Under attestation services, including those based on ISAE 3402, ISAE 3000 and other standards, KPMG issues an independent opinion to the recipients of reports on the compliance of an organisation’s internal control system with agreed-upon criteria.

At KPMG, we understand the factors and risks affecting all businesses and their market environment. We ensure independence and expertise that goes beyond an auditor’s opinion, enabling each company to get a better understanding of its organisation. Our objectivity helps businesses identify emerging risks and develop appropriate solutions.

A dedicated team within our Audit Practice (Assurance and IT Audit) renders a range of such services intended for companies providing services to other entities relevant to their financial statements (service organisations). This pertains to companies such as:

  • IT service providers—data processing centres, SaaS (software as a service) providers, etc.
  • Shared services centres
  • Custodian banks
  • Transfer agents/fund accounting
  • Property management companies.

Such reports are addressed not only to the company concerned, but also to its clients and (especially in the case of ISAE 3402 reports) their auditors.

The Assurance and IT Audit team also offers assurance services dedicated to providers of services where confidentiality or availability of data is crucial, e.g. cloud computing, HR data processing, and medical data processing.

These services include reports such as:

  • SOC 2 (Report on Controls at a Service Organisation Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy)—Type 1 and Type 2
  • SOC 3 (Trust Services Report for Service Organisations).

Both types of reports are prepared in accordance with ISAE 3000 (International Standard for Assurance Engagements). SOC 2 is the solution for providing more detailed information in a report restricted to customers of a company, whereas SOC 3 is designed as a short report with unrestricted access (e.g. available on a company’s website).

As an alternative to SOC 2 and SOC 3 reports, ISAE 3000 reports are prepared on the basis of other agreed criteria. If a client is only interested in personal data protection, KPMG can perform an assurance service on compliance with the requirements of Regulation 2016/679 (GDPR), resulting in an ISAE 3000 report in this area.

In addition, KPMG provides assurance services related to the reporting of non-financial data (ESG) in keeping with the guidelines found in widely recognised international standards (GRI, ISO 26000, IIRC, Accounting for Sustainability).

IT audit

Under KPMG’s IT Audit Co/outsourcing service, companies can draw on the expertise and skills of KPMG’s IT Audit experts. This service allows cost-effective access to skills that may be lacking in the client’s internal teams, but are required at a particular time.
