A SOC strategy that delivers ROI, not red tape

  • 5 minute read
  • August 21, 2025

System and organization controls (SOC) reporting is standard practice for technology and service providers that want to deepen trust with stakeholders. SOC 1 and SOC 2 reports, along with other external controls certifications, describe how a company secures client data, protects private information and upholds contractual commitments around data security, privacy and system availability. They can also provide assurance that internal controls over financial reporting are operating as intended.

SOC 1 reports are generally expected of service organizations whose systems affect their clients’ internal control over financial reporting. SOC 2 reports can strengthen go-to-market positioning by giving third parties assurance over controls related to security, availability, confidentiality, processing integrity and privacy.

Meanwhile, our clients tell us they’re increasingly concerned about the cost of compliance. US companies spend between 1.3 and 3.3 percent of the total cost of wages on regulatory compliance, according to the Cato Institute. The larger your organization, the greater your costs.

Done the same old way, SOC and external certification programs may become overly complex, lack cohesion and monopolize more resources than they should. Your SOC program may not be integrated with other compliance work, creating confusion and duplicated effort.

Organizations that periodically reassess their reporting and certification processes often discover opportunities to enhance efficiency, strengthen customer trust and derive more value from their SOC reports and certifications. Whether engaging more effectively with your existing service auditor or evaluating broader reporting improvements, these efforts can help reduce duplication, align reporting with business priorities and make compliance more sustainable over time.

This rings especially true if you’re expanding services into new areas or adopting new technologies, like AI or blockchain, that may require new reporting or new assurance over the related controls. As a longtime producer, and consumer, of SOC reports across industries and regions, PwC helps clients assess and rethink how they meet SOC and other certification criteria. Here are four questions to ask as you streamline your approach to external controls reporting.

1. Are we actively monitoring controls to ascertain whether they align with reporting and certification requirements?

An imbalance between the control environment and the number and types of reports being produced on those controls is surprisingly common among companies focused on expansion — whether they’re moving into new markets or acquiring other companies.

PwC has helped several organizations assess their portfolio of third-party reports and related controls frameworks to streamline their approach to reporting and rationalize their broader controls environment. For example, a global cloud software provider asked us to examine its report portfolio and test thousands of controls before the service auditors tested them. This let the company get ahead of issues that would otherwise have surfaced as exceptions in the reports in its portfolio.

In addition, we’re helping the client create a common controls framework (CCF) to rationalize its report portfolio and enhance overall efficiency. We test and track controls as they are added or updated to help maintain a lean, efficient control environment. It’s a large company with large clients, so the controls add up. In many cases, we can also help clients boost efficiency with a “test once, apply many” approach: a single control that satisfies requirements in several frameworks is tested once, and the evidence is reused across each report that relies on it rather than retested for each one.

2. Is our working relationship with our service auditors driving value, efficiency and quality outcomes?

Service auditors do not all provide the same quality of work. After a disappointing experience with a SOC auditor, a healthcare services company opted to replace that provider with a Big Four accounting firm. The company asked PwC for help assessing its readiness and enhancing its ability to work effectively with the auditor throughout the process.

Our client aimed to demonstrate an effective control environment and achieve its goal of releasing reports free of exceptions and qualifications. We were able to help them do that while also giving them a clearer view of how they could monitor and report on their overall control environment. This helped teams communicate with the service auditor to effectively demonstrate when and how controls were working when questions arose.

3. Do we use technology and other tools to enhance our reporting?

Many compliance and risk teams already use or are familiar with a variety of governance, risk and compliance (GRC) tools, some of which can also help streamline external controls reporting. Every industry has unique requirements and expectations, so the right tools may differ among sectors.

While a surprising number of companies still track this activity manually, those that adopt a structured playbook with automation tools, templates and accelerators are better positioned to drive consistency, efficiency and streamlined data collection and sharing.

We have developed accelerators, mapping tools, and a comprehensive playbook framework to help clients reliably gather necessary information across their control environments while tracking control effectiveness. Our report scoping template, for example, provides a complete list of considerations to facilitate gathering information key to the development of a new SOC report. Questions reflect leading practices and include an assessment of control objectives, control activities, system boundaries and criteria mapping.

We took the illustrative control objectives and the trust services criteria for security, availability, confidentiality, processing integrity and privacy published by the American Institute of Certified Public Accountants (AICPA) and built a mapping template that accelerates our work helping clients identify and map controls to the relevant criteria and points of focus. We’re using this controls map to help a cloud-native insurance tech company get a clearer picture of its control landscape. The company has so many products in development and is growing so fast that its control matrices can’t keep up.

We also used accelerators and playbook-guided processes to enhance efficiency for our global technology and healthcare clients mentioned earlier, saving time and streamlining processes that used to be manual — or were sometimes overlooked.

Meanwhile, we are working on integrating technology, such as AI agents, into these tools and processes to save time while maintaining thoroughness.

4. Do our teams have the right skills and an understanding of reporting needs by industry or geography?

When you look to enhance your external reporting and certification program, matching your team’s skills to your reporting inventory can be key. It may sound obvious, but skipping a skills assessment around external controls reporting is a relatively common mistake. It’s ideal to have team members with a working knowledge of security protocols and systems, as well as industry-specific requirements. But if you don’t, we can help you fill in the gaps.

Our experience with data regulations in different regions proved useful in our work with a technology provider that sought our help to assess whether it was complying with requirements specific to Europe, Asia, the Middle East, Australia and the United States. We helped the client get up to speed on a handful of regional requirements. For a security certification required in Japan, we helped the company assess and update controls to get certified in about half the time it typically takes. Our work with this organization to rationalize and streamline their control environment continues.

Achieving the right balance of controls to reporting

Business and tech leaders continue to grapple with how fast technology is advancing. In our latest Pulse survey, 40 percent of CIOs listed the rate of change as a top challenge to delivering on tech strategy. When it comes to SOC and external controls reporting, you have no choice but to keep up — or risk losing customer confidence. Rationalizing your reporting portfolio and streamlining your control environment to match can help you derive more value from your investment in SOC audits and external certifications.

Contact us

Jay Schaldecker

Trust and Transparency Solutions Leader, PwC US

Michael Zelwin

Partner, Digital Assurance and Transparency, PwC US
