Trust Solutions

Your risk perspective and strategy can impact the balance between eluding failure and seizing competitive opportunities

Many organisations depend on third party service providers for a range of critical services and support including hosting or managing financial and non-financial information, providing critical business functions and delivering on major infrastructure initiatives. 

You can stay competitive by using multiple customer and vendor relationships and accessing specialised solutions and skills. However, this advantage brings challenges in meeting your reputational, financial, operational and compliance requirements as your dependence on third parties increases.

Your management, board and shareholders demand confidence in the controls and compliance capabilities of suppliers, vendors and service organisations. They expect that you have the processes in place to effectively oversee third party arrangements.

Globalization and technology are today’s core business drivers, with the potential to send unprecedented risks cascading across your enterprise – or propel you toward unprecedented opportunity. By unlocking these risks you turn them into a catalyst for growth, stepping ahead of uncertainty.

SOC 1 reporting

A client or potential client may ask for a SOC 1 report. This allows them to understand and rely on the robustness of the internal controls in your organisation. Having this report to hand provides considerable competitive advantage.

A SOC 1 report is often requested as part of a contract for services or in response to an RFP. Sometimes it will be requested to allow your client to continue to outsource their business to you.

We can work with you to select the right reporting framework for your business and your stakeholders.

SOC 2 reporting

A SOC 2 report examines the IT controls in place in an organisation. Clients need to be able to trust service providers who hold their data, and a clean SOC 2 report delivers that assurance. It focuses on controls relating to security, processing integrity, confidentiality and privacy.

Organisations that hold client data or confidential information use SOC 2 reporting to give their clients reassurance that their data is safe and secure. This reporting is especially useful for SaaS and cloud-computing companies, and organisations who hold confidential client information.

Through a range of assurance reporting services—including SOC 1, SOC 2,  ISAE 3402, ISAE 3000—we can help you report on your control environment objectively and accurately.


Diagnostics of the internal control system
  • diagnostics of control procedures in business processes and information systems, including evaluation of design effectiveness and sufficiency of control procedures for goal achievement;
  • risk analysis, risk mapping, risk matrices and controls;
  • analysis and assessment of the relevance of corporate policies, procedures, regulations and business process descriptions;
  • checking the Segregation of Duties and Restricted Access controls in business processes and information systems;
  • internal benchmarking: comparative analysis of business processes and controls of other departments of the organization;
  • external benchmarking: comparative analysis of business processes and controls against industry counterparts and the best world practices.

Diagnostics creates a clear picture of the current state of business processes and the internal control system and provides directions for further optimisation.

Implementation of internal controls
  • description of actual business processes and internal control system, creation of control procedure matrices;
  • establishing robust controls over financial reporting to prevent fraud and ensure accuracy;
  • implementing measures to verify Segregation of Duties and access controls to prevent unauthorized actions;
  • regularly assessing risks and updating control procedures to align with changing business environments.

Effective implementation of internal controls (especially under SOX requirements) ensures rigorous oversight of financial reporting, safeguarding against fraud, maintaining accuracy, and adapting to evolving business landscapes through continuous evaluation and auditing.


An effective internal control system (ICS) improves an organization's performance. It provides reasonable confidence in the reliability of financial and operational information and in compliance with regulatory requirements, and improves control over the assets of the organization (including reducing the likelihood of fraud). In fulfilling these tasks, an ICS simplifies corporate governance, increases investor confidence and reduces costs, including those of external audit.

We are ready to assist you in the creation of an effective system of internal control that corresponds to the model of corporate governance, helps to reduce or prevent risks and achieve goals.

The intensity of change in today's business environment requires companies to manage and harness the power of proactive Enterprise Risk Management, combining innovative and proactive governance, risk and compliance (GRC) activities into a comprehensive Enterprise Risk program that facilitates seizing competitive opportunities and meeting stakeholders' expectations.

PwC's Enterprise Risk Management services add value by:
  • Assessing your Enterprise Risk Management framework
  • Performing enterprise business level or emerging risk assessment
  • Analyzing the collaboration between risk and compliance functions
  • Designing and reviewing risk mitigation plans

Companies that can report accurate information about their risk management and control framework can enhance their trustworthiness and transparency. Customers and auditors rely on these reports. They also provide the comfort and assurance your customers, regulators and other stakeholders need at a time of unprecedented challenges.

