SOC 1 & SOC 2 Audit Services | AICPA CPA Firm | Lazarus Alliance

Gain Customer Confidence and Business Advantage with a Lazarus Alliance SOC 1 or SOC 2 audit. Call +1 (888) 896-7580 today!

We are a fully licensed CPA firm that specializes in SOC 1 and SOC 2 audits. With over 25 years of hands-on cybersecurity and compliance expertise, Lazarus Alliance combines deep technical knowledge with professional attestation authority. Our team of certified information security and risk management experts has guided organizations across technology, finance, healthcare, government, and fintech through successful SOC examinations.

SOC reports give your customers and prospects independent assurance that your systems and controls meet the highest standards of security, availability, processing integrity, confidentiality, and privacy. Far from being just another “audit,” a clean SOC 1 or SOC 2 report removes sales friction, shortens procurement cycles, and builds lasting trust, turning compliance into a true competitive advantage.

SOC 1 vs SOC 2 Comparison

Aspect | SOC 1 | SOC 2
Purpose | Controls over financial reporting (ICFR) | Trust Services Criteria (security & operations)
Framework | SSAE 18 / AT-C Section 320 | AT-C Section 205 + 5 Trust Services Criteria
Control Criteria | Custom control objectives | Standardized 5 Trust Services Criteria
Mandatory Elements | None (all custom) | Security (mandatory); others optional
Typical Use Cases | Payroll processors, loan servicers, and accounting platforms | SaaS, cloud providers, MSPs, data centers, fintech
Primary Audience | Clients’ financial auditors | Customers, prospects, partners
Report Distribution | Restricted use | Restricted use (SOC 3 is public)
Observation Period (Type 2) | Point-in-time or period | Minimum 6 months (most choose 12)
Key Benefit | Assurance on financial controls | Demonstrates strong security & operational trust

Source: AICPA Standards | Lazarus Alliance – Licensed CPA Firm

SOC 1

SOC 1 does not have an equivalent to the five Trust Services Criteria (TSC) used in SOC 2.

Instead, SOC 1 reports (issued under SSAE 18 / AT-C Section 320) are built around custom control objectives that your organization defines specifically for the engagement. These are tailored to how your services could affect your clients’ internal control over financial reporting (ICFR).

What “Control Objectives” Look Like in a SOC 1 Report

  • These are high-level statements (usually 10–30+, depending on scope) that describe what your controls are designed to achieve.
  • Examples:
    • “Controls provide reasonable assurance that transactions are initiated, recorded, and processed completely, accurately, and timely.”
    • “Controls ensure that access to financial applications and data is appropriately authorized and segregated.”
    • “Controls safeguard against unauthorized changes to financial data or processing logic.”
  • Each control objective is supported by specific controls, which the auditor (Lazarus Alliance) then tests for design and/or operating effectiveness.

Lazarus Alliance helps you:

  1. Identify the right control objectives during scoping.
  2. Map your existing processes, policies, and IT controls to those objectives.
  3. Build or strengthen the evidence needed for the examination.

This is why SOC 1 scoping is more collaborative and organization-specific than SOC 2 (which has the ready-made TSC checklist).

Key Takeaway for Your Lazarus Alliance Engagement

  • If you need SOC 1 (e.g., because your customers’ auditors require assurance on financial controls), you won’t be working against the five TSC.
  • You’ll work against a set of control objectives that Lazarus Alliance will help you document and refine so they are relevant, complete, and audit-ready.

SOC 2

The five Trust Services Criteria (TSC), formerly known as the Trust Services Principles, are the foundation of an AICPA SOC 2 report. They define the controls a service organization must have in place to protect the systems and data it uses to provide services to customers.

These five criteria (often still called “principles” in casual conversation) are:

  1. Security: (mandatory for every SOC 2 report) The system is protected against unauthorized access (both logical and physical), unauthorized disclosure of information, and damage to systems that could compromise the security of information or systems. This is the “common criteria” (CC series) and forms the core of every SOC 2 examination. It covers logical and physical access controls, system operations, change management, risk assessment, and monitoring — essentially the foundation of information security.
  2. Availability: Information and systems are available for operation and use to meet the entity’s objectives and the commitments made to customers. This includes controls for system uptime, backup and recovery, business continuity planning, and disaster recovery so authorized users can access the system when they need it.
  3. Processing Integrity: System processing is complete, valid, accurate, timely, and authorized. This criterion ensures that data is processed correctly and reliably — no missing transactions, no unauthorized changes, and outputs are what customers expect. It is especially relevant for organizations that perform calculations, data processing, or transaction services.
  4. Confidentiality: Information designated as confidential is protected to meet the entity’s objectives. This covers the protection of sensitive business information (such as intellectual property, financial data, or client contracts) throughout its lifecycle — from creation to storage, transmission, and final disposal.
  5. Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with the generally accepted privacy principles. This focuses specifically on personally identifiable information (PII) and how it is handled to protect individuals’ rights and meet regulatory expectations.

