Independent examination of an organisation's controls that are relevant to financial reporting. It is specifically designed to meet the needs of user entities and their auditors who are evaluating the impact of a service organisation's controls on the user entity's own financial statements.

Examination of controls performed by a service organisation relevant to internal control over financial reporting, including financial ledgers, revenue, collections, payroll, purchasing, payments, pensions, asset management, settlement, inventory, logistics and general IT controls.

Independent examination of controls related to specific Trust Service Categories (TSC) (security, availability, confidentiality, processing integrity and/or privacy) supporting the achievement of principal service commitments and system requirements. The applicable criteria may be extended to cover compliance with other standards and frameworks, e.g. ISO 27001 in a SOC 2+.

Independent examination with the same underlying scope as a SOC 2, however with the issuance of a “slimmed down” report that is intended to be made public for general use.

Implementation and maintenance of a cyber risk management program including examination of entity’s cybersecurity capabilities (NIST CSF, ISO 27001, AICPA TSC, NCSC CAFF, CSA Cloud Controls Matrix (CCM), etc).

Direct assurance or assurance over subject matter information on a variety of subjects beyond traditional financial information. Examinations can include compliance with regulations, sustainability reports, cybersecurity controls, data privacy practices, third-party outsourcing, among other subjects.