Marco Achieves SOC 2 Type 2 Attestation Report

Posted Apr 28, 2021 9:01:42 AM

Demonstrating Our Commitment To Security

ST. CLOUD, MINN., APRIL 28, 2021 - Marco announced today it has completed a SOC 2 Type 2 examination of the Managed IT and Managed Print Services based on the Trust Services Criteria relevant to security and availability set forth in the TSP Section 100, 2017 Trust Services Criteria. This demonstrates the company’s ongoing commitment to security and clear assurances of system controls to protect and serve managed service clients.

SOC, short for System and Organization Controls, is a program established by the American Institute of Certified Public Accountants to evaluate service providers based on key criteria. Completing a SOC 2 Type 2 is a significant goal for many managed service providers.

Obtaining a SOC 2 Report required an engagement by an independent public accounting firm to verify that Marco’s management has implemented an internal control system that, in all material respects, achieves their security and availability commitments to protect client data.

“Achieving a SOC 2 Type 2 Report was a major undertaking and required significant effort across all areas of Marco,” said Mike Burgard, Chief Information Security Officer at Marco. “We are proud to have completed a SOC 2 Report for the benefit of our clients. It further shows our dedication to security and provides additional validation that we practice what we preach.”

There are two types of SOC 2 examinations, including a SOC 2 Type 1 Report and a SOC 2 Type 2 Report. While a Type 1 Report evaluates an organization on whether controls were designed to meet commitments and criteria at a point in time, a Type 2 Report evaluates an organization on whether controls were designed and operated effectively during a defined period.

“Many Managed Service Providers achieve a SOC 2 Type 1 Report,” Burgard said. “Few attain the SOC 2 Type 2 report that assesses the operation of our controls over a period of time.”

SOC 2 attestation is designed for businesses that manage customer data and systems.

“This report establishes trust and confidence that our internal controls were designed and operated effectively to protect our clients,” Burgard said. “A growing number of organizations are requiring a SOC 2 report as a minimum standard when selecting a service provider, especially in regulated industries such as health care and finance.”

The American Institute of Certified Public Accountants established the SOC internal control frameworks standards. Marco’s SOC 2 Type 2 was conducted by RSM US, LLP, one of the Top 10 public accounting firms in the United States. Marco’s SOC 2 Type 2 was based on the Trust Services Criteria for security and availability.

RSM US LLP (RSM)’s purpose is to deliver the power of being understood to our clients, colleagues and communities through world-class audit, tax and consulting services focused on middle market businesses. The clients we serve are the engine of global commerce and economic growth, and we are focused on developing leading professionals and services to meet their evolving needs in today’s ever-changing business environment.

RSM’s national practice is comprised of local and industry-focused SOC team members, providing the benefits of a boutique firm focus with the reach of an international firm. Our SOC practice covers operations in a host of countries around the world to provide accurate information about your control environment wherever you do business. Our team of SOC service providers hold a wide variety of professional certifications. These professionals—who are experienced in information systems, financial reporting processes and your specific industry—help confirm that the proper focus is placed on relevant controls and processes. As the fifth largest national audit, tax and consulting provider with more than 80 offices nationwide, we have the breadth and depth of experience to address your SOC reporting needs. SOC reports are limited use reports that are designed to be restricted to user entities of the service organization’s system, business partners subject to risks from interacting with the service organization’s system, practitioners providing services to such user entities and business partners, prospective user entities and business partners, and regulators who have sufficient knowledge and understanding of the service organization’s system. As such, users of the report should ensure that the applicable user entity controls have been designed and implemented in their control environment.

RSM US LLP is the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with 48,000 people across 120 countries. For more information, visit, like us on Facebook, follow us on Twitter and/or connect with us on LinkedIn.

Topics: Security, Technology, compliance, SOC2