Trust Solutions

Your risk perspective and strategy can impact the balance between eluding failure and seizing competitive opportunities

45%

of CEOs who are less confident in their companies viability are taking action aimed at reinventing their business models
30%

of CEOs indicated that insufficient backing from internal stakeholders posed a moderate or greater challenge to making the company's operations more environmentally sustainable
76%

of CEOs took at least one action that had a large or very large impact on their company’s business model

Source: PwC’s 27th Annual Global CEO Survey

Many organisations depend on third party service providers for a range of critical services and support including hosting or managing financial and non-financial information, providing critical business functions and delivering on major infrastructure initiatives.

You can stay competitive by using multiple customer and vendor relationships and accessing specialised solutions and skills. However, this advantage offers challenges around protecting your reputational, financial, operational and compliance requirements as your dependence on third parties increases.

Your management, board and shareholders demand confidence in the controls and compliance capabilities of suppliers, vendors and service organisations. They expect that you have the processes in place to effectively oversee third party arrangements.

Globalization and technology are today’s core business drivers, with the potential to send unprecedented risks cascading across your enterprise – or propel you toward unprecedented opportunity. By unlocking these risks you turn them into a catalyst for growth, stepping ahead of uncertainty.

Diagnostics of the internal control system

diagnostics of control procedures in business processes and information systems, including evaluation of design effectiveness and sufficiency of control procedures for goal achievement;
risk analysis, risk mapping, risk matrices and controls;
analysis and assessment of corporate policies, procedures, regulations and business processes description relevance;
checking the Segregation of Duties and Restricted Access controls in business processes and information systems;
internal benchmarking, comparative analysis of business processes and controls of other organization departments;
external benchmarking- comparative analysis of business processes and controls of industry counterparts and in the best world practices.

Diagnostics allows to create a clear picture of current business processes state and internal control system and provides directions for further optimisation.

Implementation of internal controls

description of actual business processes and internal control system, creation of control procedure matrixes;
establishing robust controls over financial reporting to prevent fraud and ensure accuracy;
implementing measures to verify Segregation of Duties and access controls to prevent unauthorized actions;
regularly assessing risks and updating control procedures to align with changing business environments.

Effective implementation of internal controls (especially under SOX requirements) ensures rigorous oversight of financial reporting, safeguarding against fraud, maintaining accuracy, and adapting to evolving business landscapes through continuous evaluation and auditing.

An effective internal control system (ICS) allows to improve organization’s performance. It provides reasonable confidence in the reliability of financial and operational information, compliance with regulatory requirements, improves control over the assets of the organization (including reducing the likelihood of fraud). In fulfilling these tasks, ICS simplifies corporate governance, increases investor confidence and reduces costs, including external audit.

We are ready to assist you in the creation of an effective system of internal control that corresponds to the model of corporate governance, helps to reduce or prevent risks and achieve goals.

The intensity of change in today´s business environment requires companies to manage and harness the power of proactive Enterprise Risk Management, combining innovative and proactive governance, risk and compliance activities (GRC) into a comprehensive Enterprise Risk program that facilitates seizing competitive opportunities and meeting stakeholder’s expectations.

PwC´s Enterprise Risk Management services add value by:

Assessing your Enterprise Risk Management framework
Performing enterprise business level or emerging risk assessment
Analyzing the collaboration between risk and compliance functions
Designing and reviewing risk migration plans

Companies that can report accurate information about their risk management and control framework can enhance their trustworthiness and transparency. Customers and auditors rely on these reports. They also provide the comfort and assurance your customers, regulators and other stakeholders needed at a time of unprecedented challenges.

SOC report components and types

The list of components can be tailored for each report depending on the specific SOC report your company needs. The table below presents a comparison of SOC report options depending on its content.

SOC 1	SOC 2		SOC 3
Report components
The auditor's opinion on service organisation control System description of the control environment A written assertion by the service organisation of the accurate system description, controls and their operation as of the date / over the period (depending on the report type)
Objectives of control		Trust Service Principles developed by the American Institute of Certified Public Accountants (AICPA)
Description of the tests of controls performed by the auditor Outcomes of the testing of controls performed: for Type I - tests of design as of the date; for Type II - tests of design and operating effectiveness for the period. Other information disclosed by the service organisation
The standards met
SSAE 18, ISAE 3402, ISAE 3000²
Target audience of the report
Owners and management of the service organisation, clients of the service organisation and auditors of the clients’ financial statements.	Owners and management of the service organisation, clients of the service organisation		No restrictions, may be posted to the service organisation's website

SOC 2 reports are generally quite similar in structure with SOC 1 reports. SOC 3 reports contain less detail as they are intended for unrestricted audiences. SOC 1/2 reports may represent an assessment of control design at a point in time¹, while SOC 3 reports may represent an assessment of the design and operating effectiveness of control over time¹.

