SOC Reporting

Third Party Assurance Reporting

Many organizations outsource one or more of their activities to service organizations that have the necessary resources and expertise. This often involves activities that are not part of the organization’s core business and/or where security and continuity are crucial. Consider, for example: HR and payroll processes, financial management, IT services and data centers.

If your company acts as a service organization, chances are that your customers will ask questions about the way your internal processes are organized. After all, your customers remain ultimately responsible and wish to obtain sufficient certainty about the necessary confidentiality, integrity and availability of your services.

Moreover, these are not one-off questions from your customers, but permanent needs which you will have to meet periodically.

A System & Organization Controls (SOC) Report (e.g. ISAE 3402, ISAE 3000) is an efficient way for you as a service organization to communicate to stakeholders, such as your clients, the necessary assurance on how risks are managed.

Service Provider

  • Distinguish yourself as a service organisation and obtain a competitive advantage
  • Cost savings due to integrated assurance reporting
  • Assurance reporting to a broad range of clients with a single report
  • Able to demonstrate compliance requirements are in place

User Organisation

  • Assurance reporting on the design and effectiveness of controls at the service provider
  • Cost savings due to integrated assurance reporting
  • Able to demonstrate compliance requirements are in place
  • Monitoring of the service level agreements with your third party

What is an ISAE 3402/3000 (SOC) report?

ISAE reports are “System and Organization Control (SOC)” attestations to provide clients and other relevant stakeholders with an objective assessment of your service organization’s control environment.

A distinction can be made between a SOC 1 and SOC 2 report.

  • ISAE 3402 (SOC 1) is an assurance report that provides reasonable assurance about a service organization’s internal controls relevant to the financial reporting of a user organization (customer). Control objectives relate to business processes and information technology (General IT Controls such as security, change management, continuity and access security).
  • ISAE 3000 (SOC 2) is an assurance report that provides reasonable assurance on the effectiveness of non-financial controls of service organizations. The audit objectives address the following criteria: security, availability, confidentiality, processing integrity and data privacy.

So which type of reporting you should choose will depend mainly on your client’s question. What does the customer want to get assurance about and for what purpose?

Your expert

Gorik Van den Bergh
