A System and Organization Control (SOC) audit provides transparency about your internal control environment and assurance that the controls in place are designed and operating effectively.
Weaver works to ensure our SOC examination services also add value by helping you improve your day-to-day operations and your competitive edge. We work to provide guidance that does more than just “check the box.” Rather, we consider your business as a whole and how SOC reporting can serve as a valuable tool for achieving your long-term strategic objectives.
All SOC examinations must be performed in accordance with Statement on Standards for Attestation Engagements (SSAE), which includes multiple unique reporting channels, each tailored to provide insight on your internal control environment.
Reporting Options
All System and Organization Control (SOC) examinations must be performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 21. SSAE No. 21 includes multiple unique reporting channels, each tailored to provide insight on the internal control environment at the entity, service provider and supply chain levels.
| | SOC 1 | SOC 2 |
|---|---|---|
| Purpose | Report on internal controls over services relevant to user entities' (your customers') financial reporting. | Report on internal controls over technical subject matter relating to information security and operational risks. |
| Reports | Type 1 - Point in time; Type 2 - Period of time (typically 6-12 months) | Type 1 - Point in time; Type 2 - Period of time (typically 6-12 months) |
| Audience | User entities of the outsourced service and their financial auditors. | User entities for internal audit, due diligence, ongoing vendor management, and regulatory compliance. |
Note: Service organizations are those issuing the SOC report; user entities are those relying on the SOC report.
SOC 2: AICPA Trust Services Criteria
The Trust Services Criteria (the TSC) are used to evaluate and report on controls over information and systems across an entire entity, at the operating unit level, within a particular function, or for a particular type of information. The TSC are classified into five main categories:
Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.
Availability. Information and systems are available for operation and use to meet the entity’s objectives.
Processing Integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.
SOC 2+ Additional Criteria

Neha Patel
Partner-in-Charge, IT Advisory Services
Neha Patel, CPA, CISA, CDPSE, has more than 17 years of experience in public accounting and internal audit, with an emphasis on…

Alexis Kennedy
Partner, IT Advisory Services
Alexis K. Kennedy, CPA, CISSP, CISA, CCSFP, has more than 13 years of experience evaluating IT security in a…