^1. There may be two types of SOC reports:

Type I report covers the design of controls and the outcomes of internal control assessment as of the reporting date. This type of report will be useful if the organisation’s internal control system has undergone significant change or lacks a sufficient operating history to establish effectiveness.

Type II report covers the design and operating effectiveness of controls over a period of time (typically 6 months or longer).

^2.What standards are applied in preparation of a SOC report?

In today’s world, there is an effective way to provide assurance to your clients and other stakeholders that an effective control environment is in place by performing an independent assessment of control and issuing a System and Organization Controls report (SOC, previously Service Organization Controls) in accordance with SSAE 18 and ISAE 3402.

SSAE 18 – Statement on Standards for Attestation Engagements 18 (SSAE 18) – a US standard issued by the American Institute of Certified Public Accountants (AICPA).
ISAE 3402 - International Standard on Assurance Engagements ISAE 3402 issued by the International Auditing and Assurance Standards Board (IAASB).
ISAE 3000 – International Standard on Assurance Engements ISAE 3000 issued by the International Auditng and Assurance Standards Board (IAASB).

Through a range of assurance reporting services—including SOC 1, SOC 2, ISAE 3402,
ISAE 3000 — we can help you report on your control environment objectively and accurately.

PwC helps organizations develop and implement effective business continuity programs that ensure your critical operations can continue even in the face of unforeseen events. We offer a wide range of BCM services, including:

Risk assessment: We will help you identify and assess your business interruption risks so you can develop a plan to mitigate them.

Plan development: We will help you develop a business continuity program that meets your specific needs and objectives.

Implementation and testing: We will help you implement your business continuity program and make sure it works properly.

Training and awareness: We will help you train your employees on your business continuity program and raise their awareness of the importance of BCM.

Support and updates: We will provide you with ongoing support and help you update your business continuity program to meet the changing needs of your business.

The risk landscape is dynamic, uncertain and unpredictable, and the levels of risk organisations are managing today are higher than ever before. Our Connected Risk Engine is a cloud based maturity assessment platform that allows you to have a clear view of the key risks affecting your organisation, across business areas, divisions and countries.   Connected Risk Engine provides a consistent, global approach to risk maturity assessment and benchmarking. This holistic view of your business and real-time insights enables you to anticipate, prepare, act and adapt to some of the most pressing issues your business faces today.

Our platform enables you to benchmark different organisations against their peers and across different industries, for example for Banking and Capital Markets industry PwC Cyber Security Maturity Framework the most relevant framework, for Central or National Government industry Technology Maturity Assessment framework would be most usefull.

Learn more about Connected Risk Engine

Internal Audit

Addressing enterprise risk while enabling business performance.

More about Internal Audit

Trust Solutions

Your risk perspective and strategy can impact the balance between eluding failure and seizing competitive opportunities.

Cyber Security

Balance security, privacy and opportunity to move boldly forward.

More about Cyber Security

Data and Analytics

Confidence through smarter data.

More about Data and Analytics

Insights

28/11/24

How to deploy AI at scale: A PwC and Microsoft playbook that explores the critical role of cloud and cybersecurity

Contact us

Alex Yankovski

Partner, PwC in Ukraine

Tel: +380 44 354 0404

Anton Tseshnatii

Director, Risk Assurance, PwC in Ukraine

Tel: +380 44 354 0404

Hide

Required fields are marked with an asterisk(*)

First Name*

Last Name*

Company*

Title*

Email*

Phone

Please provide us details of your request*

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Services Industries Surveys Publications Press Room About Us Careers Offices Contact Us

© 2015 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

Trust Solutions

SOC 1 reporting

SOC 2 reporting

SOC report components and types

Report components

The standards met

Target audience of the report

Diagnostics of the internal control system

Implementation of internal controls

PwC´s Enterprise Risk Management services add value by:

SOC report components and types