How to build trust and confidence in technology through assurance reporting

Five takeaways from the 13th annual EY System and Organization Controls (SOC) conference.

In brief

• Assurance professionals must adjust to the evolving landscape influenced by AI technologies to strengthen trust and protect data integrity.
• Regular assessments of internal controls and cyber incident response plans can help organizations identify and mitigate potential risks.
• SOC reports and ISO certification communicate transparently with stakeholders to build greater assurance.

The integration of artificial intelligence (AI), generative AI (GenAI) and agentic AI is transforming how organizations operate, bringing about improved data quality, enhanced detection and more efficient processes. While advanced technology also introduces potential risks, assurance and attestation reports that demonstrate the use, reliability and security of these systems provide stakeholders with confidence in AI-driven processes.

1. Service organizations must adjust to the evolving landscape influenced by AI technologies to strengthen trust and protect data integrity.

As AI technology reshapes how organizations operate, organizations will need to continuously monitor their objectives and performance, and adapt their controls. Leading companies are engaging auditing firms to help them navigate the complexities and governance of AI.

To start, organizations must clearly define how AI is used within their processes and how it impacts their controls, which may be a part of SOC attestations or support financial reporting.

Data quality and a strong governance framework are essential. AI can enhance efficiency by capturing information once and using it multiple times, but that data must be reliable, free from bias and of high quality. Agentic AI systems bring new challenges and additional opportunities. Capable of making decisions and taking actions independently, these systems operate with a high degree of autonomy, reducing human involvement and oversight.

2. Strong identity access management (IAM) practices are needed to increase system protection.

Effective IAM through the lifecycle of a user profile helps the organization maintain security of systems and data and supports compliance with SOC reporting expectations. Having a clear understanding of data access is critical information to management and auditors. If something goes wrong, forensic investigators will need to know who had access, what systems were compromised, and the timeline.

However, organizations run into challenges because formal IAM practices are not always implemented effectively or efficiently, observed Scott Rau, Senior Manager, Technology Risk, Ernst & Young LLP. Commonly, we see instances where employees move into new roles while retaining access and passwords from a previous job function. To prevent users from receiving excessive access to systems and data, some organizations implement a “back-to-birthright” approach. Email and basic access privileges remain, but the user must obtain new permissions for all business applications.

Management must “avoid rubber-stamping access to privileged accounts and role-based privileges,” said Sarthak Jain, Senior Manager, Technology Consulting, Ernst & Young LLP. As-needed access can be granted in real time using vaulting tools. Additional approaches to strengthen security include reducing shared and service accounts and using multifactor authentication.

Eddie Foster, Technology Risk, EY US Central SOC Leader, urged organizations to keep open lines of communication between the identity management and human resources teams. IAM automation can assist organizations with timely de-provisioning, provisioning and access review.

An EY survey of more than 2,000 SOC reports supporting customers’ 2024 and 2025 financial audits found logical access-related deviations, indicating the need for a heightened focus in this domain.

3. The American Institute of Certified Public Accountants (AICPA) continues to enhance SOC reporting.

SOC reports instill trust between service organizations and users (i.e., customers) through transparent reporting and examination of business operations and controls. The AICPA produced its latest updates to the 2025 edition of the SOC 1 Guide and is regularly addressing SOC reporting guidelines while also convening other working groups to explore SOC 2 enhancement, cybersecurity, AI practices, sustainability and digital assets as stakeholder expectations continue to evolve.

Among the biggest changes for SOC 1 reports within the new SOC 1 Guide has been the focus on whether a service provider meets the definition of a “subservice organization” and their effect on internal controls over financial reporting risks. Software as a Service (SaaS) applications/IT tools and cloud-related systems often warrant consideration as subservicers, rather than vendors in your report.

The AICPA’s focus for SOC 2 reports is to make them consistently of higher quality and more accessible to users, acknowledging that every organization won’t have the same controls. These reports offer customers insights on internal controls designed to meet service commitments and system requirements for security, availability, confidentiality, processing integrity and privacy based on the AICPA Trust Services Criteria (TSC). “Reports should clearly articulate your service offerings, processes and controls, giving the users the right amount of context,” Miller advised.

