Attestation and Certification – ISAE3402/SOC1/SOC2
Business processes can be outsourced, related risks cannot. It’s logical, but not always that easy. It’s perfectly normal that your clients request proof that their processes and data are secured and managed by you in line with best practices and/or applicable regulations. This type of assurance can be provided through a System & Organisation Controls (SOC) report. In practice, we find two variants under the title of SOC reports: SOC1 (also known as ISAE3402) with a main focus on financial service providers and SOC2, applicable to providers of non-financial services.
As a service provider, a SOC attestation gives you a powerful commercial tool that you can use to convince your clients of the quality of your services, and to show that you have addressed the key risks in relation to the service offered. In black and white.
In safe hands
Yes, you’ve got it right. A SOC attestation offers indisputable advantages. The attestation provides insight into all processes, how these processes (and related risks) are managed, and whether security measures and regulatory requirements are in line with best practices and/or applicable regulations. For example, the General Data Protection Regulation (GDPR) entered into force in 2018, which resulted in a significant increase in questions from customers about data privacy and about how you, as a service provider, ensure compliance with this regulation.
In short, these types of attestations will give your clients all the assurance they need, allowing them to confidently place their processes and data in your hands.
Suppose you are a service provider (IT service, Software as a Service provider, payroll processing provider, asset manager, etc.). How can you give your client(s) peace of mind? Separate audits for each client may offer a solution, but they are expensive and put unnecessary pressure on the efficiency of your organisation. On top of that, the workload and costs of these individual audits per customer or service can quickly reach sky-high proportions - for both you and your client. With a SOC report in place, these individual audits are rolled into a single audit that shares insights into each process, and into the manner in which you manage and report risks, with your clients. The goal is ultimately to address as many of your customers’ questions as possible, if not all of them.
Right to play
SOC1 and SOC2 are currently the international standard for the certification of outsourced processes and systems. ISAE3402 is issued by the International Federation of Accountants and consequently has a global reach and international recognition.
Due to the systematic rise in the number of compliance requirements for organisations, the market increasingly expects you as a service provider to be able to provide these types of certificates.
This increasing demand for “assurance” from service providers is currently most prevalent among organisations active in the financial and public sectors, and among listed companies. In these sectors, specifications or RFPs (Requests for Proposal) systematically contain a requirement in relation to these certificates, which have thus become a “right to play”. This will most likely be extended to other sectors in the future, e.g. the medical sector.
For more information on SOC reports, please consult our general SOC brochure as well as our brochure on Data Privacy Attestations, which specifically addresses the GDPR regulation introduced in May 2018.