Service Organization Controls has been saved
Solutions
Service Organization Controls
Why businesses need Service Organization Controls (SOC) reporting
Businesses are increasingly dependent on third parties to provide critical services, especially services related to information technology (IT). Third-party services can help businesses remain competitive globally, grow in the market, or reduce costs while increasing quality.
However, increased usage of a complex network of third-party suppliers also increases IT corporate governance concerns, such as cyber and security threats, data quality issues, privacy legislation and regulatory requirements. Each company – whether regulated or not – is ultimately responsible for managing and monitoring the risk related to third-party relationships.
One of the most effective ways that organizations can communicate about their risk management and internal control environment is through Service Organization Controls (SOC) reporting.
Optimizing SOC reporting
Optimizing third-party assurance reporting on Service Organization Controls has significant advantages:

Broad-based assurance:
Assure a diverse range of clients with a single report.

Integrated requirements:
"Test once" and apply results across multiple reports and internal requirements like the SEC’s Sarbanes-Oxley Act (SOX).

Time and cost savings:
Reduce “one-off” requests from customers and their auditors.

Customer value creation:
Differentiate from competition by demonstrating market flexibility and ability to quickly meet customer compliance.

Business process improvement:
Streamline controls and processes and eliminate redundant activities.

Rapid tailoring:
Customize reports for both existing and prospective clients.

Enhancing trust:
Strengthen client trust through a well-structured reporting process.

Improved ability to cross-sell:
Communicate your full range of services through structured reports to pave the way for additional service requests.
How Deloitte can help
Assurance over financial reporting (SOC1)
Reports on controls that impact the financial reporting of your customers. Typically performed under SSAE18 SOC1 standard (issued by the American Institute of Certified Public Accountant or AICPA) or ISAE 3402 (issued by International Auditing and Assurance Standard Board or IAASB)
Assurance over Trust Service Criteria (SOC2)
Non-financial report based on one or more of the Trust Service Criteria (security, availability, processing integrity, confidentiality and privacy) performed under SOC2/SOC3 standard (issued by AICPA)
Assurance over other framework (SOC2+)
Report used to demonstrate compliance with a wide range of regulatory and industry framework such as ISO27001, CSA, COSO, CSSF compliance, Blockchain and COBIT. Typically performed following enhanced SOC2 (also called SOC2+) standard SOC for Cybersecurity standard (issued by AICPA) or ISAE 3000 standard (issued by International federation of Accountants or IFA)
Agreed-upon procedures
Report on specific procedures on subject matter and report the findings without providing an opinion or conclusion. Typically performed under ISRS 4400 standard (issued by the IAASB)
Readiness assessment
A Deloitte readiness assessment of SOC reports can evaluate how ready you are to address risks or needs associated with your outsourced services. Readiness assessment reports can be used for all SOC report types mentioned above
We can assist you in selecting the most relevant solution for your SOC reports and pave the road for successful risk management. To learn more about how Deloitte’s Third-Party Assurance services can help your organization, contact us.