top of page


All SOC examinations are not created equal.
While all companies providing SOC services follow the same AICPA guidance, (SSAE 18 for SOC 1 and TSP 100 Trust Services Criteria) for SOC 2, approaches to conducting the examination can differ significantly.


GRAYCPA works with clients throughout the United States and within multiple industries and technology platforms.


GRAYCPA is one of the few firms in the country specializing in SOC examinations. Our SOC professionals bring over 25 years of Big 4 and regional firm experience to the SOC process.


GRAYCPA is deadline driven with SOC professionals delivering the highest quality reports in the most cost-effective manner.


Our final reports are delivered to clients within 4-6 weeks from the completion of our testing and fieldwork phase. Some firms make this claim but few deliver.  We do not miss deadlines!



GRAYCPA utilizes a customized methodology  focused on providing our clients with a seamless process and framework to complete your SOC examination in the most effective and cost-efficient way possible.


The GRAYWAY consists of four phases to complete the SOC examination: 1) Planning, 2) Readiness Assessment, 3) Testing, and 4) Reporting


While these phases are fairly common among most firms, it is what we do within each phase to facilitate the process that sets GRAYCPA apart from other firms, our secret recipe so to speak.

While SOC examinations are not considered a certification, GRAYCPA provides a specially designed seal to show your company’s compliance with contractual obligations and completion of the SOC examination by a Certified Public Accountant.

SOC 1 Logo - Transparent Background-01.p
SOC 2 Logo - Transparent Background-01.p





While the overall approach does not vary greatly from firm to firm with regards to performing SOC services, you receive personalized attention, enjoy the ease of the readiness assessment process, timely delivery of the report, and the turnaround time from SOC examination beginning to report issuance.

Our number one goal is to provide our clients with a true partnering experience resulting in a quality SOC report that is cost-effective and fully embraced by all client stakeholders.

GRAYCPA’s national expertise is derived from working with clients throughout the United States and within multiple industries and technology platforms.


GRAYCPA provides a team of experts solely dedicated to your needs. We never miss a deadline and we complete our process efficiently with unmatched quality.


GRAYCPA has developed an extensive internal controls database across multiple industries and information system platforms that enables us to streamline our engagements and customize our engagement framework to meet the specific needs of our clients.


At GRAYCPA, we fully appreciate the challenges of managing the increasing costs of doing business, understanding that all SOC costs cannot be passed on to the customer.


We focus on reducing these costs while providing you with opportunities to grow your market.



(SSAE 18)


SOC 2+



SOC 1/SSAE 18 examinations provide assurance that your business has adequate and effective control objectives and corresponding controls related to processes that impact customers’ financial reporting.

(TSP 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)

SOC 2 examinations address your business’s controls that impact security, availability, confidentiality, processing integrity, and privacy in accordance with AICPA Trust Services Criteria. SOC 2 reports are designed for your customers.

The SOC 2+ report provides clients the opportunity to include other regulatory and compliance requirements/frameworks into their SOC to meet the needs of specific entities. We can integrate FISM/NIST standards, HIPAA, HITECH, IRS standards, and most any other compliance standards into the Trust Services Criteria to provide a more robust report.

SOC 3 examinations address operation controls pertaining to suitability of design and operating effectiveness in accordance with selected Trust Services Criteria. SOC 3 reports are an extension of SOC 2 reports and can be distributed for public access to your SOC reporting status.

In 2017, the AICPA introduced its cybersecurity risk management reporting framework as an essential addition to the System and Organization Controls (SOC) suite of service offerings. SOC for Cybersecurity reports provide a description of your cybersecurity risk management program and a set of benchmarks that we will evaluate your program against. They are designed to help organizations communicate meaningful information about the effectiveness of cybersecurity risk management programs and controls in the form of a CPA firm’s independent attestation report. Users may include senior management, boards of directors, analysts, investors, and business partners.

