System and Organisation Controls (SOC) Reporting

Providing assurance over outsourced IT/business process provision

Organisations continue to outsource business and IT operations to focus on core business objectives and nearly every organisation has some element of outsourcing in place. The outsourcing landscape has reshaped itself and outsourcing organisations or outsourcers have become a part of the broad ecosystem. Customers, partners, agents, affiliates, vendors, and service providers now make up the ecosystem, many with operations around the world. The ecosystem gives companies access to a broad range of capabilities, creating new and exciting market opportunities. 

At the same time, growing use of outsource service providers (OSPs), has increased concerns over greater enterprise risk exposure. Shareholders, governance committees, senior management, investors and regulators require organisations to assess and manage enterprise risks. They understand that increased reliance on OSPs exposes organisations to risks that are difficult to identify, manage, and monitor. You outsource a service but the risk will also stay with the organisation.  

This has prompted organisations to demand that OSPs provide them with Service Organisation Control (SOC) or Service Auditor reports. These third-party assurance (TPA) reports help OSPs build trust and confidence in their service delivery processes and controls through the attestation from an independent certified public accountant. 

Mazars is regularly engaged by the user or service organisation, as the auditor who provides an independent attestation opinion. TPA engagements are undertaken by the service auditor to provide an independent report on the service organisation’ (Service Provider) internal control environment. The report is used by the management of user organisation (Outsourcer), user entities (Customers, Prospects) and/or their auditors and reduced the need for customers to conduct thier own audits.  

The two types of reporting options are: 

  • Assurance over financial reporting - reports over controls that impacts the financial reporting of user entities. Typically performed under SSAE18, issued by American Institute of Certified Public Accountants (AICPA), also called as SOC 1 and ISAE3402, issued by International Auditing and Assurance Standards Board (IAASB) standard. 
  • Assurance over non-financial information - SOC 2 and SOC 3 based on AICPA’ Trust Services Criteria for Security, Confidentiality, Availability, Processing Integrity, and Privacy, and ISAE 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information, issued by International Federation of Accountants (IFAC). 

TPA or SOC reporting provides a range of benefits for users and providers of outsourced services. 

Benefits - Outsourcer/User Organisation  

  • Manage risks in the third-party/vendor relationship  
  • Meet the company’s multi-purpose reporting requirements, including operational and financial. 
  • Valuable information - independent assessment of whether the controls of the service organisation were in place, suitably designed and operating effectively. 
  • Cost savings - avoiding additional costs in sending the auditors of the user entity to the service organisation to perform audits. 
  • Maintaining compliance with industry, governmental and other relevant regulatory requirements. 

Benefits - Service Providers  

  • Commercial advantage - a method to differentiate a service organisation from its peers/competitors and proactively demonstrate that good practice controls are in place.  
  • Cost savings - providing reports issued by the service auditor rather than customer audits - Savings on answering questionnaires. This frees up service organisation resources to complete more value added activities. 
  • Broad assurance - provides reasonable assurance to a broad range of clients with a single report. 
  • Compliance requirements - demonstrates to regulatory bodies that controls are in place and operating effectively. 
  • Improve overall control awareness - generates increased awareness within the organisation of the importance of controls and embeds a strong control culture. 

Get in touch

To find out more, please contact us using the form below:  

Contact us today