Third Party Assurance SOC 1®, SOC 2®, SOC 3®
Take control of third-party risk with a strong third-party assurance program
Professional service organizations should give their customers the benefit of reduced risk in the services being provided, through their expertise and focus on those services, using SOC 1® and SOC 2® reports.
One of the most effective ways in which organizations (i.e. third parties) can communicate information about their risk management and controls is through a third party assurance report (Service Auditor Report).
The purpose of such a Service Auditor Report is to provide clients and/or their auditors with an objective report that expresses an opinion about the control environment of a service organization (i.e. provider of services). The result is an independent and objective opinion about a standardized set of service objectives that are tested only once to minimize business disruption.
Deloitte offers a range of third party assurance services, such as SOC 1®, SOC 2® and SOC 3® reports under the ISAE 3402, SSAE 18 and ISAE 3000 standards.
SOC 1 report
Assurance report on controls at a service organization that impact the financial reporting of user entities.
SOC 2 report
Assurance report over non-financial information, for the controls regarding security, availability, confidentiality, processing integrity and privacy over services and processes.
Assurance report over non-financial information, for the controls regarding security, availability, confidentiality, processing integrity and privacy over services and processes which incorporates various applicable industry standards, such as NIST, ISO, CSA, GDPR and others.
SOC 3 report
Short public report over non-financial information for the controls regarding security, availability, confidentiality, processing integrity and privacy over services and processes. The report is public and can be used for marketing purposes.
SOC for Supply Chain
Assurance report over non-financial information, around security and availability of products and information from suppliers within the supply chain. It offers user entities a window into a supplier's processes and the controls in place to mitigate risks.
ISAE 3000 report
Assurance report over non-financial information for criteria defined by the entity rather than by a standard: internal controls, sustainability, compliance with laws/regulations, other requirements.
Readiness assessment engagement - readiness assessments explore how ready companies are to address risks or needs associated with their outsourced service provider programs. The readiness assessment reports can be transferable across all third-party assurance report types (like the ones mentioned above).
- Commercial advantage - a method to differentiate a service organization from its peers/competitors.
- Cost savings - providing reports issued by the service auditor rather than undergoing customer audits, and savings on answering questionnaires. This frees up service organization resources to complete more value-added activities.
- Broad assurance - provides reasonable assurance to a broad range of clients with a single report.
- Compliance requirements - demonstrates to regulatory bodies that controls are in place and operating effectively.
- Improve overall control awareness - generates increased awareness within the organization of the importance of controls and embeds a strong control culture.
- Ensuring that the expectations of the third-party vendor relationship are met.
- Ensuring that the company’s multi-purpose reporting requirements - including operational and financial - are met.
- Independent assessment - independent assessment of whether the controls of the service organization were in place, suitably designed and operating effectively.
- Cost savings - avoiding additional costs in sending the auditors of the user entity to the service organization to perform their procedures.
- Maintaining compliance with industry, governmental and other relevant regulatory requirements.