribution.
Recent updates to the AICPA’s attestation standards—including SSAE No. 23, effective for engagements beginning December 15, 2025—introduce new terminology and clarify the roles of participating and referred-to practitioners. Additionally, the 2024 SOC 1 Guide emphasizes the importance of identifying and testing key outputs (e.g., reports and files) that are relevant to user entities’ internal control over financial reporting.
At Lanigan, we’ve built a specialized team dedicated to performing SOC audits. Our professionals are well-versed in the latest SSAE standards and actively support both public and private sector clients in achieving compliance and building trust with their stakeholders.
Core Service Offerings for Service Organizations
- SOC Report Readiness Assessments
- SOC 1 (Type 1 and Type 2) – Internal Control over Financial Reporting (ICFR)
- SOC 2 (Type 1 and Type 2) – Trust Services Criteria
- SOC 3 – General Use Report
- SOC for Cybersecurity