SOC 2 service commitments and system requirements can include compliance with laws and regulations. In some situations, a process or control framework may be committed to or required by a law or regulation. We are seeing SOC 2 reports used to help evidence compliance with some of the European Union (EU) and US state regulations.

Top organizations are proactive in addressing customers’ compliance questions through their SOC 2 reports and improving their control environments. “These subtle enhancements can really differentiate your reports vs. your peers’ and also build a lot of goodwill,” said Matt Beaulieu, Technology Risk EY US East SOC Leader. “Companies that improve their control environment, address inquiries effectively, and respond proactively to concerns will stand out in the market.”

4. Organizations must enhance their cybersecurity strategies to manage increasingly sophisticated risks.

Cyber risks have implications for SOC reporting not only when something goes wrong, but even when organizations thwart a possible attack.

Sophisticated threat actors have innovated their methods with advanced tools, said Patrick Hynes, Principal, Cyber Threat Management, Ernst & Young LLP. The typical pattern is to find intellectual property and sensitive data and then hold it for extortion. Although all sectors have been pursued, health and life sciences organizations have recently been the most targeted sector. The sensitive nature of data often spurs a response, such as a ransom payout.

In the event of an attack or discovered attempt, organizations must determine the scope of the compromise, which systems were targeted or impacted, and which controls may have failed or need enhancement. The impact on SOC reporting also needs to be assessed.

A shadow investigation looks back at any compromising factors, such as IP addresses, URLs and malware, the duration of the attacker’s presence, and whether the incident reveals any deficiencies in the design or operation of SOC-related controls. It also aims to identify how the issue was found and the corrective actions taken.

Depending on the severity of the incident and what they learn about any design or operating effectiveness gaps, audit firms may need to modify the opinion of their SOC reports, restrict distribution or withdraw previously issued reports. Leaders should also know that any delays in informing customers about incidents can lead to frustration and erode trust.

It is important for auditors to generate awareness about the effects of cyber attacks on SOC reporting and attestation, and the need for audit and compliance teams to be included in cyber response planning and strategy, advised Mo Rusev, Executive Director, Technology Risk, Ernst & Young LLP. “It’s so much easier to have that conversation when there is no pressure, rather than during an active event.”

Even ransom payments require due diligence, because paying an individual in a sanctioned country can bring further trouble from the US government.

5. ISO certification can complement your SOC strategy to build greater stakeholder confidence.

The International Organization for Standardization (ISO) develops independent, international standards that outline management system frameworks in areas such as quality management, information security, business continuity, ESG, AI, and health and safety. These aim for consistency and efficiency across industries, and certifications can bring credibility and predictability into the market. One of the most widely recognized ISO standards is ISO 27001, which focuses on information security management.

Depending on their requirements, customers may request an ISO, a SOC report, or both. The efforts involved in producing them can overlap. By leveraging the synergies between ISO certifications and SOC reporting, organizations can increase efficiency, reduce testing efforts, disruption and audit fatigue, and gain better visibility of risks and controls.

When seeking ISO certification, many organizations just focus on meeting compliance risks, but that mindset does not encapsulate all the benefits of ISO, said Jatin Sehgal, EY Global Leader, EY CertifyPoint B.V.

“That’s the wrong approach,” Sehgal said. “Do it because you want to reduce the number of incidents. You want to have more information about your controls. You want to [be able to] predict when you’re going to have a system failure, or you want to be more efficient. You want to bring more discipline into your operation and have more structure. You want to bring clarity in the marketplace. You want to have better reporting. You want to have control over your supply chain. These are some of the reasons.”

Take action

1. Adopt an AI governance framework that includes how AI is used, risk mitigation and regular monitoring, in support of SOC attestation and financial reporting processes.
2. Carefully control, track and monitor who has access to resources and systems to prevent unauthorized access.
3. Enhance training programs focused on cybersecurity, specifically targeting phishing awareness.
4. Develop and implement a clear communication strategy for promptly informing customers, auditors and regulators about incidents, minimizing delays to maintain trust and transparency.
5. Understand customer and regulatory expectations and leverage the synergies between SOC reporting, ISO certifications and additional standards and regulatory frameworks to build greater assurance.