Why is it important?

Companies are increasingly outsourcing systems, business processes, and data processing to external service providers in an effort to focus on core competencies, reduce costs, and quickly deploy new functionality. As a result, businesses are updating their processes for monitoring their outsourced vendor relationships and managing the risks associated with outsourcing. SOC1, SOC2 and SOC3 reports are aimed at providing reasonable assurance on controls at service organisations.

How we can help

KPMG has solid experience conducting SOC engagements. We have a mature and experienced team that will oversee the quality of work, and ensure on-time report delivery. We apply a proven ‘no-surprise’ approach, to deliver engagements on time and within budget and without any issues, while being flexible to your need. We use early alerting reporting should we uncover significant exceptions to prescribed controls, which may lead to a qualified opinion.

What we do 

• We can conduct an SOC readiness assessment, which includes a review of the current situation and provides high-level observations and recommendations on any gaps in the control environment that may lead to qualification of further SOC assurance reports. 
• We conduct attestation audits and prepare SOC 1, SOC 2 and SOC 3 reports, to provide assurance on controls at service organisations. The selection of report type depends on the clients’ requirements:
  • SOC1 is a report focused on risks and controls on preparation of financial reports. It is commonly requested by organisations to satisfy the requirements of third parties as part of the audit of their IT environments. This report is limited to processes and systems that relate to financial reporting and is intended for both users and their auditors.
  •  SOC2 is a report that concentrates on operational controls, focusing on security, availability, confidentiality, processing integrity and/or privacy. This report may be provided for any process or system. This report is intended for users, their auditors and specified third parties. If you are a service provider (e.g. data center, cloud service provider, web-hosting company, telecom operator, outsourcing company, etc.) that collects, stores, transmits and operates any kind of client data, you will need this report to satisfy your clients that appropriate security safeguards are in place for their data.
  • SOC3 is a short report with a high-level overview of the information presented in an SOC2 report, with specific and confidential information on systems and controls removed. This document can be widely distributed and demonstrates to current and potential clients that the attested organisation maintains the required levels of controls demanded by an SOC2 assurance report.

What you get

Service providers and their clients have the confidence that controls are in place to make sure that their information is properly processed, kept secure and that transactions are processed accurately. In today’s crowded marketplace this provides a clear USP and a competitive advantage. The independent review of operations that we provide helps our clients to identify any weaknesses and to improve and streamline their processes.