Service Organization Controls Reporting (SOCR)

In Consulting

EY offers services for independent assessment and attestation of the system of internal controls by leading attestation and reporting standards such as SOC 1, SOC 2, SOC 3, ISAE 3000 and ISAE 3402. Service organization control reporting (SOCR) brings value to an organization that provides services, and to its customers who want to be sure that their supplier's control environment meets the requirements of these internationally recognized standards.

Related topics Technology Consulting Cybersecurity Risk

The team

Dmytro Lazuchenkov

Dmytro Lazuchenkov

Partner, Technology Risk Consulting Leader

Pavlo Pavlenko

Pavlo Pavlenko

Senior Consultant, Technology Risk Consulting

What EY can do for you

EY is a global SOCR leader, issuing more than 3,000 SOC reports to more than 900 clients each year. We have been helping our clients understand the value and benefits associated with high-quality SOC examinations since 1993. We are also leaders in the technology, financial services and healthcare sectors. We audited almost half of the largest global technology companies and one third of the Russell 3000 health companies, and we worked with nearly all the top 25 global asset managers.

We bring all this experience to help companies address an ever-more complex and fast-changing environment. Customers and regulators are looking for more assurance in areas such as privacy and security, and they expect management to be able to provide answers.

In their turn, management are recognizing an increased dependence on suppliers and partners, and want assurance that these organizations are managing their risks and will continue to be reliable suppliers in the future.

All of this is creating increased demand for independent assurance from companies throughout the supply chain. SOCR helps companies build that trust with their partners by providing an independent opinion on the extent to which their controls are designed to address key risks and allow them to operate effectively.

The benefits of providing independent assurance include:

  • Building trust with existing customers
  • Demonstrating the quality of controls as part of bidding for new contracts – including building credibility where start-ups are looking to win contracts with larger entities
  • Undergoing one audit rather than multiple customer audits
  • Focusing on key controls, with the opportunity to challenge other control activities

What we do

We provide control attestation services to our clients, using several generally recognized reporting systems and control frameworks:

  • SOC 1 / ISAE3402

    • SOC 1 reporting is used for processes related to financial reporting
    • The standard is designed to meet the needs of organizations and accountants who review financial statements and is an assessment of the effectiveness of internal controls of a service organization
    • There are 2 types of SOC 1 reporting: Type I (attestation of controls for a certain date) and Type II (attestation of controls for a certain period of time)

  • SOC 2 / ISAE3000

    • SOC 2 reporting is used for non-financial reporting processes, including privacy and GDPR processes and controls
    • SOC 2 defines the criteria for managing customer data based on five "principles of trusted service" — security, availability, data integrity, confidentiality and protection of personal data
    • There are 2 types of SOC 2 reporting: Type I (attestation of controls for a certain date) and Type II (attestation of controls for a certain period of time)

  • SOC 3

    • SOC 3 reporting is used for non-financial reporting processes and is intended for a wide audience (publicly available)
    • Unlike SOC 2 reports, SOC 3 reports do not contain a detailed description of the auditor's audited controls, test procedures and results of test procedures
    • There is 1 type of SOC 3 reporting: Type II (attestation of controls over a certain period of time)

  • SOC for Cybersecurity

    • SOC reporting for cybersecurity is used to certify an organization's cybersecurity risk management programs
    • There are 2 types of SOC reporting for cybersecurity: Type I (attestation of controls for a specific date) and Type II (attestation of controls for a specific period of time)

  • SWIFT CSP

    • ISAE 3000 reporting is used for the annual attestation of SWIFT CSP controls
    • SWIFT's Customer Security Program (CSP) helps financial institutions provide modern and effective defenses against cyber attacks and protect the integrity of the wider financial network
    • Attestation of SWIFT CSP controls takes place on a certain date

  • SOX (Sarbanes-Oxley Act)

    • Public companies that place their shares on the American stock exchange must comply with SOX regulation in both the financial and IT spheres. The work of the IT function in companies has changed due to SOX, as the regulation has changed the way corporate electronic records are stored and processed
    • SOX internal security controls require data security practices and processes and full visibility of interactions with financial data over time

  • ETSI (European Telecommunications Standards Institute)

    • ETSI – creates and maintains global standards for information and communication technology (ICT) systems, applications and services used in all sectors of industry and society
    • ETSI develops standards in key global technologies such as: GSM, TETRA, 3G, 4G, 5G, DECT
    • The ETSI EN 319 standard contains requirements for generating cryptographic key certificates, managing them and issuing them

Why EY?

Our team has huge experience in the implementation of various reporting projects on the controls of service organizations, including the release of SOC 1, SOC 2 and ISAE 3000 reporting for SWIFT CSP, as well as the implementation and testing of SOX controls and ETSI EN 319 controls. The Ukrainian team performed more than 10 such projects over the past 5 years for leading local and international companies in their field (for example, for leaders of the Ukrainian IT market and leading international companies in the financial and telecommunications sectors).

Other technology risk services

Contact us

Like what you’ve seen? Get in touch to learn more.