IT ISAE Attestation

Stay relevant and competitive with KPMG’s expertise in SOC reports

In a world where the cloud and technology are rapidly and radically changing the game, we offer a way to remain relevant and competitive.

We help third-party service providers equip themselves with SOC reports in order to stay in control in a fast-paced environment.

Stefan Wälti

Partner, Head of Assurance Technology

KPMG Switzerland

François El Assad

Director, Assurance Technology

KPMG Switzerland

An increasing need to assurance over third parties

The continued evolution of the market, changing risk landscape and accelerated digital transformation pose constant challenges for organizations the world over. Companies that continue to outsource more and more services – from cloud to payroll to helpdesk to software-as-a-service (or SaaS) – need to obtain assurance over the controls at those service providers.

In addition, regulatory requirements are intensifying regardless of where business operations are located. 

As a response to these needs and requirements, standards such as the International Standard on Assurance Engagements (ISAE) No 3402, Assurance Reports on Controls at a Service Organization have been developed by international bodies. They are meant to allow companies to better manage risks related to outsourced services.

Annual assurance services audits of third-party providers are conducted by independent auditors, testing controls over areas such as network and access management, change management and IT operations.

The outcome is a report (e.g. ISAE 3402, SOC 1, SOC 2/ISAE3000) containing an audit opinion, details of services provided, as well as results of testing. It provides the level of transparency and information needed by customers to meet their compliance and assurance requirements.

Graphic: an increasing need to assurance over third parties

How KPMG assists service providers with SOC and ISAE reports

We assist organizations in designing, developing and issuing such attestations (both SOC reports and ISAE reports) over their internal controls. This allows them to provide third-party assurance to their customers.

Our assurance services focus on either financial reporting controls with ISAE 3402 and SOC 1 reports, or more operational and security processes with ISAE 3000 or SOC 2 reports.

The international standards underlying these reports (ISAE 3042, SSAE 18) are complex to grasp, so organizations often seek support in understanding what they need to do. That is where we play a role in enabling companies through our unique leading proposition.

Scope of reports



ISAE 3402

International Standard on Assurance Engagements (ISAE) No 3402, Assurance Reports on Controls at a Service Organization

Focuses on controls which are relevant to a company’s (user entity) financial reporting.

ISAE 3000

International Standard on Assurance Engagements (ISAE) No 3000, Assurance Engagements other than Audits or Reviews of Historical Financial Information

Focuses on controls related to compliance or operations.


Service Organization Controls Report 1

Focuses on outsourced services performed by service organizations which are relevant to a company’s (user entity) financial reporting.


Service Organization Controls Report 2

Focuses on operational risks of outsourcing to third parties outside financial reporting.
Based on five AICPA Trust Services Categories (formerly Trust Services Criteria):

  • Security (must)
  • Availability
  • Processing integrity
  • Confidentiality
  • and/or Privacy


Service Organization Controls Report 3

A SOC 3 report is based on a SOC 2 Type 2 report but isn’t as comprehensive.

Confidential information is redacted to make it appropriate for general use.

A three-phased approach enabled by technology

We have developed a proven and technology enabled three-phased approach to help service providers implement robust processes and controls over their information systems. Our risk-based methodology, our technology, the close collaboration with our clients and our understanding of the service and sector are our distinguishing factors. The approach contains the following 3 phases, aligned with the standard. 

  1. Diagnostic Review

    We review and evaluate end-to-end processes, assessing risks and identifying relevant controls.

  2. Testing

    We audit your controls following a risk-based approach in an efficient manner.

  3. Reporting

    We prepare the report in a way that is aligned with the relevant standards but also easy to understand.

Our third-party assurance experts have extensive experience in accompanying clients on this journey, focusing on the relevant risks related to their services. From the identification of risks in relevant processes to the design of controls, we offer end-to-end solutions aimed at covering the entire spectrum of requirements laid out by the standards. 

Our innovative assurance solution – KPMG Clara platform

Powered by our proprietary first-in-class KPMG Clara platform, we provide high-quality assurance services to quickly and effectively reach compliance, while maintaining the right level of quality. We develop a repeatable and scalable process allowing synergies and innovation year-on-year.

Our offer is also differentiated thanks to our multi-disciplinary model, in which we cover all relevant aspects from financial reporting to internal controls to cloud-based security.

Our SOC reports are of the highest quality and are regarded as industry-leading. We issue hundreds of them for service providers all over the world and are at the forefront of regulatory changes impacting the relevant standard. With us, you can access the most experienced sector-focus professionals, anywhere, anytime.

In addition, we support service providers in handling customer demands, thus facilitating audits and compliance reviews. Our objective and utmost priority is for all organizations to better manage risks in the most efficient and cost-effective way.

> Find out more about KPMG Clara

KPMG Clara: Audit Solution - Impressions

Contact our experts

In a world with rising customer expectations, intensifying regulatory pressures and increasing third-party reliance, SOC reports have become essential for service providers to stay competitive. So get in touch!

François El Assad

Director, Assurance Technology

KPMG Switzerland

Stefan Wälti

Partner, Head of Assurance Technology

KPMG Switzerland

Discover more

Assurance Technology

We help organizations with our risk, process and control expertise to remain agile, competitive and sustainable.

ISAE attestations as a competitive differentiator

The international market reference for IT service providers

Why is there a growing demand for SOC 2 in Switzerland?

SOC 2 reports - the current “gold” standard when it comes to providing assurance on aspects such as security, availability or privacy.