SOC Reports – An overview

Organisations increasingly rely on third-party service providers to handle customer-facing operations or support internal processes. This dependence exposes them to various risks that must be managed as part of a risk management programme. An essential component of such a programme is ensuring that robust internal controls are in place within the service provider’s environment. Consequently, an effective internal control framework is critical for service providers, as they bear the responsibility of implementing and reporting on internal controls to meet customer requirements. Through the issuance of System and Organisation Control (SOC) reports, service providers and their customers obtain a comprehensive view of the effectiveness of internal controls, not only over financial reporting but also over operational, security and privacy aspects.

The SOC reports serve a dual purpose: they attest to the design and operational effectiveness of internal controls and offer a singular, unified document that communicates this information to multiple customers simultaneously. This is particularly beneficial for service organisations that cater to various entities, as it simplifies the process of conveying the state of their internal control systems.

Moreover, SOC reports extend beyond financial safeguards to encompass a wider scope of risk management. They address potential operational, security, and privacy risks, thereby offering a holistic view of the organisation’s risk posture. This makes SOC reports valuable tools for all stakeholders involved, including management, auditors, regulators, business partners, and customers, ensuring that all parties are informed about the organisation’s commitment to maintaining a secure and controlled environment.

How can we help? Our service offering

KPMG in India offers IT Attestation/Assurance reporting services to assist service organisations in reporting the effectiveness of their internal control environment to user organisations. We provide holistic, wide-ranging services that include readiness assessment as well as independent IT Attestation/Assurance services. Our approach is tailored to meet the specific requirements of each project.

Our diversified service portfolio in IT Attestation/Assurance, combined with our experience of having supported businesses from start-ups to complex global organisations in their SOC reporting journey, is bound to provide significant benefits to service organisations. Our team of practitioners includes subject matter specialists for domains such as privacy, continuity and cloud security, and offers objective support across the spectrum of assurance requirements.

SOC 1

SOC 1 reporting is designed for organisations that provide services relevant to users’ financial controls. It is a detailed report for users and their auditors and has a defined scope that can include the following:

  • Classes of transactions
  • Procedures for processing and reporting transactions
  • Accounting records of the systems
  • Supporting Information Technology general controls

Examples include service providers offering finance and accounting services, payroll processors and medical claims processors. SOC 1 reports address common control-related questions from multiple user auditors. The control objectives are defined by the service provider and may vary depending on the type of services provided.

SOC 1 is crucial for financial reporting and for compliance with regulations such as the Sarbanes-Oxley Act. SOC 1 plays a vital role in maintaining trust in financial reporting processes.

SOC 2 and SOC 3

SOC 2 attestation is a rigorous assessment process that evaluates a service organisation’s controls related to the security, availability, processing integrity, confidentiality and privacy of a system. The attestation is based on the Trust Services Criteria (TSC) established by the American Institute of Certified Public Accountants (AICPA). The trust services categories in scope are selected by the service organisation. The outcome of a SOC 2 attestation is a detailed report that provides assurance to clients, partners and stakeholders that the service organisation is managing and protecting data with due diligence. Increasingly, SOC 2 reports are being used by end customers as a critical component of their Third Party Risk Management Programme / Vendor Risk Management Programme to gain visibility into the controls implemented by the service provider and the results of the audit.

SOC 3 is a short report based on the TSCs mentioned above. This report does not contain all the details that are in a SOC 2 report, but it provides the required information for certain stakeholders, for example a potential customer.

Readiness assessment

To enable a smooth transition to a robust internal controls environment and an effective SOC reporting model, we also offer SOC readiness assessment services. SOC readiness offers a thorough assessment of the service organisation’s control posture and provides insights into control design, implementation and control deficiencies. A thorough readiness assessment and subsequent remediation of deficiencies is extremely beneficial for subsequent SOC reporting and demonstrates a robust control framework.

SOC 2 for cloud

Service organisations that offer their services through a cloud arrangement model, including infrastructure as a service, platform as a service and software as a service, can leverage KPMG in India’s SOC 2 for cloud services to effectively report on their internal controls framework. For these cloud providers, SOC 2 compliance demonstrates their commitment to safeguarding customer data and provides assurance to customers that the service provider has implemented effective measures and controls to mitigate the risks associated with breaches of confidentiality, privacy and data security.

SOC 2+: An integrated setup

SOC 2 may offer sufficient assurance on the TSCs for certain customers or stakeholders. However, industries such as healthcare, which are subject to additional specific regulations such as HIPAA, require adaptable tools that integrate various frameworks and standards into third party assurance reporting. SOC 2+ is such a tool, and it can help address the additional regulations or demands of such industries. SOC 2+ can integrate multiple frameworks such as HITRUST, ISO 27001, NIST and CSA.

The goal of SOC 2+ is to provide more robust assurance to stakeholders about the organisation’s commitment to protecting sensitive data and adhering to industry-specific regulations. It is particularly useful for service organisations that handle data requiring stringent security measures due to regulatory demands or business requirements.

HITRUST services

Why KPMG in India?

KPMG in India is one of the recognised, well-reputed leaders in providing IT Attestation/Assurance services. With our global experience across a cross-section of clients and sectors, we deliver over 250 SOC 1/SOC 2/SOC 3 reports annually. Our well-established methodology, along with seasoned leadership, uniquely positions us to provide our clients with the right consultation and enable them to meet their reporting objectives. We have more than 500 skilled and trained team members who are accredited to perform SOC examinations.

Our select credentials

A Global Custodian Service Provider

KPMG in India issues an ISAE 3402 report to a leading global custodian service provider covering Custody and Fund Administration Services.

A Global Investment Bank

KPMG in India performed an ISAE 3402 examination with over 50 team members across 14 locations, helping the client to consolidate their global attestation reviews over key securities and fund services businesses into approximately 11 regional / product reports.

A Global Administrative Service Provider

KPMG in India issues an ISAE 3402 report to a global company for their Fund Accounting, Registrar & Transfer Agency Services.

A Leading Bank

KPMG in India performed an ISAE 3402 examination for a leading bank for their Custody, Fund Accounting and PCM Services.

A Leading Cloud-based FinTech Company

KPMG in India has performed ISAE 3402 Type 2 engagements for the last four years for their finance platform.

A Leading Financial Services Company

KPMG in India performed 15+ SOC 1 examinations based on the AICPA, ISAE and AUASB standards across multiple products for more than 50 years.

Multinational Financial Services Company

Providing 14+ SOC 1 and SOC 2 attestations for one of the largest multinational financial services companies.

A leading BPO Organisation

KPMG in India issues several ISAE 3402 reports to a leading BPO service provider covering Passenger and Cargo Revenue Accounting Services.
Key Contacts

To know more about how we at KPMG in India can help you address your SOC reporting requirements, please connect with us.