September 2014

Service Organization Controls Reporting SOC 1
Meeting your clients’ compliance and audit needs

Benefits to you

• Client retention and acquisition
Your clients must meet specific compliance and audit requirements. A SOC 1 report is one more component of your services, helping you achieve your client satisfaction goals. It also provides you with an advantage over your competitors who do not have a similar report prepared.

• Decreased costs
Organizations without a SOC 1 report may be subject to testing by clients’ internal and external auditors. This disrupts operations and requires the redeployment of scarce resources to assist these auditors.

• Improved risk management and control
An experienced independent audit team evaluates your processes and controls to help identify opportunities for improving them.

You focus on providing your clients’ services in an efficient and effective manner, but this may not be enough. Your clients also need to:
• Understand controls over the processes they have outsourced and their effect on their internal controls
• Evaluate the design of those controls
• Have confidence that the controls are functioning as intended

Service Organization Controls (SOC) reports are prepared in accordance with the International Auditing and Assurance Standards Board’s (IAASB) International Standard on Assurance Engagements (ISAE) 3402 or the American Institute of Certified Public Accountants’ (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 16. These standards allow independent auditors to issue reports that help meet the compliance and audit needs of your clients.

Survey question: why do you provide independent assurance to your user organizations?
Seen as providing competitive advantage in winning work (competitors do not provide this independent assurance): 71%
Contractual or compliance requirement to provide independent assurance: 84%

In a survey of more than 75 members of leading service organizations across Europe, the Middle East, India and Africa (EMEIA), EY identified that, in addition to the compliance or contractual requirements, a significant reason for obtaining an independent assurance report was to have a competitive advantage.

As an external service provider, you have designed your processes to meet your clients’ operational and processing needs, but are you addressing their audit and compliance needs? If not, you may be missing a critical client need.

The SOC 1 report

A SOC 1 report is an examination (similar to an audit) of a description produced by you of the system(s) you operate on behalf of your clients that are relevant to their internal control processes related to financial reporting. There are two types of reports: type I and type II.

Type I reports provide:
• A description of your controls supported by a management assertion and an auditor’s opinion on the fairness of that description, and whether the controls had been placed into operation
• A management assertion and an auditor’s opinion on whether the controls are appropriately designed to meet the control objectives

A type II report adds a management assertion and an auditor’s opinion on the operating effectiveness of your controls in addition to the opinions provided in a type I report.

A practical approach to helping deliver a SOC 1 report to your clients

Our approach is focused on helping you meet your clients’ audit and compliance requirements.
It includes the following:
• Working with you to understand your clients’ regulatory and compliance needs in order to develop a strategy for meeting those needs
• Assisting you in developing the control objectives for your processes
• Assisting you in planning an appropriate approach to the risk assessment and identifying the basis for your assertion
• Helping your personnel identify the controls you have implemented to address the control objectives
• Testing the operational effectiveness of your controls
• Assisting you in describing your controls in the SOC 1 report
• Reporting on the results of our testing

How the process works

[Figure: process diagram with four phases (Develop expectations, Plan the SOC 1, Perform examination, Report the results), repeated in subsequent periods using lessons learned.]

The EY difference

• Perspective — your SOC 1 report is not just a tool for meeting clients’ requirements; it is usually the single best description of your processes and procedures that you can provide your clients. We advise you on how to leverage this communication to enhance your clients’ understanding of your processes. This perspective is a major part of the EY difference.
• Experienced professionals — our global service delivery team includes dedicated professionals with significant experience performing SOC 1 engagements.
This means you will be teaming with people who understand the issues that can arise, and how critical your programs and projects are to your organization’s success.
• Knowledge — our skilled professionals’ experience and knowledge from working with multiple clients is leveraged to benefit your organization directly.

Our team of professionals is focused on providing the right services at the right time to leading organizations in both the public and private sector.

EY helps organizations achieve their business objectives by delivering a wide range of advisory services that are designed to help enhance risk management activities and improve business processes. From our network of member firms around the world, EY’s Advisory professionals provide services that help clients assess, improve and monitor their business risks.

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

About the EY SOC Reporting practice

Our firm plays an important role internationally in the SOC reporting landscape. We have representatives in working groups defining the professional standards that are used for SOC reporting. We have over 1150 professionals worldwide whose daily work is delivering SOC reports to our clients.
All this leads to a substantial amount of thought leadership on SOC reporting within our organization. Thought leadership is available through our professionals that work together on a daily basis to create an effective and efficient SOC reporting process for our clients.

© 2014 EYGM Limited. All rights reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com/advisory
Visit our website for more information on SOC reporting and the services we can offer.

For more information, contact:

Christophe Wintgens
Partner, Extended Assurance
Christophe.Wintgens@lu.ey.com
+352 42 124 8402

Ted Anderson
Executive Director, Third party reporting and Financial Services Audit
Ted.Anderson@lu.ey.com
+352 42 124 8792

Pierre-Marie Boul
Manager, Third party reporting and Financial Services Audit
Pierre-Marie.Boul@lu.ey.com
+352 42 124 8687