SOC Assessments

Fully Accredited SOC 2 and SOC 3 Audits


About The AICPA

Founded in 1887, the AICPA represents the CPA profession nationally regarding rule-making and standard-setting, and serves as an advocate before legislative bodies, public interest groups, and other professional organizations. The AICPA develops standards for audits of private companies and other services by CPAs, provides educational guidance materials to its members, develops and grades the Uniform CPA Examination, and monitors and enforces compliance with the profession’s technical and ethical standards.

SOC 2 Assessments

The AICPA defines a SOC 2 Report as a “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.” SOC 2 reports are designed to provide information on the internal controls at a service organization as they relate to one or more of the following five key system attributes:

  • Security – The system is protected against unauthorized access (both physical and logical).
  • Availability – The system is available for operation and use as committed or agreed.
  • Processing integrity – System processing is complete, accurate, timely and authorized.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.
  • Privacy – Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.

SOC Assessments are performed using established AICPA direction, and are intended for use by privileged stakeholders (e.g., regulators, business partners, suppliers, and directors) of the service organization. A SOC 2 report can help drive management oversight, support vendor management, inform internal corporate governance and risk management processes, and provide regulatory oversight. As SOC 2 reports potentially contain sensitive or company confidential information related to an organization’s systems or processes, they are usually kept for internal use only.

SOC 3 Assessments

Similar to SOC 2 reports, SOC 3 reports are designed to meet the needs of service organizations that want to provide external assurance on their controls related to security, availability, processing integrity, confidentiality, or privacy — without having provide the confidential information typically contained in a SOC 2 report. SOC 3 reports are prepared using the AICPA/CPA Canada Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because SOC 3 reports are general use reports, and do not contain sensitive or company confidential information, they can be freely distributed.

Delivering Compliant Services

Aerstone is pleased to offer SOC 2 and SOC 3 assessments to its commercial customers, through its partnership with Pioneer Financial Services. Pioneer is a registered CPA firm in good standing with the AICPA, providing fifteen years of tax and audit services to a wide range of companies in the National Capital Region. All SOC assessments conducted by Aerstone are overseen, reviewed, and signed by a Pioneer Financial certified public accountant (CPA).

Services By Type




Services By Environment



Our Experience Sets Us Apart

Aerstone is an NSA-certified vulnerability assessor, and a service-disabled veteran-owned small business.
We approach each engagement with the highest levels of professionalism, determination, and creativity, honed by years of working with
security professionals across the military, intelligence community, civilian government, and private industry.

Contact our sales team at for more information.