Third Party Assurance

In today's global economy, companies must comply with ever-expanding regulations at the international level. Because of the various industry regulatory and risk standards, organizations are increasingly required to demonstrate adequate controls over, and security of, their clients' data, which means that a trusted auditor is more important today than ever before.

For our clients, we perform third-party assurance of the services they provide, or we confirm the setup of their established control procedures. We deliver to our clients the conclusions of the verification of their control procedures or of their supplier. We always prepare the assessment on the basis of an understanding of the organisation's environment, so that conclusions are reached as efficiently and effectively as possible.

Our third-party assurance services specialists can offer companies services in accordance with applicable professional standards while meeting the requirements of the third-party service client.  

SERVICES

  • ISO

ISO 27001 focuses on the development and maintenance of an ISMS (information security management system), an overarching method for managing data protection practices. To achieve this standard, you need to conduct a risk assessment, identify and implement security controls, and periodically review their effectiveness.

  • ISAE

ISAE 3402 is a third-party assurance mechanism, aimed primarily at suppliers, delivered in the form of SOC (Service Organisation Controls) reports.

  • SOC 1

SOC 1 refers to assurance over controls that could have an impact on the financial statements.

  • SOC 2

SOC 2 refers to assurance over IT controls. Controls are assessed against five basic criteria (the Trust Services Criteria).

  • SOC 2+

SOC 2+ is an extended assurance of IT controls. It adds 4 further criteria on top of SOC 2.

  • SOC 3

SOC 3 also concerns assurance over IT controls. However, unlike SOC 2 reports, SOC 3 reports are usually not detailed and are rather general. In most cases these reports are freely available to the public.

ISAE 3402

ISAE 3402 (International Standards for Assurance Engagements) is the global standard for reporting on controls in service organizations. It came into force on 15 June 2011, primarily in response to the passage of the Sarbanes-Oxley Act (often referred to by the acronym SOX) following the Enron and WorldCom financial scandals. The law was intended to protect shareholders and the general public from accounting errors and fraudulent practices.

ISAE 3402 is an extension and development of SAS 70 (Statement on Auditing Standards No. 70), which defined the standards that an auditor must use to assess an organization's internal controls. SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA) as a simplification of a set of criteria for auditing standards originally defined in 1988.

In ISAE 3402, as in its predecessor SAS 70, auditors' reports are classified as either Type I or Type II.

  • In a Type I report, the auditor evaluates the service organization's efforts, as at the time of the audit, to prevent accounting irregularities, errors, and misstatements. The auditor also assesses the likelihood that these efforts will produce the desired results in the future.
  • A Type II report contains the same information as a Type I report; in addition, the auditor seeks to determine the operating effectiveness of the agreed controls since their implementation. Type II reports usually cover data collected over a six-month period.

SOC reporting

In today's global economy, companies are governed by expanding regulations and new accounting standards both in the U.S. and internationally. In light of the Sarbanes-Oxley Act and related regulatory and risk standards, service organizations must increasingly demonstrate adequate controls and safeguards over their clients' assets.

To enable cloud-related service organizations to inform user entities about the system and organizational controls relevant to them, the AICPA has issued guidance on SOC 1, SOC 2, and SOC 3. These control reports are prepared by qualified independent accounting and testing firms that employ certified staff.

During the pre-assessment phase, the auditor becomes familiar with your organization's cybersecurity risk management program. He or she then works with you to map your existing risk management program against the specific criteria. At this stage, the auditor also helps you identify any gaps in your program documentation and suggests the appropriate remediation to close them. The goal of the pre-assessment is to prepare your organization for the SOC audits that follow. This phase may take several months or more than a year, depending on the state of the organization's cybersecurity risk management program before the pre-assessment began.

If your organization does not have cybersecurity risk management documentation in place, the auditor will guide you through creating a risk management program tailored to your organization. 

System and Organizational Controls 1, or SOC 1, focuses on control objectives for the service organization's processes and documents the internal controls relevant to the audit of the user entity's financial statements. It is specifically designed to meet the needs of user entities and their auditors and is essentially an assessment of the effectiveness of the service organization's internal controls.

SOC 2, officially Service Organization Control 2, reports on the organizational controls related to security, availability, processing integrity, confidentiality and privacy. The standard governing these five areas was developed under the AICPA Trust Services Principles and Criteria. SOC 2 reports are divided into Type 1 and Type 2.

In a world of ever-evolving cyber threats, customers and partners want assurance that the companies they work with take cybersecurity and privacy seriously. That is why it is critical to update your organization's risk management and strengthen your SOC 2 process. By doing so, you demonstrate that you are committed to protecting data, mitigating risk and keeping up with current practice. Improving your SOC 2 report builds trust, which is critical to your bottom line and can be the competitive difference when closing new business.

Most organizations are familiar with SOC 2, which is the minimum security requirement for service organizations processing and/or storing customer data in the cloud. It focuses on securing and protecting customer data in five categories, discussed in detail in the SOC 2 section.

SOC 2+ extends a SOC 2 engagement to cover multiple frameworks at once. Because there is significant overlap between the SOC 2 Trust Services Criteria (TSC) and the ISO 27001 criteria, a single engagement can address both, allowing the client to achieve greater efficiencies. SOC 2+ can include several added criteria:

  • ISO 27001 - Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organization.
  • HITRUST - Provides standards for all phases of health information transmission and storage to help ensure integrity and confidentiality.
  • NIST - The NIST framework focuses on improving the cybersecurity of critical infrastructure.
  • Cloud Controls Matrix - The Cloud Controls Matrix is specifically designed to provide basic security principles for cloud service providers and their prospective clients to follow.

The Service Organisation Control 3 (SOC 3) report provides information on the internal controls of the service organisation in the areas of security, availability, processing integrity, confidentiality and privacy. These five areas are the focus of the AICPA's Trust Services Principles and Criteria.

The SOC 3 report covers the same subject matter as the SOC 2 report. The main difference between the two is that the SOC 3 report is intended for the general public. SOC 3 reports are shorter and do not contain the same level of detail as the SOC 2 report, which is distributed only to designated stakeholders, generally under a signed NDA. Because of their more general nature, SOC 3 reports can be openly shared and posted on a company's website with a seal indicating compliance.
