System and Organisation Controls (SOC) reporting

Providing assurance over outsourced IT / business process provision.

The SOC assurance landscape 

The SOC assurance landscape offers a range of standards or reports, depending on focus such as controls over financial reporting (commonly referred to as SOC 1);  IT and operational controls (most commonly SOC 2) or anything in between, including ESG assurance reporting. 

We have a dedicated team that can guide you through the assurance jargon and help you find the right standard for you and your stakeholders. 

To find out more, please contact our SOC specialists using the form below.  

Contact our SOC team today

The main types of reporting options

  • Assurance over financial reporting - reports over controls that impact the financial reporting of user entities. Typically performed under the Attestation Standards (American Institute of Certified Public Accountants Standards (AICPA) and are also called SOC 1; and the ISAE3402 standard, issued by the International Auditing and Assurance Standards Board (IAASB).  
  • Assurance over non-financial information - SOC 2 and SOC 3 based on AICPA’s Trust Services Criteria for Security, Confidentiality, Availability, Processing Integrity, and Privacy; and ISAE 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information, issued by the International Federation of Accountants (IFAC). 

Our SOC reporting services

SOC reporting offers a range of benefits to both the user organisations and service organisations.

The benefits for user organisations include

  • Manage risks in the third-party / vendor relationship.   
  • Meet the company’s multi-purpose reporting requirements, including operational and financial reporting.  
  • Valuable information - an independent assessment of whether the controls of the service organisation were in place, suitably designed and operating effectively.  
  • Cost savings - avoiding additional costs in sending the auditors of the user entity to the service organisation to perform audits.  
  • Maintaining compliance with industry, governmental and other relevant regulatory requirements.  

The benefits for service providers   

  • Commercial advantage - a method to differentiate a service organisation from its peers/competitors and proactively demonstrate that good practice controls are in place.   
  • Cost savings - providing reports issued by the service auditor rather than customer audits - Savings on answering questionnaires. This frees up service organisation resources to complete more value-added activities.  
  • Broad assurance - provides reasonable assurance to a broad range of clients with a single report.  
  • Compliance requirements - demonstrates to regulatory bodies that controls are in place and operating effectively.  
  • Improve overall control awareness - generates increased awareness within the organisation of the importance of controls and embeds a strong control culture. 

If you are a provider or user of outsourced services and would like to explore SOC Assurance reporting, reach out to us. We would love to hear from you. We are passionate about SOC – this is what we do. 

Contact our SOC team today

Why look towards our SOC services

Many companies have found that they are able to function more effectively through the outsourcing of tasks or entire functions to service organisations. It is vitally important that such organisations have a verifiable and reliable system of internal controls in place. 

Organisations increasingly focus on their core competencies and enter into an outsourcing relationship for the areas that are not core to their business where cost or value efficiencies can be gained, allowing them to focus on their strengths. But it does expose them to risk due to the uncertainty and lack of transparency over the outsourced processes and controls – as the adage goes “you can outsource a process but not the risk.” 

How do outsourcing organisations know that their service providers have adequate controls in place over the processes undertaken on their behalf? Conversely, how do the service provider’s clients gain the comfort they need over the controls they operate on their behalf? 

This has prompted organisations to demand that service providers provide them with Service Organisation Control (SOC) or Service Auditor reports.  

SOC reporting seeks to provide greater transparency and comfort to the user organisation and its stakeholders whereby the service organisation engages an independent service auditor to test its controls and provides an independent assurance opinion in accordance with a recognised standard that can be shared with the user organisations and their stakeholders such as their auditors or regulators. 

Forvis Mazars is regularly engaged by service organisations to test their controls and provide an independent assurance opinion, which can then be shared with their customers, potential customers and other stakeholders, including their auditors.

Get in touch

Contact our SOC team