
SOC Reporting Services

Providing Assurance to Your Controls

YHB’s Risk Advisory Services Team has been providing Service Organization Controls (SOC) engagements, and engagements under its predecessor SAS70, for over 15 years. We work with companies that range from just a handful of employees to companies with thousands of employees. Our expertise in recognizing and testing controls for organizations of all sizes brings international clients to YHB. We work with our clients to make sure they provide the users of their services with an accurate description of the controls they have in place.

Who We Serve


Our team works with a variety of organizations all over the globe. Over the years we have developed an expertise in providing SOC audits to the following:

  • Business Process Outsourcing Companies
  • Customer Support Call Centers
  • Public Relations and Earned Media Software Companies
  • Cloud Based Communication Centers and Businesses
  • Managed Security Providers
  • Co-Location Data Centers
  • Software as a Service (SaaS) Providers

Flexible Scheduling Site Work


We come out when it’s convenient for you and your staff, not just when it’s good for us. We also keep up with the latest in technology, meaning we can cut down on onsite time. You can get back to focusing on your business!

Because our turnover is low, you’ll be served by many of the same professionals throughout an engagement and over the years. This means you won’t have to explain what your organization does to new staff each year.

Still not sure what SOC Report you need? Let us help.

SOC Audit Solutions

If a SOC 2® engagement is the right one for you, we bring 17 years of experience working with the Trust Services Principles (TSP). We have been using the TSP framework to provide IT Audits (SysTrust) for many of our financial institution clients even before SOC 2® engagements existed.


When you are considering your first SOC engagement, you need a firm that can help you identify which controls matter. We help you describe your environment in an efficient and effective way, allowing your clients to easily understand the quality service you provide. Our approach to first year engagements is to perform a Readiness Assessment before the audit period begins. The Readiness Assessment helps you create the description of your control environment, identify the appropriate controls to fit your control objectives (SOC 1®) or the TSP (SOC 2®), and test the controls to make sure they are working as described. Once we have identified the controls and any weaknesses in them, we help you through the remediation process, preparing you for your first SOC audit.

Your relationship with YHB does not end when the report is issued. We continue to be a resource to you as changes in your environment or your industry force changes in your controls and processes.

YHB’s Risk Advisory Services Team can help you provide your clients with assurance of the controls you have in place to protect them and their customers.

Need help determining what type of SOC engagement you need?


What Are SOC Engagements?

Service Organization Control (SOC) engagements have become the gold standard for examining, assessing and reporting on internal controls at service organizations. SOC engagements were developed by the CPA profession, which has long been a thought leader in assurance engagements. CPAs are the premier providers of SOC reports for service organizations that must reassure users about their systems.

Organizations like yours receive requests from customers for assurance on a number of fronts, including assurance about your systems’ controls over financial reporting (SOC 1®, also known as SSAE16 engagements) and the controls you employ to protect the privacy and confidentiality of users’ data, as well as the security, availability and processing integrity of your systems (SOC 2® and SOC 3® engagements).

SOC 1® Report (SSAE18)

Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

SOC 1® meets the needs of user entities’ management and auditors as they evaluate the effectiveness of a service organization’s controls on a user entity’s financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of compliance with laws and regulations and for when user entity auditors plan and perform financial statement audits.

SOC 2® Report

Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®)

For those who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality or privacy. These reports play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. Stakeholders who use these reports include management or those charged with governance of the user entities and of the service organization, customers, regulators, business partners and suppliers, among others.

SOC 3® Report

Trust Services Principles, Criteria, and Illustrations

Designed to accommodate users who want assurance on a service organization’s controls related to security, availability, processing integrity, confidentiality or privacy but do not have the need for the detailed and comprehensive SOC 2® Report. It can be used in a service organization’s marketing efforts.

SOC for Cybersecurity

Examination of an Entity’s Cybersecurity Risk Management Framework.

SOC for Cybersecurity provides a company with a way to demonstrate its commitment to implementing a strong cybersecurity risk management program. Combined with the independent opinion of a Certified Public Accountant, a SOC for Cybersecurity report builds trust among stakeholders including shareholders, management, customers, prospects, potential investors and the public. As a general use report, the SOC for Cybersecurity is available to any company (not just service organizations) that needs an independent attestation of the quality of its cybersecurity risk management program.

Ready to provide assurance to your controls? Contact Us

Let's Talk

Contact us when it’s time to move forward.

Bryan Newlin
About Bryan

Bryan began his career with YHB in 2005, and has been a key leader in YHB’s respected Risk Advisory Services practice since 2007. Focusing attention on two of the most well-known technology internal control frameworks (the AICPA’s Trust Services Categories and ISACA’s COBIT® framework), Bryan works across industries to help clients identify and mitigate information & technology risk.


Bryan leads the Firm’s SOC Examination Practice with specialty niches in business process outsourcing companies, contact centers, media and communications companies, and cloud-native applications. SOC Examination specialties include:

  • SOC 1 for Service Organizations: ICFR
  • SOC 2 for Service Organizations: TSC
  • SOC 3 for Service Organizations: TSC for General Use
  • SOC for Cybersecurity

Bryan also leads the IT Audit, ACH Audit and Vulnerability Assessment segments of YHB’s Financial Services Industry team, regularly speaking at banking conferences in the mid-Atlantic region about IT and cybersecurity risk in the financial services industry.





What Clients are Saying


“Knowledgeable, fair, responsive.” – Jay H.

“Bryan Newlin, Brad Brosig, and their team have always been very knowledgeable and have provided excellent recommendations. Even outside of audit periods we are able to ask them questions and a response is always quick and informative.” – Anonymous

Brad Brosig
About Brad

A Western Pennsylvania native, Brad graduated from Indiana University of Pennsylvania in 2014 with bachelor’s degrees in both Accounting and Management Information Systems. He joined YHB that same year, spending the next five years focusing on the financial services industry by conducting internal and external financial audits, FDICIA/SOX compliance, IT audits, and ACH audits.

In 2019 Brad became a Certified Information Systems Auditor and shifted to focusing exclusively on IT-related auditing and consulting services, including the addition of vulnerability assessments, penetration testing, and SOC auditing to his repertoire. Brad’s primary goal is to help his clients find ways to control risk in an uncontrollable and risky world. He regards every engagement not as a transaction, but as a partnership, with his clients’ interests at the forefront. His primary goal is not just to deliver cutting-edge solutions, but to empower his clients with the knowledge and strategies to navigate the volatile landscape of IT risks confidently.



Stephen M. Weber
About Stephen

Stephen joined YHB in 2018 with extensive experience in IT Audit and Advisory Services. His background includes internal and external IT Audit services for state and federal agencies and Fortune 500 companies in retail, manufacturing and financial lending. Most recently, he was an instructor at Virginia Commonwealth University focusing on technology-related courses in the Accounting Department’s graduate and undergraduate programs.



His expertise spans financial statement audits, SOX, project management, legal and compliance, and data analytics. Stephen earned his Master of Business Administration from the University of Richmond and his Bachelor’s in Business Information Technology from Virginia Tech. He is actively involved in ISACA.

Stephen also completed ISACA®’s Cybersecurity Audit Certificate Program.


ISACA’s Cybersecurity Audit Certificate Program provides security professionals with an understanding of the audit process, and IT risk professionals with an understanding of cyber-related risk and mitigating controls.