IT and specialized assurance services


Build stakeholder trust in a digital ecosystem 

We assist organizations in understanding risks associated with information technology (IT) and emerging technologies. Start gaining assurance on controls of internal, regulatory, and extended enterprise requirements.

Our team possesses a wide range of IT skillsets across infrastructure, enterprise resource planning (ERP), custom-developed applications, service organisation controls, evolving digital technologies, and other industry- and sector-specific capabilities.

How we can help:

Third party assurance

Outsourcing operations does not transfer the risk associated with that process. The organization that is outsourcing (user entity) remains responsible for governance, risk management and compliance for the processes / operations now managed by its service provider. Regulators and industry bodies are focused on addressing the risks arising out of these changes. In this context, service providers (service organizations) build trust and confidence in the services performed and the associated controls through system and organization controls (SOC) reports.

Deloitte offers a range of third-party assurance services and also assists clients in selecting the most suitable third-party reporting option:

Assurance related reporting

We’ll provide an independent report on your user entities internal control environment for use by management of the service organizations, user entities, and/or their auditors.

  • Assurance over financial reporting process - SOC 1 reports over controls that impact the financial reporting of user entities. Typically performed under the SSAE 18 (issued by AICPA) and ISAE 3402 (issued by IAASB) standards
  • Assurance over operations - ISAE 3000, SOC 2, SOC 3 and custom SOC reports
    • ISAE 3000 - Assurance report over non-financial processing for the criteria defined by the entity rather than a standard: internal controls, sustainability, compliance with laws / regulations, other requirements
    • SOC 2 report - Assurance report on non-financial processing based on one or more of the Trust Service Principles which are security, availability, processing integrity, confidentiality and privacy
    • SOC 3 report - Short public report that can be used for marketing purposes on non-financial processing based on one or more of the Trust Service Principles
    • Customized SOC reports to meet specific industry or customer requirements, such as SOC for Supply Chain and SOC 2+ reports for applicable industry standards such as NIST, ISO, CSA, GDPR, CMMC, FedRAMP and/or others

Factual reporting

We’ll detail our findings/observations as part of an assessment.

  • Agreed-upon procedures (AUP) report, a report of factual findings, based on specific and upfront agreed procedures performed on a chosen subject matter or a client assertion. AUP engagements are typically performed using the ISRS 4400 or SSAE 19 standards
  • Readiness assessments to explore a company’s preparedness to address risks or needs associated with their outsourced service provider programs

IT controls assurance

  • Conduct an evaluation as a part of the organization's internal controls programs to identify and ensure the correct response to risks arising from IT and the digital ecosystem
  • IT risk assessments
  • Performing design and operating effectiveness reviews for IT general controls and automated controls across various ERPs and custom-built applications
  • Data migration reviews, interface controls reviews, access, and functional segregation assurance

IT controls advisory

  • Improving IT processes and controls to effectively identify, understand, and implement relevant internal controls methodology and processes
  • Risk intelligence on controllership, information technology, and security functions in order to address risks arising out of the technological changes
    • Define relevant risks and build an IT controls framework to meet internal and external compliance requirements on account of process changes, ERP, and application changes or enhancements, as well as bot implementation
    • Optimize by determining the feasibility of IT controls standardization, controls rationalization, better use of automated controls through full use of standard system functionality, and recommendation of effective remediation measures based on industry and sector expertise for gaps identified
    • Embed through training programs on IT risks and controls, IT policy and procedure buildout, controls remediation support, and SME support to meet specific industry or technology/tool requirements

Key contact

Crawford Hastings


Crawford is a Partner in our Risk Advisory practice who specializes in delivering technology and information risk services to clients with complex computer systems and heavily automated business proce...