SOC report components and types

The list of components can be tailored for each report depending on the specific SOC report your company needs. The table below compares the SOC report options by content.

SOC 1  SOC 2  SOC 3

Report components

  • The auditor's opinion on service organisation control
  • System description of the control environment
  • A written assertion by the service organisation of the accurate system description, controls and their operation as of the date / over the period (depending on the report type)
  • Objectives of control
  • Trust Service Principles developed by the American Institute of Certified Public Accountants (AICPA)
  • Description of the tests of controls performed by the auditor
  • Outcomes of the testing of controls performed:
    • for Type I - tests of design as of the date;
    • for Type II - tests of design and operating effectiveness for the period.
  • Other information disclosed by the service organisation

The standards met

SSAE 18, ISAE 3402, ISAE 3000 ²

Target audience of the report

  • SOC 1: Owners and management of the service organisation, clients of the service organisation and auditors of the clients’ financial statements.
  • SOC 2: Owners and management of the service organisation, clients of the service organisation.
  • SOC 3: No restrictions, may be posted to the service organisation's website.

SOC 2 reports are generally quite similar in structure to SOC 1 reports. SOC 3 reports contain less detail as they are intended for unrestricted audiences. SOC 1/2 reports may represent an assessment of control design at a point in time ¹, while SOC 3 reports may represent an assessment of the design and operating effectiveness of control over time ¹.

1. There may be two types of SOC reports:

Type I report covers the design of controls and the outcomes of internal control assessment as of the reporting date. This type of report will be useful if the organisation’s internal control system has undergone significant change or lacks a sufficient operating history to establish effectiveness.

Type II report covers the design and operating effectiveness of controls over a period of time (typically 6 months or longer).

2. What standards are applied in preparation of a SOC report?

Today, an effective way to assure your clients and other stakeholders that an effective control environment is in place is to have an independent assessment of control performed and a System and Organization Controls report (SOC, previously Service Organization Controls) issued in accordance with SSAE 18 and ISAE 3402.

  1. SSAE 18 – Statement on Standards for Attestation Engagements 18 (SSAE 18) – a US standard issued by the American Institute of Certified Public Accountants (AICPA).
  2. ISAE 3402 – International Standard on Assurance Engagements ISAE 3402 issued by the International Auditing and Assurance Standards Board (IAASB).
  3. ISAE 3000 – International Standard on Assurance Engagements ISAE 3000 issued by the International Auditing and Assurance Standards Board (IAASB).


PwC helps organizations develop and implement effective business continuity programs that ensure their critical operations can continue even in the face of unforeseen events. We offer a wide range of business continuity management (BCM) services, including:

Risk assessment: We will help you identify and assess your business interruption risks so you can develop a plan to mitigate them.

Plan development: We will help you develop a business continuity program that meets your specific needs and objectives.

Implementation and testing: We will help you implement your business continuity program and make sure it works properly.

Training and awareness: We will help you train your employees on your business continuity program and raise their awareness of the importance of BCM.

Support and updates: We will provide you with ongoing support and help you update your business continuity program  to meet the changing needs of your business.

The risk landscape is dynamic, uncertain and unpredictable, and the levels of risk organisations are managing today are higher than ever before. Our Connected Risk Engine is a cloud based maturity assessment platform that allows you to have a clear view of the key risks affecting your organisation, across business areas, divisions and countries. 

Connected Risk Engine provides a consistent, global approach to risk maturity assessment and benchmarking. This holistic view of your business and real-time insights enable you to anticipate, prepare, act and adapt to some of the most pressing issues your business faces today.

Our platform enables you to benchmark different organisations against their peers and across different industries. For example, for the Banking and Capital Markets industry the PwC Cyber Security Maturity Framework is the most relevant framework, while for the Central or National Government industry the Technology Maturity Assessment framework would be most useful.


Contact us

Olena Volkova

Partner, PwC in Ukraine

Tel: +380 44 354 0404

Anton Tseshnatii

Director, Risk Assurance, PwC in Ukraine

Tel: +380 44 354 0404
