Resilience sector insights - Systems and Organisation Controls (SOC)

As scrutiny on supply chain and outsourcing service providers (OSPs) continues to increase – in what ways can organisations prepare for the challenges ahead and identify upcoming opportunities?

Resilience: a strategic imperative

We see resilience as a strategic imperative to ensure the sustainability of your organisation and drive stakeholder value. Resilience is more than just the ability to absorb and recover from disruptive events. We say resilience is the capacity to remain relevant, competitive and drive value for your stakeholders in these ever-changing times.

Organisations operate in a constantly changing environment. They need to prepare and plan for a wide range of strategic and operational risks and opportunities, and to respond quickly to crises. Building resilience is an imperative for all organisations and requires an effective combination of risk management and strategic agility.

We offer a wide breadth of services for a large range of clients across industry sectors. Through conversations with leaders within these services, we’re looking to offer sector insights to demonstrate how resilience plays a major role across all areas of your business.

We spoke with Conrad Volker, Director of Technology & Digital and Head of SOC Services.

From a SOC perspective, what are the challenges and opportunities for clients in the next 12 months?

This depends on the maturity of the OSP. Smaller service providers often do not yet have an embedded or mature controls environment that can stand up to outside scrutiny, and whilst they may be quite agile, their processes are often not formally documented. This can potentially close the door to them for opportunities to bid for work with larger corporations, and consequently result in a lack of access to market opportunities.

Increasingly user organisations require a certain level of assurance before agreeing to start business with OSPs. Quite often the bidding processes will require them to complete a questionnaire, but increasingly vendors require formal evidence of assurance over their control environment. This could be in the form of a certification, such as ISO27001, or increasingly an assurance standard such as a SOC report.

User organisations use SOC reporting for their initial vetting but also require it for ongoing assurance, thus giving them visibility over the rigour of the vendors’ control environment and any gaps that may exist.

Are there any regulations organisations should look out for?

The Digital Operational Resilience Act (DORA) is a European framework introduced to ensure organisations are holding the appropriate processes and controls needed to establish IT and cyber resilience. The important thing is that organisations will need to be able to demonstrate this. They will need mechanisms in place to ensure they’re compliant with regulations. Otherwise, OSPs can be fined, and this could result in them losing business.

These sorts of regulations benefit the user organisations as well as OSPs. It means user organisations will have more visibility of the control environment they have outsourced and so their operations will be more secure and resilient.

What should clients be looking out for in the next 3 – 5 years?

Demands of customers are increasing around security and technology. It is important that OSPs stay aware of these demands and keep updated in how to evolve their systems and controls to fit around them.

What are some of the different levels of assurance which can be provided to OSPs?

An assurance opinion can be provided in accordance with a recognised standard, which can be shared with user organisations and stakeholders (such as their auditors or regulators).

There is a range of standards and reports available within the SOC assurance landscape, such as ISAE 3000, ISAE 3402, SOC1 or SOC2.

The choice of standard is informed by stakeholder requirements, e.g., cloud providers are often more interested in a SOC 2, whereas those more interested in controls over financial reporting would ask for an ISAE 3402 or SOC 1 report. The type of report is further informed by the OSP’s level of maturity.

For those just embarking on their SOC journey a Type I may be more appropriate, as it only opines on the existence and design of controls at a point in time, whereas more mature organisations would aim for a Type II, which also includes the effectiveness of controls over a period, typically six to 12 months.

How can the SOC team help support clients?

Through our international operations, we can provide the assurance you need using professionals highly experienced in delivering such assignments. We offer:

  • Guidance on how to adopt these standards.
  • The preparation of documentation for audit.
  • Dedicated client managers.
  • Consistent and experienced teams.
  • Working practices which are flexed to your unique needs.

If you would like to understand more about managing your system and organisational controls, please contact us for an initial conversation.

Get in touch

If you would like to know more about how we can help you navigate your options, please get in touch.
