What is a SOC report and should my company have one?

SOC reports are a core part of internal governance and risk management – but what are they and who are they for? Read on to find out. 

A System and Organisation Controls (‘SOC’) report is an independent assessment of the risks associated with using a service organisation (and other third parties). SOC reports are a core part of internal governance and risk management and can be used to enhance customer relationships by building confidence and trust.

There are different types of SOC reports (SOC 1, SOC 2 etc). SOC 1 reports focus on outsourced services that could impact a company's financial reporting and this is the type of report we’re focusing on in this article.

About the author

Catherine Edwards

+44 (0)207 556 1246
edwardsc@buzzacott.co.uk

'SOC' is the most commonly used term when referring to internal controls assurance; however, there are a number of different reporting frameworks in place:

  • ISAE 3402: The international framework issued by the IAASB
  • SOC 1: The US framework issued by the AICPA
  • AAF 01/20: The UK framework issued by the ICAEW

As part of the engagement, business process and IT controls will be defined and tested. The report itself is signed off by a Service Auditor and can be either a type 1 or type 2 report: 

  • Type 1: Point in time (assurance is provided on the design of controls)
  • Type 2: Over a specified time period (assurance is provided on the design and operating effectiveness of controls)

Who needs an internal controls assurance report?

There is currently no statutory requirement; however, they’re commonly performed for the following activities:

  1. Custody;
  2. Fiduciary management;
  3. Fund accounting;
  4. Investment management;
  5. Investment administration;
  6. Pension administration;
  7. Private equity;
  8. Property investment management;
  9. Property investment administration;
  10. Transfer agency; and
  11. Information Technology.

These types of report are often requested by organisations (user entities) that receive significant services from a service organisation. User entities need transparency and assurance that relevant risks are effectively mitigated through appropriate controls.

This is of increasing importance for organisations operating within the financial services sector where there is increased pressure to demonstrate effective and robust control environments due to the rigorous compliance regimes in place.

What are the benefits of obtaining an internal controls assurance report?

Obtaining a SOC/AAF report differentiates the service organisation from its peers by demonstrating effectively designed control objectives and control activities. In many cases, the report will also satisfy the user auditors’ requirements as well as specific requests from investors or customers.

Who are the users of these reports?

The users can be both internal and external, e.g.:

  • Internal management at the service organisation 
  • External parties such as customers (or potential customers), investors or the external auditors of customers.