
Service Organization Controls

Why businesses need Service Organization Controls (SOC) reporting

Businesses are increasingly dependent on third parties to provide critical services, especially services related to information technology (IT). Third-party services can help businesses remain competitive globally, grow in the market, or reduce costs while increasing quality.

However, increased usage of a complex network of third-party suppliers also increases IT corporate governance concerns, such as cyber and security threats, data quality issues, privacy legislation and regulatory requirements. Each company – whether regulated or not – is ultimately responsible for managing and monitoring the risk related to third-party relationships.

One of the most effective ways that organizations can communicate about their risk management and internal control environment is through Service Organization Controls (SOC) reporting.

How Deloitte can help

Reports on controls that impact the financial reporting of your customers. Typically performed under the SSAE18 SOC1 standard (issued by the American Institute of Certified Public Accountants or AICPA) or ISAE 3402 (issued by the International Auditing and Assurance Standards Board or IAASB).

Non-financial report based on one or more of the Trust Service Criteria (security, availability, processing integrity, confidentiality and privacy), performed under the SOC2/SOC3 standard (issued by the AICPA).

Report used to demonstrate compliance with a wide range of regulatory and industry frameworks such as ISO27001, CSA, COSO, CSSF compliance, Blockchain and COBIT. Typically performed following the enhanced SOC2 (also called SOC2+) standard, the SOC for Cybersecurity standard (issued by the AICPA) or the ISAE 3000 standard (issued by the International Federation of Accountants or IFA).

Report on specific procedures performed on a subject matter, presenting the findings without providing an opinion or conclusion. Typically performed under the ISRS 4400 standard (issued by the IAASB).

A Deloitte readiness assessment of SOC reports can evaluate how ready you are to address risks or needs associated with your outsourced services. Readiness assessment reports can be used for all SOC report types mentioned above.

We can assist you in selecting the most relevant solution for your SOC reports and pave the road for successful risk management. To learn more about how Deloitte’s Third-Party Assurance services can help your organization, contact us.