Quick Facts (in the context of your SOC 2 engagement with Lazarus Alliance)

  • Security is always required.
  • The other four criteria (Availability, Processing Integrity, Confidentiality, Privacy) are optional and are included only if your organization makes relevant commitments to customers or if they are applicable to the services you provide.
  • Lazarus Alliance helps clients determine the right scope during the free SOC Scope Questionnaire and then builds the controls, evidence, and testing around whichever criteria you select.

These five criteria are detailed in the official AICPA 2017 Trust Services Criteria (with 2022 revised points of focus), which Lazarus Alliance uses in every engagement.

SOC 1 or SOC 2 Audit Timeline: What to Expect with Lazarus Alliance

Lazarus Alliance's role in conducting SOC 1 and SOC 2 audits is to provide independent, objective assurance on the controls of a service organization, ensuring they meet the standards set by the American Institute of Certified Public Accountants (AICPA). Below is a concise explanation of their roles for each audit type:

SOC 1 Audit

A SOC 1 audit focuses on controls relevant to a service organization's financial reporting, particularly for clients whose financial statements are affected by the service organization's controls (e.g., payroll processors, data centers).

Lazarus Alliance's Role:

  1. Planning and Scoping: Assess the service organization’s processes, identify controls relevant to financial reporting, and define the audit scope (e.g., specific systems or services).
  2. Risk Assessment: Evaluate risks that could impact the reliability of financial reporting and determine key controls to test.
  3. Testing Controls: Perform procedures (e.g., inquiries, inspections, observations, or reperformance) to verify the design and operating effectiveness of controls (Type II) or only the design (Type I).
  4. Evidence Collection: Gather documentation, such as policies, procedures, and system logs, to support findings.
  5. Reporting: Issue a SOC 1 report, including the auditor’s opinion on whether controls are suitably designed and, for Type II, operating effectively over a period. The report includes a description of the system, controls, and test results (if applicable).
  6. Advisory (Optional): Provide recommendations for improving controls, though this is separate from the audit to maintain independence.

SOC 2 Audit

A SOC 2 audit evaluates controls related to security, availability, processing integrity, confidentiality, and/or privacy, based on the AICPA’s Trust Services Criteria. It’s relevant for organizations handling sensitive data (e.g., cloud service providers, SaaS companies).

Lazarus Alliance's Roles:

  1. Planning and Scoping: Work with the organization to define the scope, including which Trust Services Criteria to evaluate and which systems or services are included.
  2. Risk Assessment: Identify risks related to the selected criteria and assess the design of controls to mitigate those risks.
  3. Testing Controls: Conduct tests to evaluate the design (Type I) and operating effectiveness (Type II) of controls, using methods like sampling, walkthroughs, and reviewing system configurations.
  4. Evidence Collection: Collect and analyze evidence, such as access logs, incident reports, or encryption protocols, to validate control effectiveness.
  5. Reporting: Issue a SOC 2 report with an opinion on the controls’ design and effectiveness, a system description, and, for Type II, detailed test results. The report is typically restricted to authorized users (e.g., clients or regulators).
  6. Advisory (Optional): Offer guidance on addressing control gaps or improving security practices, while maintaining auditor independence.

Key Differences in Roles

  • Focus: SOC 1 addresses financial reporting controls, while SOC 2 focuses on operational and compliance controls (security, availability, etc.).
  • Audience: SOC 1 reports are primarily for clients’ financial auditors, while SOC 2 reports are for clients, regulators, or partners concerned with data security and privacy.
  • Criteria: SOC 1 uses control objectives defined by the service organization, while SOC 2 uses standardized Trust Services Criteria.

General Responsibilities for Both

  • Independence: Maintain objectivity and avoid conflicts of interest, adhering to AICPA standards.
  • Expertise: Apply knowledge of IT systems, internal controls, and industry standards to ensure a thorough audit.
  • Communication: Engage with the service organization to clarify expectations, discuss findings, and ensure accurate reporting.
  • Compliance: Follow AICPA’s SSAE 18 (for SOC 1) or AT-C standards (for SOC 2) to ensure the audit meets professional requirements.

