Many organisations depend on third party service providers for a range of critical services and support including hosting or managing financial and non-financial information, providing critical business functions and delivering on major infrastructure initiatives.
You can stay competitive by using multiple customer and vendor relationships and accessing specialised solutions and skills. However, this advantage brings challenges around protecting your reputational, financial, operational and compliance requirements as your dependence on third parties increases.
Your management, board and shareholders demand confidence in the controls and compliance capabilities of suppliers, vendors and service organisations. They expect that you have the processes in place to effectively oversee third party arrangements.
Globalization and technology are today’s core business drivers, with the potential to send unprecedented risks cascading across your enterprise – or propel you toward unprecedented opportunity. By unlocking these risks you turn them into a catalyst for growth, stepping ahead of uncertainty.
Diagnostics gives a clear picture of the current state of business processes and the internal control system, and provides directions for further optimisation.
Effective implementation of internal controls (especially under SOX requirements) ensures rigorous oversight of financial reporting, safeguarding against fraud, maintaining accuracy, and adapting to evolving business landscapes through continuous evaluation and auditing.
An effective internal control system (ICS) helps improve an organization’s performance. It provides reasonable confidence in the reliability of financial and operational information and in compliance with regulatory requirements, and improves control over the assets of the organization (including reducing the likelihood of fraud). In fulfilling these tasks, an ICS simplifies corporate governance, increases investor confidence and reduces costs, including those of external audit.
We are ready to assist you in the creation of an effective system of internal control that corresponds to the model of corporate governance, helps to reduce or prevent risks and achieve goals.
The intensity of change in today’s business environment requires companies to manage and harness the power of proactive Enterprise Risk Management, combining innovative and proactive governance, risk and compliance (GRC) activities into a comprehensive Enterprise Risk program that facilitates seizing competitive opportunities and meeting stakeholders’ expectations.
Companies that can report accurate information about their risk management and control framework can enhance their trustworthiness and transparency. Customers and auditors rely on these reports. They also provide the comfort and assurance your customers, regulators and other stakeholders need at a time of unprecedented challenges.
The list of components can be tailored for each report depending on the specific SOC report your company needs. The table below compares the SOC report options by content.
| | SOC 1 | SOC 2 | SOC 3 |
| Report components | | | |
| The standards met | | | |
| SSAE 18, ISAE 3402, ISAE 3000² | | | |
| Target audience of the report | | | |
SOC 2 reports are generally quite similar in structure to SOC 1 reports. SOC 3 reports contain less detail as they are intended for unrestricted audiences. SOC 1/2 reports may represent an assessment of control design at a point in time¹, while SOC 3 reports may represent an assessment of the design and operating effectiveness of control over time¹.
1. There may be two types of SOC reports:
A Type I report covers the design of controls and the outcomes of internal control assessment as of the reporting date. This type of report is useful if the organisation’s internal control system has undergone significant change or lacks a sufficient operating history to establish effectiveness.
A Type II report covers the design and operating effectiveness of controls over a period of time (typically 6 months or longer).
2. What standards are applied in preparation of a SOC report?
In today’s world, there is an effective way to provide assurance to your clients and other stakeholders that an effective control environment is in place by performing an independent assessment of control and issuing a System and Organization Controls report (SOC, previously Service Organization Controls) in accordance with SSAE 18 and ISAE 3402.
Through a range of assurance reporting services, including SOC 1, SOC 2, ISAE 3402 and ISAE 3000, we can help you report on your control environment objectively and accurately.
PwC helps organizations develop and implement effective business continuity programs that ensure your critical operations can continue even in the face of unforeseen events. We offer a wide range of BCM services, including:
Risk assessment: We will help you identify and assess your business interruption risks so you can develop a plan to mitigate them.
Plan development: We will help you develop a business continuity program that meets your specific needs and objectives.
Implementation and testing: We will help you implement your business continuity program and make sure it works properly.
Training and awareness: We will help you train your employees on your business continuity program and raise their awareness of the importance of BCM.
Support and updates: We will provide you with ongoing support and help you update your business continuity program to meet the changing needs of your business.
The risk landscape is dynamic, uncertain and unpredictable, and the levels of risk organisations are managing today are higher than ever before. Our Connected Risk Engine is a cloud-based maturity assessment platform that allows you to have a clear view of the key risks affecting your organisation, across business areas, divisions and countries. Connected Risk Engine provides a consistent, global approach to risk maturity assessment and benchmarking. This holistic view of your business and real-time insights enable you to anticipate, prepare, act and adapt to some of the most pressing issues your business faces today.
Our platform enables you to benchmark different organisations against their peers and across different industries. For example, for the Banking and Capital Markets industry the PwC Cyber Security Maturity Framework is the most relevant framework, while for the Central or National Government industry the Technology Maturity Assessment framework would be most useful.