Third Party Risk Assurance


Building trust with sound controls


Service organizations have various ways of providing assurance to their customers and other stakeholders over their control environment. One of the most effective is to issue a Service Organization Control (SOC) report.

Performing an SOC review allows organizations to provide assurances to their customers that they are aware and in control of the third party risks of outsourcing and are operating a sound control environment, thereby establishing confidence and trust in the value of the services provided.

The benefits of SOC include:

  • Transparency & trust – Provide transparency on the quality of the internal control environment to enhance trust in the services provided by the service organization
  • Improvements to your control environment – Identify and provide areas to mitigate financial and operational risks in the service organization’s control environment
  • Competitive advantage – Provide positive marketing opportunities which add to the service organization’s competitive advantage

Globally, there are different types of SOC reports adopted by the industry as shown in the table below. Increasingly, organizations are using SOC 2 and SOC 3 reports for increased assurance over outsourced controls which can include security, processing integrity, confidentiality and privacy.

  ISAE 3402 / SOC 1 – Internal Control Over Financial Reporting (ICOFR)
  Summary: International framework that focuses on financial reporting risks and controls specified by the service provider.
  Applicability: Most applicable when the service provider performs financial transaction processing or supports transaction processing systems.

  SOC 2 – Operational Controls
  Summary: US standard focused on security, availability, confidentiality, processing integrity, and/or privacy. Applicable to a broad variety of systems.
  Applicability: Can be useful for the financial audit of the user entity, after an evaluation of the suitability of the criteria by the user auditor.

  SOC 3 – Operational Controls
  Summary: Similar to a SOC 2, although much shorter, with the option of displaying a website seal.
  Applicability: Limited value for audit purposes. Useful for other stakeholders, with the option to show the seal on a website.

Our services include readiness assessments to help organizations identify control gaps in preparation for attestations, and the actual audits. Examples of attestation/assurance reports include the Outsourced Service Provider's Audit Report (OSPAR) required by ABS Guidelines and independent assessment reports for Cloud Service Providers (CSPs).