The AICPA SOC (System and Organization Controls) Assessment Timeline with Lazarus Alliance typically follows AICPA standards (SSAE 18 for SOC 1 or AT-C Section 205 for SOC 2) and is designed for service organizations seeking SOC 1, SOC 2, or SOC 3 reports.

Lazarus Alliance is a fully licensed CPA firm and AICPA-accredited assessment organization with over 25 years of cybersecurity and compliance expertise. They handle the full lifecycle—including optional readiness/gap assessments, remediation support, and the formal examination—using their proprietary IT Audit Machine™ software and Critical Path Methodology.

Standard vs. Lazarus Alliance Timeline

  • Industry-standard / first-time examinations (Type 1 or Type 2): Usually 6–12 months from kickoff to final report issuance.
  • With Lazarus Alliance: Historically ~46% faster than traditional firms due to automation, specialized tools, and streamlined processes. Many clients achieve full SOC compliance and attestation in 5–9 months.

Key Factors Affecting the Timeline

  • Type 1 report — Tests the design and implementation of controls as of a specific point in time. Faster overall (no extended observation period needed).
  • Type 2 report — Tests both design and operating effectiveness of controls over a minimum 6-month observation period. Most organizations choose a 12-month period for stronger market acceptance and credibility with customers/prospects.

The observation period (for Type 2) is the biggest driver of total duration. The actual audit testing, evidence collection, and reporting phases are shorter.

High-Level Process & Phases (with Lazarus Alliance)

  1. Pre-Engagement / Scoping (1–2 weeks typical)
    • Complete the free SOC Scope Questionnaire (Organization info, services/system description, boundaries, in-scope systems, subservice organizations, Trust Services Criteria, etc.).
    • Lazarus Alliance validates the authorization boundary, data flows, and scope.
    • Kickoff meeting and Statement of Work (SOW).
  2. Readiness / Gap Assessment (optional but recommended) (2–8 weeks)
    • Identify control gaps against AICPA Trust Services Criteria (Security is required; Availability, Processing Integrity, Confidentiality, Privacy are optional).
  3. Remediation & Control Implementation (varies, often 1–3 months)
    • Implement or strengthen controls, policies, and evidence.
  4. Observation / Testing Period (Type 2 only: minimum 6 months)
    • Evidence collection, walkthroughs, interviews, sampling, and testing of controls.
  5. Formal Assessment & Reporting (4–8 weeks)
    • Final testing, auditor’s opinion, system description, and report issuance.

Many clients engage Lazarus Alliance for the entire lifecycle (readiness → remediation → examination) for the smoothest outcome.

Why the Timeline Can Be Shorter with Lazarus Alliance

  • Proprietary IT Audit Machine™ automation.
  • Dedicated Cybervisor® advisory support.
  • Deep SOC expertise (they are also a C3PAO for CMMC and handle FedRAMP, HIPAA, PCI, etc., so they often leverage overlapping controls).
  • Licensed CPA firm with full E&O coverage for attestation work.

Note: Exact timelines vary based on your organization’s size, complexity, current control maturity, scope (e.g., number of Trust Services Criteria), and how quickly evidence can be provided. First-time SOC 2 Type 2 engagements are almost always longer than renewals.

If you’re a prospective client or need a personalized timeline, the first step is completing the SOC Scope Questionnaire on our site or contacting us directly.

Why Clients Choose Lazarus Alliance for SOC 1 & SOC 2 Audits

Our clients don’t just pass their SOC audits — they finish faster, with less stress, and stronger controls. Here’s why organizations trust Lazarus Alliance as their SOC partner.

“We needed our first SOC 2 Type 2 report in under 7 months to close a major enterprise deal. Lazarus Alliance delivered it in just 5.5 months — 40% faster than our previous firm — using their IT Audit Machine™ automation. The report was clean, and our client was impressed.”

— Director of Compliance, Series C SaaS Platform

“Lazarus Alliance’s Cybervisor® team helped us close 14 control gaps we didn’t even know existed. Their proprietary tools gave us real-time visibility into our readiness score, so we walked into the formal examination fully prepared. Best SOC investment we’ve ever made.”

