System and Organization Controls reporting: How you can stay a step ahead of uncertainty

Build market confidence in your systems and processes

With global outsourcing on the rise, there’s a growing need for increased trust and transparency around service providers’ operations, processes and results. But many outsourced providers struggle to provide the assurance their customers need through effective controls reporting.

Service providers have several options for reporting on their compliance with internal controls. Commonly referred to as System and Organization Controls (SOC) reports 1, 2 and 3, these reporting controls options help outsourced providers respond to the rising concerns of their customers around issues like security breaches, privacy, confidentiality and the need to offer assurance of system reliability and integrity.

The benefits of controls reporting

Beyond meeting contractual obligations and other requirements, controls reporting offers several benefits to outsourced providers:

  • building trust with customers by demonstrating strong internal control practices
  • increasing visibility and transparency to customers
  • gaining an advantage against competitors
  • offering a fresh and independent view of risks and controls
  • streamlining internal controls over security, availability, integrity, confidentiality and privacy of their systems and data
strategy icon

Consider your options and the best fit for you and your stakeholders

Clearly articulate controls over financial reporting

To provide stakeholders with increased transparency around your financial controls and meet regulatory requirements requiring controls attestation, prepare a SOC 1 report for your organization. Also known as CSAE (Canadian Standard on Assurance Engagements) 3416, ISAE (International Standard on Assurance Engagements) 3402 or AICPA (American Institute of Certified Public Accountants) AT-C 320 reports, a SOC 1 report addresses internal controls over financial reporting. This will ensure independent assurance of controls over processes related to financial reporting outsourced to a third party.

View more

Address controls over non-financial reporting

With the growing use of cloud-based storage solutions, there’s an increased demand for assurance over the management and security of sensitive data. Companies that rely on third parties to use, store and dispose of critical data need comfort that their service provider’s controls are strong and able to protect both financial and non-financial information. To satisfy regulator and stakeholder concerns, a SOC 2 or SOC 3 report focuses on controls specific to security, availability, processing integrity, confidentiality and privacy.

View more

Meet contractual obligations or other market requirements

To meet the requirements of stakeholders that go beyond traditional SOC 1 and SOC 2 reports, organizations can provide specified procedures reporting or vendor attestation reporting to include additional criteria specific to particular users’ needs and reduce or eliminate the need for them to make on-site visits.

View more

How we can help

Approach both existing and prospective customers with confidence and provide the trust and transparency they expect and need. We can help you with the assurance your stakeholders require through SOC or other reporting options. Our approach focuses on efficient and transparent report delivery and customized attestation.


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}

Contact us

Tony Pedari

Tony Pedari


Tel: +1 416 941 8226

Nicholas Panou

Nicholas Panou

Partner, Risk Assurance Services

Tel: +1 416 814 5868

Follow PwC Canada