Service Organization Controls Reporting (SOCR)
EY offers independent assessments to test management’s assertion over business processes and controls in the IT environment and test business processes and controls against specific attestation standards, such as SOC 1, ISAE 3402 and SOC 2 reports. Service Organization Controls Reporting (SOCR) brings value to both the service organization and its customers who want assurance that their provider’s control environment meets the requirements of these globally recognized standards.
EY is a global SOCR market leader, issuing more than 3,000 SOC reports across more than 900 clients each year. We have been helping our clients understand the value and benefits associated with high-quality SOC examinations since 1993. We are also leaders in the technology, financial services and health care sectors, auditing 46% of the largest global technology companies and 36% of the Russell 3000 health companies, and working with 96% of the top 25 global asset managers.
We bring all this experience to bear in helping companies address an ever more complex environment, which is changing at an unprecedented pace. Customers and regulators are looking for more assurance in areas such as privacy and security, and expect management to be able to provide answers. In their turn, management are recognising their increased dependence on suppliers and partners, and want assurance that these organisations are managing their risks so they will continue to be reliable suppliers in future.
All of this is creating increased demand for independent assurance from companies throughout the supply chain, to provide assurance that risks are being effectively managed. SOCR helps companies build that trust with their partners by providing an independent opinion on the extent to which their controls are designed to address key risks, and are operating effectively.
Our clients tell us the benefits of providing this independent assurance to their customers and prospective customers include:
- Building trust with existing customers
- Demonstrating the quality of controls as part of bidding for new contracts – including building credibility where start ups are looking to win contracts with larger entities
- Having one audit rather than multiple customer audits
- Focusing on key controls, with the opportunity to then challenge other control activities
We provide this assurance to our SOCR clients using a range of globally-recognised reporting frameworks, including:
- SOC 1 / ISAE3402 for processes related to financial statement reporting
- SOC 2 / ISAE3000 for other processes, including privacy and GDPR processes and controls
- SOC for Cybersecurity
- SOC for Supply Chain
- ISO27001 where the need is certification of an information security management system
Sectors where we provide independent assurance, in both private and public sectors, include:
- IT outsourcers, including cloud services providers and Software as a Service (SaaS) application providers
- Business process outsourcers (e.g. payroll processors, finance processors)
- Telecoms companies
- Asset managers
- Pension administrators
- Health care
- Real estate managers
- Distribution companies