SOC 2+



The GRAYWAY goal is to reduce the time, effort, and examination costs for delivering a quality SOC report.
GRAYCPA works closely with you to develop a successful customized framework for your SOC compliance. We follow our standard approach as detailed below to complete your SOC examination, but adjust each phase as necessary to streamline the process to fit your SOC examination needs.  For clients who have had a previous SOC examination performed by another firm, we review the process and controls documentation and are consistently able to reduce the number of control objectives by an average of 15-25%. This not only helps to reduce time, effort, and costs of the examination, but significantly increases the efficiencies associated with the business process. Clients are able to focus on the most important controls and not waste time and effort on controls that do not add value to the process, are redundant, or do not represent key controls.
For all SOC clients, we hold initial discussions prior to drafting the engagement letter to determine the specific type of report needed and the level of readiness assessment required. We analyze your key business processes and objectives to give us valuable insight as to your needs regarding SOC compliance. The cost and time of completion for Type 1 and Type 2 engagements varies significantly; therefore, understanding your business dynamics is important to provide you exactly what is needed. 
Every GRAYCPA SOC examination consists of the following four phases. The extent of work performed within each phase depends on the complexity of the system being examined.


A SOC engagement begins with a meeting with key personnel involved with the system and associated IT environment being examined.


Determine all client personnel involved in obtaining a detailed understanding of the system(s) being examined and establish a specific timeline and deadlines for completing the various SOC examination phases.


GRAYCPA knows the questions to ask to facilitate planning discussions, minimize client time, and provide a skeleton system description highlighting the new and existing controls to be examined to assist the client in developing their system description without having to start from scratch.


A detailed timeline and milestones to complete the SOC examination.


GRAYCPA performs a readiness assessment for all new client SOC engagements. The readiness assessments vary in scope and augment the overall engagement process for the actual SOC examination. It provides for a more streamlined, efficient examination and aids in mitigating any business interruption issues when conducting the SOC engagement itself. The readiness assessment provides an excellent introduction to the GRAYCPA SOC examination process to client personnel. The readiness assessment establishes expectations for the future examination with regards to the time commitment required by key client personnel.


The readiness assessment is designed to identify the controls that should be implemented or enhanced prior to the actual examination. Some companies have existing control documentation and test their controls on a regular basis. GRAYCPA can review those controls and identify improvement opportunities and in some cases reduce the number of identified controls due to redundancy or excessive non-key controls. For companies who have never identified or documented their controls, GRAYCPA has developed an extensive internal controls database that assists clients in getting started with the identification of risks specific to their business and the associated control objectives.


Utilizing customized tools and over 25 years of SOC expertise, GRAYCPA streamlines the control objective and control activity identification process by utilizing an extensive internal control database containing business process and information technology controls for multiple operating systems and applications. We quickly gain an understanding of your overall system and internal control environment and identify the key controls associated with your business process and IT environment. We assist our clients in developing a good draft of the system.


The readiness assessment provides the client with an initial draft of their system description of controls and a gap analysis, detailing the recommendations needed before the actual SOC examination testing phase can begin.


The testing phase begins when all required controls have been identified and have been in operation for a minimum of six months (four months in certain circumstances). We provide an artifact request list prior to coming on site. Our average time on site is 3-4 days depending on the complexity of the process and number of control activities.


Obtain all required documentation, artifacts, and complete testing of controls prior to and while on site. We plan the onsite visit well in advance to ensure availability of client personnel and that controls to be tested are specified. Any identified exceptions are discussed with management prior to completion of testing phase. We strive to have our testing completed by the reporting period end date.


Our years of experience enable us to quickly identify what is needed for testing and to clearly articulate those needs to our clients. We begin gathering testing artifacts and other information needed for testing as early as the planning and risk assessment phase. We establish our testing documentation in the planning phase and maintain constant communication with the client and the engagement partner to ensure there are no surprises.


A completed controls testing matrix with all potential control exceptions identified and discussed with management.  The system description is finalized and accuracy confirmed by client management.


Our customized report process enables us to quickly turn around the first report draft for management review.


Our goal is to issue the first report draft to management within two weeks of completing controls testing. Depending on management’s availability, we are typically able to issue the final report within 3-4 weeks of completing controls testing. Most firms cannot come close to that report turnaround time.


Our experience in reviewing SOC reports and our use of established report templates and input tools used to customize the report enable us to streamline the reporting process without the multiple levels of review that most firms undergo. We establish reporting review schedules in advance and ensure we stick to those deadlines.


We obtain signed management representations and assertions along with issuing the draft report.  Once all signed documentation is received from the client, we finalize the report and issue to the client for distribution to their respective stakeholders.



Thanks for submitting!

bottom of page