Service organization audit (ISAE, SSAE, SOC2, SOC3)

Service organization audit

Organizations are increasingly apply for outsourcing services to support key business processes in order to focus on the key objectives, reduce costs and quickly implement a new application functionality. With respect to the increasing level of global competition, new threats, regulatory requirements, management responsibility for the outsourced processes, organizations are increasingly focused on monitoring and managing risks associated with the relationship with their external suppliers.

The evolution of outsourcing models introduced new standards for reporting on service organization controls (SOC1, SOC2, SOC3), designed to meet the requirements of outsourcing services consumers on the reliability of information.
SOC reporting can improve the position of the service organization on the market and attract new customers by increasing confidence in the effectiveness of internal controls on the side of the service organization, transparency and reliability of outsourced processes. SOC-certification reduces the number and scope of internal and external audit from their clients. In addition, the report on the internal control environment of the service provider is a requirement for many large companies.
SOC1: ISAE 3402 / SSAE 16 is an international standard for reporting on controls effectiveness in service organizations.

SOC2 report covers all the controls relating to one or more domains: security (optional), availability, confidentiality, integrity of data and etc.
SOC3 reports are "condensed" version of SOC2 reports, intended for free public distribution.
KPMG is capable of performing the SAS 70 / SSAE 16 / ISAE 3402 attestation audit, and prepare the required report, or can also provide advisory services in case of this will be the first audit year, and if your Company needs assistance with the implementation of the controls.


Connect with us