Understanding SOC & ISAE reporting
Outsourcing tasks or entire functions to third-party providers allows many companies to operate more efficiently. However, it is crucial for these providers to maintain a strong system of internal controls. Outsourced providers generally provide their clients with assurance through independent third-party audit reports such as ISAE 3402 / SOC 1 or SOC 2. These reports are increasingly required as a prerequisite for engagement and not only fulfil customer requirements but also help attract new business.
Such assurance is especially important in sectors like payroll, pension administration, investment management, fund administration, IT services, software provision, finance servicing, and financial transaction processing.
There are several types of assurance reports available, and we can help you choose the right one for your business:
- SOC 1 & ISAE 3402: An assurance report that focuses on a service organisation’s system of internal controls relevant to financial reporting.
- SOC 2: An assurance report that covers non-financial reporting controls related to security, availability, processing integrity, confidentiality, and privacy.
- Other third-party assurance reports: Assurance reports to meet specific industry or customer requirements, such as SOC 3, SOC for Supply Chain, SOC for Cybersecurity, ISAE 3000, ISAE 3410, agreed-upon procedures (AUP), and SOC 2+ reports for applicable industry standards.
How our third-party assurance team can help
As your independent auditor, we can demonstrate to your clients that you have effective controls in place. As your assurance partner, we provide smart, strategic guidance throughout the entire assurance process – from scoping to final audit.
Our third-party assurance services
- Planning services: Assistance with scoping and preparing the documentation required for an ISAE 3402, SOC 1 or SOC 2 report.
- Readiness assessment: Conducting a gap analysis to identify potential issues in advance of a Type 1 or Type 2 audit.
- Type 1 audit: An audit at a point in time (a specific date) providing assurance on the design of controls. The audit process involves testing a sample of one item for each control.
- Type 2 audit: An audit which covers a period of time (typically at least six months) providing assurance on both the design and operating effectiveness of controls. The audit process involves testing multiple items per control, spread across the full audit period.
Contact us
If you require expert support and guidance for your third-party assurance reporting needs, please get in touch with Maria Gannon, Head of Third Party Assurance and Risk Management.