— VP of Information Security, Fintech Payments Company

What Sets Lazarus Alliance Apart

  • IT Audit Machine™ – Our proprietary automation platform cuts evidence collection and testing time by up to 46%, giving you faster reports without sacrificing quality.
  • Cybervisor® Advisory Services – Dedicated virtual CISO-level support that acts as an extension of your team throughout the entire engagement.
  • Critical Path Methodology – A proven, streamlined process developed from 25+ years of SOC experience that eliminates the typical back-and-forth with traditional auditors.
  • Fully Licensed CPA Firm – We issue the actual SOC attestation reports ourselves — no middleman or sub-contracted auditors.

Ready to experience the difference? Complete our free SOC Scope Questionnaire today and receive a personalized timeline and quote within 48 hours.

Frequently Asked Questions

We provide all current SOC suites:

  • SOC 1 (ICFR – controls over financial reporting)
  • SOC 2 and SOC 3 (Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy)
  • SOC for Cybersecurity
  • SOC for Supply Chain

  • SOC 1 focuses on controls relevant to financial reporting (ICFR).
  • SOC 2 examines non-financial controls based on the AICPA Trust Services Criteria (most commonly Security + additional criteria).
  • SOC for Cybersecurity is a broader entity-wide cybersecurity risk management examination that results in a report suitable for public distribution.

For first-time (Type 1 or Type 2) examinations, the process usually spans 6–12 months from kickoff to report issuance. A Type 2 examination requires a minimum 6-month observation period (most organizations choose 12 months for stronger market acceptance).

  • Type 1 tests the design and implementation of controls as of a specific point in time.
  • Type 2 tests both the design and operating effectiveness of controls over a period (minimum 6 months). Type 2 reports are significantly more valuable to customers and prospects.

Yes. We provide gap/readiness assessments, remediation support, and full attestation services. Many clients engage us for the entire lifecycle (readiness → remediation → examination) to ensure the smoothest and most successful outcome.

Yes. All of our SOC engagement leaders and examiners are licensed CPAs with extensive SOC experience, and Lazarus Alliance maintains robust professional liability (E&O) coverage specific to attestation services.

Absolutely. We commonly perform SOC 2 examinations that include Privacy alongside Security and other applicable criteria, which is especially valuable for organizations handling personal information (PII/PI) and needing to demonstrate HIPAA, CCPA/CPRA, GDPR, or other privacy compliance alignment.

Talk with one of our experts

Our Lazarus Alliance Cybervisor™ teams have experience performing thousands of assessments for organizations providing services to clients around the world.

We're here to answer any questions you may have.

Benefits of SOC Compliance

Here are the key benefits of achieving and maintaining SOC compliance (primarily SOC 1, SOC 2, SOC for Cybersecurity, or SOC for Supply Chain):

  1. Stronger Customer Trust & Sales Advantage: A clean SOC report (especially SOC 2 Type 2) is often a mandatory requirement in RFPs and vendor questionnaires. Having one removes a major sales obstacle and shortens sales cycles.
  2. Competitive Differentiation: Many prospects explicitly favor (or require) vendors with a current SOC 2 or SOC for Cybersecurity report. It becomes a market differentiator, especially in SaaS, fintech, healthcare, and cloud services.
  3. Reduced Third-Party Risk for Your Customers: Your SOC report gives customers and their auditors the assurance they need without having to send you lengthy questionnaires or perform on-site audits.
  4. Regulatory & Contractual Compliance: SOC reports help satisfy requirements or expectations from:
  5. Improved Internal Processes & Security Posture: The readiness and examination process forces organizations to document, implement, and test controls—resulting in fewer vulnerabilities, better change management, stronger access controls, and overall maturity.
  6. Risk Reduction & Lower Insurance Premiums: Many cyber insurance carriers offer better terms or lower premiums to organizations that can provide a current SOC 2 Type 2 or SOC for Cybersecurity report.
  7. Avoid Costly Duplicate Audits: Instead of undergoing separate audits for every large customer, one SOC report can satisfy dozens or hundreds of customers at once.
  8. Enhanced Stakeholder & Investor Confidence: Boards, investors, and partners view SOC compliance as evidence of operational maturity and responsible governance.
  9. Public Relations & Marketing Asset: SOC 3 reports and seal usage (or even mentioning a SOC 2 Type 2 in marketing) signal to the market that you take security and reliability seriously.

We want to be your partner and SOC 1 & SOC 2 Third-Party Assessment Organization compliance audit assessor of choice! For additional information, please call +1 (888) 896-7580.

Want to get a jump on receiving a quotation? Complete our questionnaire here: