Service Organization Controls



Why businesses need Service Organization Controls (SOC) reporting

Businesses are increasingly dependent on third parties to provide critical services, especially services related to information technology (IT). Third-party services can help businesses remain competitive globally, grow in the market, or reduce costs while increasing quality.

However, increased usage of a complex network of third-party suppliers also increases IT corporate governance concerns, such as cyber and security threats, data quality issues, privacy legislation and regulatory requirements. Each company – whether regulated or not – is ultimately responsible for managing and monitoring the risk related to third-party relationships.

One of the most effective ways that organizations can communicate about their risk management and internal control environment is through Service Organization Controls (SOC) reporting.

Optimizing SOC reporting

Optimizing third-party assurance reporting on Service Organization Controls has significant advantages:

Broad-based assurance:
Assure a diverse range of clients with a single report.

Integrated requirements:
"Test once" and apply results across multiple reports and internal requirements like the SEC’s Sarbanes-Oxley Act (SOX).

Time and cost savings:
Reduce “one-off” requests from customers and their auditors.

Customer value creation:
Differentiate from the competition by demonstrating market flexibility and the ability to quickly meet customer compliance.

Business process improvement:
Streamline controls and processes and eliminate redundant activities.

Rapid tailoring:
Customize reports for both existing and prospective clients.

Enhancing trust:
Strengthen client trust through a well-structured reporting process.

Improved ability to cross-sell:
Communicate your full range of services through structured reports to pave the way for additional service requests.

How Deloitte can help

Assurance over financial reporting (SOC1)

Reports on controls that impact the financial reporting of your customers. Typically performed under the SSAE18 SOC1 standard (issued by the American Institute of Certified Public Accountants, or AICPA) or ISAE 3402 (issued by the International Auditing and Assurance Standards Board, or IAASB).

Assurance over Trust Service Criteria (SOC2)

Non-financial report based on one or more of the Trust Service Criteria (security, availability, processing integrity, confidentiality and privacy), performed under the SOC2/SOC3 standard (issued by the AICPA).

Assurance over other frameworks (SOC2+)

Report used to demonstrate compliance with a wide range of regulatory and industry frameworks such as ISO27001, CSA, COSO, CSSF compliance, Blockchain and COBIT. Typically performed following the enhanced SOC2 (also called SOC2+) standard, the SOC for Cybersecurity standard (issued by the AICPA) or the ISAE 3000 standard (issued by the International Federation of Accountants, or IFA).

Agreed-upon procedures

Reports on specific procedures performed on a subject matter, presenting the findings without providing an opinion or conclusion. Typically performed under the ISRS 4400 standard (issued by the IAASB).

Readiness assessment

A Deloitte readiness assessment of SOC reports can evaluate how ready you are to address risks or needs associated with your outsourced services. Readiness assessment reports can be used for all SOC report types mentioned above.

We can assist you in selecting the most relevant solution for your SOC reports and pave the road for successful risk management. To learn more about how Deloitte’s Third-Party Assurance services can help your organization, contact us.


Roland Bastin


Partner | Risk Advisory & Forensic

Roland is a partner within the advisory and consulting department and joined the Risk Advisory practice of Deloitte in 2001. He is responsible for IT audit, IT security, IT regulatory compliance, Data...

Stéphane Hurtaud


Partner | Cyber Risk Leader

Stéphane is a partner within our Risk Advisory practice. He has over 25 years of experience in the IT risk, Information Security and IT audit fields, with a strong focus on the financial services indu...
