Service Organization Controls 2 (SOC 2)



Manage and monitor the risks related to your service providers appropriately

Overview of SOC 2 reports


Businesses are increasingly dependent on third parties to provide critical services. A large proportion of these services are related to information technology (IT), including managed IT services, software as a service (SaaS), and security as a service. These third-party services can help businesses remain competitive globally, grow in the market, or reduce costs while increasing quality.

However, this growing usage of a complex network of third-party suppliers also increases IT corporate governance concerns, such as cyber and security threats, data quality issues, privacy legislation and regulatory requirements. Each company, whether regulated or not, is ultimately responsible for the risk related to these engagements; therefore, they must manage and monitor the risk appropriately.

Today, more than ever, organizations need to ensure the security, availability, privacy, process integrity and confidentiality of their data and the underlying systems, regardless of whether these are insourced or outsourced. Deloitte Luxembourg’s Information & Controls Assurance services specialize in identifying risks affecting internal systems, business processes, projects, applications, data and third parties, focusing on the areas of blockchain, cloud and IT security, as well as the controls addressing the identified risks.

The SOC 2 reporting standard is an audit opinion report over internal controls related to many areas including but not limited to organizational structure, IT, human resources, and third-party management, while focusing on the trust principles of security, availability, integrity of processing, confidentiality, and privacy. As emerging technologies like cloud computing, security as a service, and blockchain have matured and economic conditions have driven organizations to increase efficiencies through outsourcing, the need to answer questions regarding the integrity, availability and confidentiality of information managed by third parties has grown.

Even for companies not using third parties, stakeholder and regulatory requirements around internal controls are increasing. A SOC 2 report can help companies address these questions and provide more assurance regarding their service providers’ internal controls to address the identified risks.



Benefits of a SOC 2 report


A SOC 2 report follows an extensible framework that allows service auditors to incorporate various industry standards (e.g., ISO27001, NIST, and CSA) into a unique report. SOC 2 reports are highly valued by all types of companies as well as their customers.

The benefits for companies are significant, as service auditors can issue one report instead of replying separately to hundreds of individual audit requests, customer questionnaires, and requests for proposals. Moreover, a SOC 2 report shows a strong commitment by the company’s management to its internal control framework, as well as the company’s compliance with common control frameworks and solid governance over internal controls.

SOC 2 reports provide a standardized format for meeting a broad range of regulatory and industry control requirements, enabling third-party service providers and other companies to undergo only one audit and provide responses to several addressees. The trust criteria relate directly to the core service obligations and commitments of companies in the areas of cloud computing (e.g., infrastructure as a service [IaaS], platform as a service [PaaS] and SaaS), blockchain, and managed IT services. These cannot be sufficiently covered by a SOC 1 report, which covers the controls at a service organization that are relevant to user entities' internal control over financial reporting.

SOC 2 reports are also highly appreciated by the customers of outsourcing service providers, as these reports can help reduce the resources required for third-party oversight. Customers can receive independent assurance over controls operated by the service provider and obtain a comprehensive view of the process and controls in place.

The SOC 2 report also clearly describes the controls the user entity must perform regarding the third-party service provider to ensure the user entity’s internal control framework is complete and addresses all relevant requirements.

Lastly, by reviewing a SOC 2 report, a customer can gain insight into a service provider’s control gaps related to the relevant controls and design. They can then implement a timely response to these gaps to stay compliant with regulations, as well as their own customers’ requirements and the company’s internal control.



Deloitte Luxembourg’s service offering

As an independent third-party service auditor, Deloitte Luxembourg assists companies to:

  • Prepare for a SOC 2 report attestation, which covers the identified areas necessary to comply with SOC 2’s relevant methodological requirements, as well as other industry standards; and
  • Perform control testing in light of the applicable standard and sign the audit opinion accordingly.

As part of Deloitte’s global network of member firms, Deloitte Luxembourg has the depth and breadth to deliver leading practices on SOC 2 matters. We work with our clients to proactively identify value-added business insights, provide suggestions for improvement throughout the engagement, and ensure a smooth and consistent process.

Deloitte Luxembourg has developed a comprehensive and structured approach for SOC 2 reporting services. Our methodology for preparing and delivering SOC 2 reports follows a phased approach, customized to meet the specific business needs of our clients that provide cloud computing, blockchain and IT managed services.

Our approach incorporates a risk-centric focus, while also identifying effective and efficient methods for determining scope, testing controls, and executing the tasks and activities associated with SOC 2 reporting. We tailor our service to your needs, reducing the effort needed to gather the required information while helping you and your staff gain a clearer understanding of the SOC 2 requirements.

We provide a carefully selected project team with in-depth industry knowledge and experience, as well as experienced service auditor professionals. We are familiar with the relevant frameworks including ISO27001, CSA, and COBIT, and have the required certifications.




Roland Bastin


Partner | Forensic & Risk Advisory

Roland is a partner within the advisory and consulting department and joined the Risk Advisory practice of Deloitte in 2001. He is responsible for IT audit, IT security, IT regulatory compliance, Data...

Stéphane Hurtaud


Partner | Cyber Security Leader

Stéphane is a partner within our Risk Advisory practice. He has over 21 years of experience in the IT risk, Information Security and IT audit fields, with a strong focus on the financial services indu...

Bert Glorieux


Director | Risk Advisory

Bert is Director in Governance, Risk & Compliance with an international experience of over 15 years in internal, operational and IT audit, financial audit and consulting. In particular, he worked in t...