Service Organization Controls Report - ISAE 3000 with Reference to AICPA’s Five Service Criteria

Satisfying Regulators’ and other Stakeholders’ demands for assurance

To satisfy regulators’ and other stakeholders’ demands for assurance around internal controls over operational activities, an ISAE 3000 report can be prepared to focus on controls specific to security, availability, processing integrity, confidentiality, and privacy. The scope can include those categories relevant to the subject matter of the report, as selected by the service organization.

 

How we help our clients

 

PwC can help you by performing:

  • Readiness assessment - PwC will evaluate the risk and controls matrix against the control objectives, assess controls implementation, conduct gap analysis, and provide recommendations on identified control gaps.
  • Attestation and reporting services - PwC will issue a service auditor's opinion on whether the description of the service organization's system is in conformity with the description criteria, the suitability of the design of the controls to meet the organization's commitments and system requirements, and, in a type 2 report, the operating effectiveness of those controls.
  • Staff secondment - PwC will provide employees who will act as your:
    • Project manager - we will act as a liaison officer between the auditors and process owners for your audit and compliance projects. Our responsibilities include managing document requests and audit-raised issues.
    • Staff - we will execute tasks as determined by your team. This may include creation of the risk and controls matrix, risk issues tracker, management written statement, and controls description report.

 

Why are we qualified to help

PwC has performed recurring third-party assurance report engagements for different organizations ranging from back-office solutions, research and development, and healthcare to technology service providers, among others. By bringing together our industry-specific skills in technology, regulatory compliance, finance and accounting, and other business processes, our team has helped multiple clients identify and mitigate risk and enhance trust and transparency with their customers.

We have also worked with other PwC offices (under direct supervision) in assessing the Global ISAE 3402 Type 2 and GS007 reports over the Shared Service Center's (SSC) controls related to the trade operations across different market segments.

Our team's combined credentials are composed of the following:

  • Certified Public Accountant (CPA) in the Philippines
  • Certified Information Systems Auditor (CISA)
  • Certified in COBIT 5 Foundation Level (CCOBIT5F) and Implementation (CCOBIT5I) 
  • ISO Lead Auditor for Business Continuity Management Systems (ISO 22301:2012) Course Passer
  • ISO Lead Auditor for Quality Management Systems (ISO 9001:2008) Course Passer
  • ISO Information Security Management System Auditor/Lead Auditor (ISO 27001:2013) Course Passer
  • Quality Assurance Improvement Program (Quality Assurance Review) Course Passer

The following selected citations represent engagements where we have helped clients:

PwC helped a Mobile Payment Innovation and Software Maintenance Company in performing an SSAE 16 (SOC 1) Type 2 engagement of the Company’s controls over its mobile payments gateway system relating to Information Technology General Controls (ITGCs) in 2012.

A Payroll Process Outsourcing Company engaged PwC in an SSAE 16 (SOC 1) Type 2 engagement that focused on the review of the ITGCs and payroll processing system in 2013.

An SSAE 18 (SOC 1) Type 2 engagement was performed over a Leading BPO Company’s controls related to the outsourced data entry and verification process for insurance claims, with recurring engagements since 2014.

PwC partnered with a Leading BPO on healthcare solutions in its SSAE 16 (SOC 1) Type 2 engagement over the Company’s controls related to the Medical Coding and Revenue Cycle Management system including relevant Information Technology (IT) General Controls over the Network Infrastructure in 2015.


PwC performed an ISO 27001/27002 readiness assessment of the Information Security Management System (ISMS) of a Leading BPO in technologies and customer care services, covering its related controls over information assets and information processing facilities relevant to a support service provided for a credit card company client.

Contact us

Maria Rosell S. Gomez

Risk Assurance Leader, PwC Philippines

Tel: +63 (2) 8845 2728

Michelle L. Meneses

Risk Assurance Director, PwC Philippines

Tel: +63 (2) 8845 2728

Lalaine Aviles

Risk Assurance Manager, PwC Philippines

Tel: +63 (2) 8845 2728

Dyan Rose Esguerra

Risk Assurance Assistant Manager, PwC Philippines

Tel: +63 (2) 8845 2728

Archelle Marie Azuro

Risk Assurance Assistant Manager, PwC Philippines

Tel: +63 (2) 8845 2728
